Wrinkle In Time

Presentation Transcript

    • Wrinkle in Time
    • Wrinkle in Time
      • Why do we care about time?
    • Wrinkle in Time
      • We use time/date data to:
        • Determine who used a computer.
        • Determine when a computer was used.
        • Determine how long a computer was used.
        • Determine when an event occurred.
        • Determine a file’s use and/or source.
    • Wrinkle in Time
      • Today’s outline
        • General information on time
        • The Types of time
        • The Time Zones
        • Daylight Saving Time
        • Sources of Time
        • Places we find Time and Dates on a PC
    • General Stuff
      • All dates and times on a computer depend on its clock being accurately set and running. This applies to the suspect’s computer clock, the clock of a server, and your own forensic machine.
      • A clock that is correctly set now may not have been correctly set in the past.
    • Types of Time
      • There are many different types of time.
    • Base Time
      • GMT - Greenwich Mean Time
      • UT – Universal Time
      • UTC – Coordinated Universal Time
    • Greenwich Time
      • GMT - Greenwich Mean Time
      • Greenwich, England has been the home of Greenwich Mean Time (GMT) since 1884. GMT is sometimes called Greenwich Meridian Time because it is measured from the Greenwich Meridian Line (longitude 0) at the Royal Observatory in Greenwich, England. One property of GMT is that it remains the same all year round; Daylight Saving Time does not affect it. It is the starting point of time (well, kinda the start).
      • Setting your time to “London” does not mean GMT.
      • Why? London observes Daylight Saving Time.
    • Universal Time
      • UT - Universal Time
      • Another name for GMT.
      • Derived from star observations; this is the traditional time.
    • Coordinated Time
      • UTC - Coordinated Universal Time (yes, the letter order is odd: it is a compromise with the French abbreviation, TUC)
      • Replaced Greenwich Mean Time (GMT) as the world standard for time in 1986. It is based on atomic clock measurements rather than the Earth's rotation. To align it with “traditional time” based on the Earth's rotation, the time is adjusted once a year.
    • AM - PM
      • 12:01 (just past midnight): is this AM or PM?
      • AM
    • Time Format
      • Time formats
        • 24 hour (military)
          • Day starts at 00:00:00
          • 00:00, midnight
          • 12:00, noon
          • Day ends at 23:59:59
        • 12 hour (civil)
          • Uses AM / PM
            • AM: ante meridiem, starts at 12:00:01 (just past midnight)
            • PM: post meridiem, starts at 12:00:01 (just past noon)
    • Time Format
      • 24 hour format (day starts at 0000) and the same times in 12 hour format:
        • 24 hour: 0000   0300    0600    0900    1201    1500    1800    2100    2359
        • 12 hour: 12:00  3:00am  6:00am  9:00am  12:01pm 3:00pm  6:00pm  9:00pm  11:59pm
    • Time Format
      • It’s 12:00 in the morning, is it AM or PM?
      • Neither
      • Midnight and Noon are not AM or PM
    • Time Zones
      • Time Zones are geographically assigned.
      • Invented by Sir Sandford Fleming (1888) to help with train schedules. Before time zones, everyone kept their own local time for an area; with thousands of areas there were thousands of different local times.
    • Time Zones
      • There are 24 major time zones.
      • There are a few odd ones as well (half-hour zones).
      • Here are some abbreviations for time zones in the US.
        • AST- Atlantic Standard Time
        • EST- Eastern Standard Time
        • CST- Central Standard Time
        • MST- Mountain Standard Time
        • PST- Pacific Standard Time
        • AKST- Alaskan Standard Time
        • HAST- Hawaii-Aleutian Standard Time
    • US Time Zones
      • The boundaries are fixed, give or take a little.
      • Generally they change every 15° of longitude.
      • (Map: Time Zones in the US)
    • US Time Zones
      • The Continental US has four Standard Time zones
        • Eastern, -5 hours from GMT (7pm when it is midnight GMT)
        • Central, -6 hours from GMT (6pm when it is midnight GMT)
        • Mountain, -7 hours from GMT (5pm when it is midnight GMT)
        • Pacific, -8 hours from GMT (4pm when it is midnight GMT)
      • There are also additional time zones for Alaska, Hawaii, the Virgin Islands and Samoa.
        • Atlantic, -3 hours from GMT (9pm when it is midnight GMT)
        • Alaska, -9 hours from GMT (3pm when it is midnight GMT)
        • Hawaii/Aleutian, -10 hours from GMT (2pm when it is midnight GMT)
        • Samoa, -11 hours from GMT (1pm when it is midnight GMT)
    • Places with “special” Time Zones
      • The following states have two time zones within them, usually split by county.
        • Kansas, Alaska, Florida, Idaho, Indiana, Kentucky, Michigan, Nebraska, North Dakota, Oregon, South Dakota, Tennessee, Texas
      • Cross a street, you are in a new time zone.
        • Beacon Hill and Mexico Beach, Florida. Cross the street (18’ of asphalt) and you are in a different city and a different time zone. One is Eastern and the other Central.
    • International Time Zones
      • International time zones can be even more complicated.
    • International Time Zones
      • The preceding maps show the general boundaries. The actual boundaries can be quite different. For example, Australia has some very different time zone boundaries; in fact it has zones that are only half an hour apart. So does Canada.
    • International Time Zones
      • Let’s skip the rest of the world for now.
    • Daylight Saving
      • Daylight Saving Time begins in the United States at 2 a.m. on the first Sunday of April. Time reverts to standard time at 2 a.m. on the last Sunday of October. Time changes at 2 a.m. local time.
      • In the European Union , Daylight Saving Time begins and ends at 1 am Universal Time (Greenwich Mean Time). It starts the last Sunday in March, and ends the last Sunday in October. In the EU, all time zones change at the same moment.
      • HOWEVER, Congress changed our dates……
    • Daylight Saving
      • On August 8, 2005, President George W. Bush signed the Energy Policy Act of 2005. This Act changed the time change dates for Daylight Saving Time in the U.S. Beginning in 2007, DST will begin on the second Sunday of March and end on the first Sunday of November. The Secretary of Energy will report the impact of this change to Congress. Congress retains the right to revert Daylight Saving Time to the 2005 schedule once the Department of Energy study is complete. So 2008 is up for grabs.
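The two US rule sets above (first Sunday of April to last Sunday of October, then second Sunday of March to first Sunday of November from 2007), as an added example written for this page rather than taken from the presentation: it computes each year's transition dates and shows how a tool applying the wrong rule turns the same local file stamp into a UTC value one hour off. The rule names, the Eastern-time (UTC-5 standard) sample machine and the stamp value are constructed assumptions.

```python
# Added example (not from the presentation): the pre-2007 and post-2007 US DST
# rules described above, and how the rule in force changes a stamp's UTC value.
from datetime import date, datetime, time, timedelta

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month; n = -1 means the last Sunday."""
    if n > 0:
        d = date(year, month, 1)
        d += timedelta(days=(6 - d.weekday()) % 7)   # weekday(): Sunday == 6
        return d + timedelta(weeks=n - 1)
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    d = first_of_next - timedelta(days=1)
    return d - timedelta(days=(d.weekday() - 6) % 7)

RULES = {
    # rule name: (start month, start Sunday index, end month, end Sunday index)
    "pre2007": (4, 1, 10, -1),   # first Sunday of April to last Sunday of October
    "post2007": (3, 2, 11, 1),   # second Sunday of March to first Sunday of November
}

def us_dst_window(year, rule):
    """Local 2 a.m. start and end transitions for one year under one rule."""
    sm, sn, em, en = RULES[rule]
    start = datetime.combine(nth_sunday(year, sm, sn), time(2))
    end = datetime.combine(nth_sunday(year, em, en), time(2))
    return start, end

def is_dst(local_dt, rule):
    """True when a naive wall-clock time falls inside the DST window.
    Simplification: the repeated 1-2 a.m. hour on the fall-back morning is
    ambiguous on any clock and is not resolved here."""
    start, end = us_dst_window(local_dt.year, rule)
    return start <= local_dt < end

def local_to_utc(local_iso, standard_offset_hours, rule):
    """Convert a naive local ISO 8601 stamp to UTC, adding one hour if DST applies."""
    local_dt = datetime.fromisoformat(local_iso)
    offset = standard_offset_hours + (1 if is_dst(local_dt, rule) else 0)
    return (local_dt - timedelta(hours=offset)).isoformat()

if __name__ == "__main__":
    # Constructed sample: a file stamp from an Eastern-time machine (UTC-5 standard).
    stamp = "2007-03-20T09:00:00"
    for rule in RULES:
        print(rule, stamp, "local ->", local_to_utc(stamp, -5, rule), "UTC")
```

For 20 March 2007 the old rule says standard time (UTC-5) and the new rule says DST (UTC-4), so the same stamp decodes to 14:00 or 13:00 UTC depending on which table the examiner's software carries.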
    • Daylight Saving Time
      • Daylight Saving Time is NOT observed in:
      • All of Hawaii
      • All of American Samoa
      • All of Guam
      • All of Puerto Rico
      • All of The Virgin Islands
    • Daylight Saving Time in AZ
      • Daylight Saving Time IS observed in the Navajo Indian Reservation in Arizona, New Mexico and Utah.
      • Daylight Saving Time is NOT observed anywhere else in the State of Arizona.
      • The Hopi Partitioned Land in the middle of the Navajo Reservation does NOT observe Daylight Saving Time.
      • So AZ does not, Navajo does, Hopi does not.
      • Got that?
    • Daylight Saving Time in Indiana
      • Daylight Saving Time in Indiana, well….
      • 77 of 92 counties do NOT change (white on the map)
      • 15 counties do change
        • Yellow
          • Gibson, Jasper, Lake, LaPorte, Newton, Porter, Posey, Spencer, Vanderburgh and Warrick counties
        • Blue
          • Clark, Dearborn, Floyd, Harrison and Ohio counties
    • Time Problems
      • Put time zones, daylight saving and date/time formats together and you have some complicated points to navigate when analyzing times and dates in digital evidence.
      • You’ll need to know how your software is affected, and where the computer was used and when.
      • To help, use this web site:
      • http://www.timeanddate.com/time/dst2006a.html
    • Time Problems
      • So what can happen if we get it wrong?
      • Palestinian Terrorists
      • In September 1999, the Palestinian West Bank was on daylight saving time while Israel had just switched back to standard time. West Bank Palestinians prepared time bombs and smuggled them to Arab Israelis, who misunderstood the time on the bombs. As the bombs were being planted, they exploded—one hour too early—killing three terrorists instead of the intended victims—two busloads of people.
    • Time Problems
      • Time Change Riots
      • Patrons of bars that stay open past 2:00 a.m. lose one hour of drinking time on the day when Daylight Saving Time springs forward one hour. This has led to annual problems in numerous locations, and sometimes even to riots. For example, at a "time disturbance" in Athens, Ohio, site of Ohio University, over 1,000 students and other late night partiers chanted "Freedom," as they threw liquor bottles at the police attempting to control the riot.
    • Time Problems
      • Manslaughter
      • In California, a Chevrolet Blazer packed with teenagers struck the median of a street and flipped over, tragically killing one teen and injuring several others. The teen driver, fighting charges of felony vehicular manslaughter, claimed that the street was dangerously wet and unsafe due to a lawn sprinkler system. The landscaper responsible for the computerized sprinklers testified that the sprinklers were set to come on more than fifteen minutes after the fatal accident. The outcome hinged on whether the sprinklers' timer had been adjusted for a recent Daylight Saving Time change, for without the DST adjustment the sprinklers had close to 45 minutes to make the road slick.
    • BREAK
      • Why did I take this class………
    • Sources of Time
      • The best source is atomic-based time
        • Internet time server
        • WWV & WWVB (radio time)
          • WWV on 5, 10, 15 and 20 MHz
          • WWVB on 60 MHz
        • Official US time from the web
          • http://nist.time.gov
    • Sources of Time
      • Other sources of time
        • Phone time (767-1212)? Not accurate
        • Cell phone? Not accurate
        • Radio News (start of every hour)? No
        • Observe Sunrise, Noon, Sunset? No…..
    • Sources of Time
      • Buy an automatic clock and check it against the nist.time.gov web site before going out.
    • Wrinkle in Time
      • File System Times and Dates
    • File System Times and Dates
      • In this class we are discussing the Microsoft family of operating systems (OS). Other OSes will be similar but not identical.
      • The following applies when applications and system programs operate through the file system’s standard calls. No funny business.
      • Custom-written programs can access files directly without changing any dates or times.
      • All of this relies on the accuracy of the system clock.
    • File System Times and Dates
      • The system clock does lose or gain time over time…… errr
      • The system clock can gain or lose time.
      • File time and dates rely on the system clock.
      • Some time and dates inside files are independent of the systems clock. More on that later….
      • The following may not always apply, your mileage may vary.
    • Not Again….
    • Where do we find Times and Dates
      • Directories and Folders
      • Within log files (there are a lot)
      • Within document files
      • In memory swap files
      • In databases
      • In emails
      • In firmware
      • In the $MFT (NTFS Master File Table)
    • Times and Dates in Directories (FAT)
      • Directories and folders are two terms for the same thing. Directory is the term used in DOS and folder is used in the Windows GUI*.
      • In FAT file systems you will find MAC dates and times kept in the directory.
      • In NTFS file systems you will find MACE dates and times kept in the Master File Table.
      • MAC(E)
        • Modified
        • Accessed
        • Created
        • Entry modified
      * Graphical User Interface
    • Times and Dates in Directories (FAT)
      • Modified
      • Modified: the last time the file was opened to be written to.
      • A file can be opened for writing, which updates the Modified time, without the application actually changing its contents.
    • Times and Dates in Directories (FAT)
      • Accessed
      • Accessed: the last time the file was opened. It does not matter whether it was for reading and/or modifying. Even viewing a file’s properties will change the last access date.
    • Times and Dates in Directories (FAT)
      • Created
      • Creation, the recorded date and time that the file was created on this media and/or in a specific partition or directory.
    • Times and Dates in Directories (NTFS)
      • In addition to the MAC times and dates you will find an Entry Modified time and date.
      • This is updated when a change is made to the file’s record in the Master File Table (MFT).
      • There is also a “Filename” date and time in the MFT. This is written at the time the filename was created and not touched again in the MFT.
      • This is normally not seen but is there… Uhmmmm
      • ProDiscover is the only forensic tool I know of that presents it to you. There is also an EnCase script available somewhere… At least that is what I was told.
    • Log Files
      • The OS keeps a number of log files with times and dates; here are a few:
      • Info2.dat (Recycle Bin)
      • Event Log files
        • system.evt, application.evt and security.evt
      • Applog files
      • Index.dat
      • Offitems.log
      • Registry entries can carry a last modified date.
      • Link files (.lnk), commonly called “shortcuts”.
    • Document Files
      • Office document files can contain MAC times and dates as well as last printed times and dates. Some files containing times and dates:
        • Word, Excel, PowerPoint, Word Perfect, HTML documents, Visio diagrams, MS Publisher files, Open Office documents.
    • Data Bases Files
      • Various databases can contain times and dates within the database files.
        • Access, SQL and Oracle
        • PST, NSF, DBX, MBX
        • Quicken, Versa Check
    • Memory Swap Files
      • The system swap file can contain dates and times from files held in memory. Index.dat files are a good example of this.
      • Look in the
        • Win 2k, XP – Pagefile.sys
          • temppf.sys if they moved the location of Pagefile.sys
        • Win 98, 95 – Win386.swp
        • Win 3.1 – 386spart.par & Win386.swp
    • Email Files
      • Email files contain dates and times. They will be on the Received lines of the headers and can also be in the body of the email.
      • The dates and times in an email can also be independent of the host computer’s clock: those come from the mail servers that processed the email.
    • Hard Drives
      • SMART data on hard drives keeps track of running time. Modern drives record how long they have been operating.
      • The MyKey Technology NoWrite™ write blockers allow you to get this data.
    • Wrinkle in Time
      • Calculating the time and date from encoded values.
      • Times and dates are usually encoded, but there are a number of different ways it is done.
      • It all comes down to doing a little math.
    • Wrinkle in Time
      • How many different types of encoded dates and times are there?
    • How Many would you like?
    • Date & Time Formats
      • Windows 64bit (Little Endian)
      • Windows 64bit (Big Endian)
      • Windows Cookie (LoValue, HiValue)
      • Windows File time
      • Unix Numeric
      • Unix 32bit (Little Endian)
      • MAC Absolute
      • MS-DOS 32bit
      • HFS 32bit (Little Endian)
      • HFS 32bit (Big Endian)
      • HFS+ 32bit (Little Endian)
      • HFS+ 32bit (Big Endian)
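Decoders for the formats in the list above, written for this page as an added example (not the presentation's code and not any of the tools it names): Windows 64-bit file time in both byte orders, the cookie-style LoValue/HiValue split, Unix numeric and 32-bit, Mac OS X absolute time, MS-DOS packed words and HFS/HFS+ seconds. The format names, the sample byte strings (all constructed to encode 2001-09-09 01:46:40) and the assumption that an MS-DOS 32-bit stamp carries the time word before the date word, as a FAT directory entry does, are mine.

```python
# Added example (not the presentation's code): decoders for the encoded date
# formats listed above, with constructed sample values. All return naive
# datetimes; FAT (MS-DOS) and HFS stamps are local time, the others UTC.
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)   # Windows FILETIME
EPOCH_1904 = datetime(1904, 1, 1)   # HFS (local) and HFS+ (UTC)
EPOCH_1970 = datetime(1970, 1, 1)   # Unix
EPOCH_2001 = datetime(2001, 1, 1)   # Mac OS X "absolute time"

def filetime(ticks):
    """Windows 64-bit file time: 100-nanosecond ticks since 1601-01-01."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def cookie_time(lo, hi):
    """Cookie/index.dat style: a FILETIME stored as two 32-bit halves."""
    return filetime((hi << 32) | lo)

def unix_time(seconds):
    return EPOCH_1970 + timedelta(seconds=seconds)

def mac_absolute(seconds):
    return EPOCH_2001 + timedelta(seconds=seconds)

def hfs_time(seconds):
    return EPOCH_1904 + timedelta(seconds=seconds)

def msdos_time(date_w, time_w):
    """FAT packed words: date = yyyyyyymmmmddddd (years since 1980),
    time = hhhhhmmmmmmsssss with seconds stored in 2-second units."""
    return datetime(1980 + (date_w >> 9), (date_w >> 5) & 0xF, date_w & 0x1F,
                    time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2)

def decode(fmt, raw):
    """Decode raw bytes in one of the slide's formats (format names are mine)."""
    if fmt in ("windows64_le", "windows64_be"):
        return filetime(struct.unpack("<Q" if fmt.endswith("le") else ">Q", raw)[0])
    if fmt == "unix32_le":
        return unix_time(struct.unpack("<I", raw)[0])
    if fmt in ("hfs32_le", "hfsplus32_le"):
        return hfs_time(struct.unpack("<I", raw)[0])
    if fmt in ("hfs32_be", "hfsplus32_be"):
        return hfs_time(struct.unpack(">I", raw)[0])
    if fmt == "msdos32":
        # Assumed FAT directory-entry layout: time word, then date word, little-endian
        time_w, date_w = struct.unpack("<HH", raw)
        return msdos_time(date_w, time_w)
    raise ValueError(f"unknown format {fmt}")

if __name__ == "__main__":
    # Constructed samples, all encoding 2001-09-09 01:46:40 (Unix 1000000000)
    print(decode("unix32_le", b"\x00\xca\x9a\x3b"))
    print(decode("windows64_le", b"\x00\x80\xff\x44\xd1\x38\xc1\x01"))
    print(decode("msdos32", b"\xd4\x0d\x29\x2b"))
    print(cookie_time(0x44FF8000, 0x01C138D1), mac_absolute(21692800))
```

Feeding the same 8 bytes to the little- and big-endian Windows decoders gives wildly different years, which is the usual sign that a stamp has been read with the wrong byte order.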
    • Windows Time and Date formats
      • This is why programs like EnCase, FTK and ProDiscover are nice: they do the hard work for us.
    • Windows Time and Date formats
      • Craig Wilson also provides a FREE tool for this:
      • http://www.digital-detective.co.uk/freetools/decode.asp
      • Thank you Craig.
    • Misc. Time and Date Issues
      • Each application or operation will affect the time and date differently.
      • Setting your time to London does not mean GMT (or UTC); London observes Daylight Saving Time. Set it to Casablanca, which does not.
    • Misc. Time and Date Issues
      • In a future presentation I plan to cover specific details on the files containing dates and times. This will include a list of the files, where they usually reside and how to extract the dates and times.
      • We will also look at the programs that can change the Time and Dates stamps and how to tell if one has been used.
    • Misc. Time and Date Issues
      • Thank you for your attention.
      • Mark Menz
      • 916-983-0348
      • [email_address]
      • Go check out - http://www.nowrite.com
      • …… And remember……
    • NoWrite FPU
      • Hard drive write blocker
      • FireWire to both PATA and SATA drives
      • Meets NIST standards for hardware write blocking
      • Provides DriveID and Smart data
      • Fast, reliable
      • From the inventors of hard drive write blocking.
      • $249.95
      • Yea, it’s a shameless plug……
      • Next month…… two PowerPoints.
      • Investigative: Web bugs, Server hiding.
      • Forensic: Link files are your friends