This document discusses time stamps on Windows systems and how to analyze them for forensic investigations. It explains that the real-time clock on the motherboard keeps system time, but it can be inaccurate and reset by users in the BIOS. The operating system synchronizes time with internet time servers. File creation times update under certain conditions but not others. While timestomping tools can alter MAC times, they do not change the file name attribute times in the MFT, allowing original times to still be identified. Independent testing of time stamp behavior is important for building forensic knowledge.
A presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvey and Jolanta Thomassen for wonderful research in the field. The work is based on their research.
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors (Jared Greenhill)
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTPs) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and the related workflow.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Current forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software.
E-mail investigations: exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools.
Cell phone and mobile device forensics: understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices.
In-depth forensic analysis of Windows registry files (Maxim Suhanov)
Uncovering the details of how a registry file is organized, how to locate & recover deleted data, and why third-party offline registry editors & viewers are failing to do their job well.
Errata.
- Page 8: "Zero-based", should be: "Zero-based, unset bits not counted".
- Page 12: "multiple delete records (entities)", should be: "multiple deleted records (entities)".
Facebook Forensics Toolkit (FFT) is a very simple forensic tool for finding out people's personal and behavioral information by extracting data from their Facebook profile.
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform (Basis Technology)
Autopsy™ is the premier free and open source end-to-end digital forensics platform built by Basis Technology and the digital forensics open source community. The platform has been in development since OSDF Con 2010, based on intense interest and collaboration from the digital forensics community, which determined the need for an open source end-to-end forensics platform that runs on Windows systems.
Autopsy version 3 is a complete rewrite from version 2 and is built to enable the creation of fast, thorough, and efficient hard drive investigation tools that can evolve with digital investigators’ needs. The standard installation includes features that rival commercial closed source offerings, without the associated costs.
FEATURES
Triage capability and real-time alerting
Automated workflow based on The Sleuth Kit™
Windows installation
Case management and report generation
Recent user activity extraction including: web history, recent documents, bookmarks, downloads, and registry analysis
Keyword and pattern search including: phone numbers, email addresses, URLs, and IP addresses
Hash lookup
Interesting files detection and timeline viewing
...and much more
For digital forensics investigators and analysts, there are numerous advantages to using open source software and software built on open source platforms like Autopsy and The Sleuth Kit:
• Transparent evidence extraction: Open source platforms allow you to look at the source code and to verify that the software is performing its functions in a forensically sound way. This can prove to be critical when testifying or preparing for litigation.
• Easily extensible: Open source platforms grow organically, and as the needs of their constituents and users change, so does their functionality.
• Active community of users and developers: In addition to the commercial support offered by Basis Technology, there is a wealth of information available in a community that has evolved over the last 11 years, where both users and developers are actively working to improve the software platform. This free knowledge base is an extremely powerful value add to your purchased enterprise support.
All data and programs are stored in a computer as Files and Folders.
Folders are containers (holders) of files.
Files and folders can appear at any level, similar to a family tree.
A file has a path because the path is the exact route you take through the folders to reach that file.
April 29, 2018 Remember that you must enter the answers t.docx (tarifarmarie)
April 29, 2018
Remember that you must enter the answers to your questions in Canvas. This file has been provided to allow
you to perform the hands-on tasks before starting the Canvas quiz. Also remember that this is a test, and you
are required to do your own work. It’s open book and open note, but you must NOT collaborate with any other
students, or receive outside assistance.
1. This is a "real" test, which means you must do your own work. It's an open book test, so you can use any
resources such as books, your notes, or the computer. However, you must do your own work. This means
that you must not ask other students, instructors, acquaintances, paid consultants, Facebook friends, etc.
for help. Any violations of the CBC Academic Honesty Policy will result in a failing grade for the course.
(NOTE - There are several questions on this test that require looking up data, such as the speed of various
memory types. If you don't want to memorize this information you can look it up.)
If you use any Internet resources, make sure that you do NOT copy and paste information unless
instructed. You can use the Internet, but you must put all answers in your own words. You will receive no
credit for any answers with copied material.
The test must be completed by 11:59 on the due date to receive full credit. Late tests will be accepted, but
only for seven calendar days after the original due date. Late tests will automatically lose 10 points. Late
tests will not be accepted after 7 days and you will fail the class.
A. I agree
B. I disagree
2. What is Registry?
A. A hierarchical database used by every computer to store settings and data
B. A hierarchical database used by computers running Windows to store settings and data
C. A relational database used by every computer to store settings and data
D. A relational database used by computers running Windows to store settings and data
3. True or False. Any program that runs on Windows will store all of its data in the registry.
1. True
2. False
4. Which of the following methods can be used to add or change registry data?
1. Use regedit to manually create or edit a registry key
2. Use a program such as any application in Windows Control Panel
3. Write a program that uses one of the registry API functions
4. All of the above
5. True or False. All of the data in registry is stored in files when Windows shuts down gracefully.
1. True
2. False
6. Which registry key holds the list of URLs the currently logged on user typed into Internet Explorer? (Note
- HK is an abbreviation for HKEY)
1. HK_CLASSES_ROOT\Software\Microsoft\Internet Explorer\TypedUrls
2. HK_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\TypedUrls
3. HK_CURRENT_CONFIG\Software\Microsoft\Internet Explorer\TypedUrls
4. HK_USERS\Software\Microsoft\Internet Explorer\TypedUrls
5. HK_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls
6. None of the above.
841- Advanced Computer Forensics
Unix Forensics Lab
Due Date: Please submit your answers to the Linux Lab dropbox by midnight of July 2nd 2013.
******************************************************************************
To challenge yourself, you may work on the advanced Unix forensics lab analyzing the Lewis USB image and writing a report about this case. See the file UNIXForensicslab-usb for details.
******************************************************************************
Objective
This lab will use Autopsy, PTK, Sleuthkit and foremost to analyze a given image. Read the entire document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.
Deliverable
Answer all the exercise questions and include screenshots as supporting data if necessary.
OPTIONS:
You can work on this lab by
1. using a bootable live CD, for example, backtrack 5
2. using the RLES vCloud.
3. using SANS Investigate Forensic Toolkit (SIFT) Workstation, http://computer-forensics.sans.org/community/downloads.
4. installing the software on your own system (check the appendix for more installation details).
If you choose to use the RLES vCloud, please continue.
Lab Setup for using RLES vCloud
This lab is designed to function on the RLES vCloud via https://rlesvcloud.rit.edu/cloud/org/NAT. Please FIRST read the RLES VCLOUD user guide in myCourses > Content > Hands-on Labs.
Special Browser Setting Requirement (See RLES VCLOUD user guide)
In order to view the console of virtual machines, the VMRC plugin must be installed within the browser. The first time the console is accessed, the plugin can be downloaded. In Internet Explorer, https://rlesvlcoud.rit.edu must be added to the Local intranet zone.
(Go to Tools -> Internet Options -> Security tab -> Local intranet, click the Sites button, click Advanced and add the URL.)
The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. (Yes, we know the certificate wasn’t issued by a commonly trusted certificate authority. Also check the user guide for your browser compatibility).
Use your RIT Computer Account credentials to gain access to the rlesvcloud interface.
To start, you will first create your vApp by following the instructions of Add a vApp Template to My Cloud in the RLES VCLOUD user guide. Make sure to follow the vApp name convention defined in the RLES VCLOUD user guide and select the vApp template, 841_Linux_Forensics, from the Public Catalogs. No network/IP address is needed for this lab.
Double click on the virtual machine to power it on. You should now have a Linux forensics machine with all the forensics tools needed to give you a highly interesting experience in forensic investigation. Log in to the virtual machine with
Username: root
Password: netsys
Exercise 1: Using Autopsy and Sleuthkit
Require.
1. Time Stamp Analysis of Windows Systems. Randall Karstetter, President, CTIN, randall@dataforensicslab.com. May 12, 2011, Seattle, Washington.
2. Disclaimer and Directive. DO NOT believe anything I say. Take notes, go back and test everything yourself. Keep a binder with all your testing notes and observations. Let me know (and all the others in CTIN) if I’m wrong or you find something good. Give a seminar!! (also a CTIN requirement)
3. Time of an Event. Critical to most computer investigations and the basis of timeline analysis. However, it is not an area that is well investigated, written up and published. In fact, what is written can be misleading and inaccurate, which puts the impetus on the individual examiner to conduct their own testing for now.
4. Where Computer Time Starts. The Real Time Clock (RTC) chip on the motherboard. It must have a battery to keep it running when power is off, usually a rechargeable lithium cell, although newer systems have supercapacitors. An oscillator circuit keeps time like a digital watch and is fairly accurate; however, it can fluctuate due to component quality and environment. It is not a time-critical device.
5. What Sets an RTC? A human. If the battery dies or if the BIOS is reset via jumper, a human must reset the BIOS time, which resets the RTC. Any human who has access to the BIOS has access to the RTC. Since Windows 2000 Workstation, the operating system can also reset the BIOS time.
6. What are BIOS Date Limits? Variable by BIOS manufacturer. AMI v02.54 (2003) range is 1980-2099. Phoenix v05CE (2010) range is 1981-2099. Easy to test: just go into the BIOS and scroll up and down. If the battery dies or stops holding a charge, the date will default to January 1 of the earliest year in the range. Note: CMOS batteries die regularly!
7. A Note About Computer Seizures. The textbook procedure is to go into the BIOS and compare the BIOS time to real wall time. Does the BIOS time at seizure provide ANY correlation to computer activity times in the past?
8. What Date and Time is Kept by the BIOS? Local time as entered by the human in the BIOS. On OS-updateable BIOSes, local time as calculated by the OS, or as entered by the user in Control Panel or on the Task Bar.
9. Do BIOSes Correct For DST? They tried that once in the past. It didn’t work out well: OSes couldn’t tell which BIOSes were updating, and BIOSes couldn’t tell which OSes were running. It ended up that more often than not the time got changed twice (off by two hours). Now, by convention, BIOSes do not correct for DST. On Win ME and older systems the user had to update the BIOS manually, and likewise on older hardware upgraded with newer OSes.
10. What Happens at Boot-Up? Windows requests the date and time from the BIOS. Windows converts the local time received to UTC based upon the TimeZone settings and whether Automatically Adjust for DST is enabled. Windows displays the calculated local time to the user on the task bar and at the command line in response to the >date and >time queries.
11. System Time Clock. At boot, Windows starts and maintains a System Time Clock which is independent of the RTC. This is the infamous number of 100-nanosecond clock ticks since January 1, 1601 (although, depending on hardware, the clock may only be advanced 64 times per second). The system clock is actually less accurate than the RTC, so the RTC is polled periodically.
12. Win32Time Service. Starting with Windows 2000, the Win32Time service is designed to look for a local time server or a remote internet time server (time.microsoft.com or time.nist.gov) and sync the System Time clock. Go see: http://msdn.microsoft.com/en-us/library/bb608215.aspx
13. Microsoft’s Time Statement. Computers that synchronize their time less frequently, such as computers running Windows XP Home Edition, computers with intermittent network connections, or computers that are not joined to a domain, are configured by default to synchronize with time.windows.com. Because they do not synchronize their clock frequently and because the factors that affect time accuracy may not be known, it is impossible to guarantee time accuracy on computers that have intermittent or no network connections.
14. Is the computer syncing with an NTP server? Go into the System event log and filter on event numbers 35 and 37.
15. Syncing Errors. Microsoft mentioned that if the local time and the time server are off by more than 15 hours, time syncing may fail. I set the date to 1/1/2099 and the sync failed. I set it to 16 hrs ahead and it failed the first time but synced on the second try. So the limit is somewhere around 15 hrs. As soon as time syncs, it updates the BIOS clock.
16. Frequency of Syncing. On my Windows XP-64 SP3 test system, the default sync frequency was 7 days, so the BIOS clock could remain wrong for up to seven days. There may be conditions that trigger a sync event sooner; I don’t know.
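As an added illustration of slides 10, 11 and 15 (not part of the original deck), the following Python models the boot-time conversion from the BIOS wall-clock reading to UTC, the FILETIME tick count since 1601, and the roughly 15-hour skew beyond which the author saw W32Time synchronisation fail. The US DST rule hard-coded here, the standard-offset argument and the 15-hour constant are assumptions for the example; Windows reads the actual rule from the TimeZoneInformation registry key.

```python
from datetime import datetime, timedelta, timezone

# Slide 11: the system clock counts 100-nanosecond ticks since 1601-01-01 00:00 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Slide 15: the author observed sync failing at roughly 15 hours of skew (assumed limit here).
SYNC_SKEW_LIMIT = timedelta(hours=15)


def filetime_to_utc(ticks: int) -> datetime:
    """Turn a raw FILETIME tick count into an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; a naive input is treated as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def _nth_sunday(year: int, month: int, n: int) -> datetime:
    """Midnight on the n-th Sunday of the given month (weekday(): Monday=0 ... Sunday=6)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def us_dst_in_effect(wall_clock: datetime) -> bool:
    """Assumed rule (US, 2007 onward): DST runs from 02:00 on the second Sunday of March
    to 02:00 on the first Sunday of November, judged on the wall-clock reading. The hour
    that repeats at the November change-over is ambiguous and is treated as daylight time."""
    start = _nth_sunday(wall_clock.year, 3, 2) + timedelta(hours=2)
    end = _nth_sunday(wall_clock.year, 11, 1) + timedelta(hours=2)
    return start <= wall_clock < end


def bios_local_to_utc(bios_local: datetime, std_offset_hours: int, auto_dst: bool) -> datetime:
    """Slide 10: Windows takes the local wall-clock time from the BIOS and applies the
    TimeZone bias, plus one hour of DST bias when 'Automatically adjust for DST' is on.
    Seattle, the deck's venue, is UTC-8 standard time and UTC-7 during DST."""
    bias = timedelta(hours=std_offset_hours)
    if auto_dst and us_dst_in_effect(bios_local):
        bias += timedelta(hours=1)
    return (bios_local - bias).replace(tzinfo=timezone.utc)


def sync_likely_to_fail(system_utc: datetime, server_utc: datetime) -> bool:
    """Slide 15: beyond roughly 15 hours of skew the author saw W32Time refuse to sync,
    so a clock that far off may stay wrong, and keep the BIOS clock wrong with it."""
    return abs(system_utc - server_utc) > SYNC_SKEW_LIMIT


if __name__ == "__main__":
    # Constructed BIOS reading: 09:00 local wall-clock time on the date of the talk.
    reading = datetime(2011, 5, 12, 9, 0)
    as_utc = bios_local_to_utc(reading, -8, True)
    print(as_utc.isoformat())            # 2011-05-12T16:00:00+00:00 (PDT is UTC-7)
    print(utc_to_filetime(as_utc))       # the same instant as a FILETIME tick count
    print(bios_local_to_utc(reading, -8, False).isoformat())  # DST adjust off: 17:00 UTC
```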
17. Consequences of a Wrong Date. Windows Update fails: “Error Code: 80072F8F Windows Update encountered an unknown error.” Windows Defender update fails. Norton Update fails. McAfee Update fails. Is it any wonder ~30% of infected computers we see have a wrong BIOS time? ~70% are in the future (dates range 1911-2050).
18. So, given the inaccuracies of BIOS time, how can we verify whether an event that is time-critical to the case did occur at the time the computer says it did?
19. Confidence Testing. Check the event logs to see if W32Time synchronizations occurred both before and after the event. Look into log files: sometimes antivirus definition updates will record the host server time in the log file, which can be compared to the file's Last Modified time. Look at the File Create dates of Windows KB files in the root of \Windows and then check Microsoft’s site for the release date of the KB update. If the computer was turned on the day it was released, the File Create date will likely be the same day. At the very least, the File Create date should not be BEFORE the release date.
20. More Things to Check. See if emails were exchanged before and after the event. Email headers will have server dates in them; correlate the server dates with the Received dates displayed in the email program. Some cookies and HTML files will have an embedded server time to compare to File Create times.
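Added example, not from the deck: the slide-14 filter on W32Time event IDs 35 and 37, turned into the slide-19 check that a synchronization occurred on both sides of the event of interest, run over a constructed System-log export. The three-column comma-separated layout and the use of the author's 7-day poll interval (slide 16) as the staleness bound are assumptions for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Slide 14: System-log event IDs that mark W32Time synchronising with a time source.
W32TIME_SYNC_EVENTS = {35, 37}
# Slide 16: the author measured a 7-day default poll interval on XP-64; used as the staleness bound.
DEFAULT_SYNC_INTERVAL = timedelta(days=7)

# Constructed System-log export (not real data): "local timestamp,event id,source".
SAMPLE_SYSTEM_LOG = """\
2011-05-09 08:02:11,6005,EventLog
2011-05-09 08:03:40,35,W32Time
2011-05-09 08:03:41,37,W32Time
2011-05-11 14:22:05,7036,Service Control Manager
2011-05-16 08:02:55,35,W32Time
2011-05-16 08:02:56,37,W32Time
2011-05-20 11:47:30,6006,EventLog
"""


def parse_log(text: str) -> list[tuple[datetime, int, str]]:
    """Parse the export into (timestamp, event id, source) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, source = line.split(",", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), source))
    return events


def sync_times(events: list[tuple[datetime, int, str]]) -> list[datetime]:
    """Timestamps of every W32Time sync event, oldest first."""
    return sorted(ts for ts, eid, _ in events if eid in W32TIME_SYNC_EVENTS)


def sync_bracket(events, when: datetime) -> tuple[Optional[datetime], Optional[datetime]]:
    """Slide 19: the last sync at or before the event and the first sync at or after it."""
    syncs = sync_times(events)
    before = max((t for t in syncs if t <= when), default=None)
    after = min((t for t in syncs if t >= when), default=None)
    return before, after


def sync_confidence(events, when: datetime, max_gap: timedelta = DEFAULT_SYNC_INTERVAL) -> str:
    """'bracketed': syncs on both sides within one poll interval, so the clock was being
    kept honest around the event; 'stale': bracketed, but the gap exceeds the interval;
    'unanchored': no sync on at least one side, so the timestamp needs corroboration
    from the other sources on slides 19 and 20."""
    before, after = sync_bracket(events, when)
    if before is None or after is None:
        return "unanchored"
    return "bracketed" if after - before <= max_gap else "stale"


if __name__ == "__main__":
    log = parse_log(SAMPLE_SYSTEM_LOG)
    for candidate in (datetime(2011, 5, 11, 14, 22, 5), datetime(2011, 5, 20, 11, 47, 30)):
        print(candidate, sync_bracket(log, candidate), sync_confidence(log, candidate))
```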
22. File Create Time “The time that the file was created.” Brian Carrier, File System Forensic Analysis “The time at which the file was…originally created.” Harlan Carvey, Windows Forensic Analysis 2009 “This value reflects when a particular file was created at that location.” Guidance Software, EnCEP Study Guide “Unix systems maintain…ctime as the time when certain file metadata, not its contents, were last changed. Windows systems are the only systems that use ctime to mean creation time.” www.forensicwiki.org/wiki/MAC_times “The file create date and time will depend on whether the file was copied or moved.” Microsoft, Technet
23. Fresh Install of Windows 7 on 5/4/2011 All file dates were sorted by Create Date and shown are the oldest Create Dates seen. Note MFT Record Date of 5/4/2011.
24. File Create Date Updates Reflect the start time a new file was being created in a folder. Is updated if a file is downloaded from the internet. Is updated if a file is extracted from a ZIP file. Is updated if copying a file to a new folder or copying a folder. Is updated if a file is moved to a folder using the command line “move” command. (Page 416, WFA 2ndEd, Harlan Carvey) Is changed to the original NTFS Modified Time when burned onto a CD using Nero 6.
25. Create Dates Not Updated When moving a file from one folder to another using Windows Explorer. When moving a folder with Windows Explorer. When extracted from a CAB file. When restored from a tape backup or similar special backup/restore program.
26. RK’s Definition of Create Time The time a file was first created in a folder. Or copied into the current folder using Windows Explorer, or copied with a folder, or moved into the current folder using the command line “move”. Or the time it was created somewhere else and moved into the current folder using Windows Explorer or extracted/restored using special software.
27. File Modified Time “Last Written: Indicates the last date and time that a file was actually opened, edited, then saved. If a file is merely opened then closed (but not altered), or opened, edited, and closed with no save, then this column will not update.” Guidance Software, Time/Date stamp issues “The last modified time is set when the value of any $DATA, $INDEX_ROOT, or $INDEX_ALLOCATION attributes are modified.” Brian Carrier, File System Forensic Analysis.
28. Modified Time Updates Creating a new file, of course. Changing anything in the $DATA attribute and then saving the file. This could be resizing a JPG, changing margins in a Word doc, or highlighting a cell in Excel. This doesn’t have to be done by a user. It could be a program updating, say, a log file, or a virus inserting and hiding code. Opening a file in an editing program and changing nothing but clicking on Save.
29. Modified Times Static When copying or moving files from one folder to another. When copying files from a CD onto a hard drive. When extracted/restored using special software. If opened in an editing program and closed without modifying or saving. Renaming the folder (which I thought would change $INDEX_ROOT. I couldn’t figure out how to change $INDEX_ROOT to update Modified Time).
30. RK’s Definition of Modified Time The last time a file was created, saved with modifications or saved without modifications either by a user or program.
31. Last Accessed Time “The time that the content of the file was last accessed.” Brian Carrier, File System Forensic Analysis “Displays the date of the last activity of the file. A file does not have to be altered for the last-accessed date to change—only accessed. Any activity (such as viewing, dragging or even right-mouse clicking) may change the Last Accessed date. The last-accessed date may also change if the file is accessed by a program, such as a virus checker.” EnCEP Study Guide
32. Last Accessed Updates Creating a new file. Copying or moving a file. Copying a folder containing a file. Highlighting a file in Windows Explorer, either by left-clicking once on the file name or using Control-A to highlight all the files in the folder. Turning Thumbnail view on in a folder containing images. Being scanned by an anti-virus/anti-spyware program.
33. Programs Altering Last Accessed
Software                              Modified Last Accessed Time?
Norton Anti-virus 2006                Yes
e-Trust EZ anti-virus v 7.1.8.0       Yes
F-prot anti-virus v3.16c              Yes
McAfee virus scan 2005                Yes
Microsoft Windows Defender Beta 2     Yes
Spybot SD v1.4                        No
PC-cillin 2005                        No
WinXP file searching tool             Yes
Taken from Table 1, page 4, The Rules of Time on NTFS File System, K. P. Chow, Frank Y. W. Law, Michael Y. K. Kwan, K. Y. Lai, Department of Computer Science, the University of Hong Kong.
34. Last Accessed Time Static In Windows Explorer, highlighting the folder in the left window without highlighting the file name in the right window. Moving a folder containing a file. Renaming the folder name.
35. Last Accessed Quirks Turned off by default on Windows Servers and Windows 7. CDs do not have Last Accessed times. FAT partitions will show a Last Accessed time of 12:00:00 AM on the date they were last accessed, regardless of the actual time they were last accessed. Microsoft says there may be a delay of up to one hour from the actual time of Last Access until the $SYSTEM_INFORMATION attribute is updated.
36. RK’s Definition of Last Accessed The last time, sometimes available, of when a file was created, opened, copied or moved individually, highlighted either individually or in a batch, viewed as a thumbnail or scanned or updated by a program. In the case of a FAT volume, the last date only of when a file was thus accessed.
37. Entry (MFT) Modified Time “The time that the metadata of the file was last modified.” Brian Carrier, File System Forensic Analysis “Entry Modified refers to the file’s record entry and its information, such as the file size or file location. This is a file system modification and not a user modified value. This property is not normally used for eDiscovery.” EnCEP Study Guide
38. MFT Modified Updates When a new file is created. When any of the file attributes are changed (Read Only, Hidden, System, Archive). Renaming or moving individually in the same volume. Copying from another volume when a file with the same name exists anywhere on the destination volume. Time moved or deleted from a volume. When an application opens a file but does not modify or save it (tested with Notepad. Note the difference with Last Modified).
39. MFT Modified Static File copied or moved between volumes on the same computer as long as a file with the same name is not anywhere on the destination. File within a folder copied or moved between volumes on the same computer.
40. RK’s Definition of MFT Modified The time a file was created on the computer regardless of volume, the last time a file attribute was updated, the last time a file with a similar name was copied onto a new volume or the last time the file was opened by an application.
41. Brett Shavers, CTIN Registry Forensics Seminar, August 14, 2008 “MFT record update entry time should match the MAC dates. If not, date manipulation could have occurred.”
42. File Copied from Server to C: when a file existed on Volume C: with the same file name The file Timestomp.txt was copied from a server onto local volume C: when a file by that same name existed in another folder on C: Date Created, Date Accessed were updated, Date Modified is as it was on the server, MFT Record Date remained the same as the Record Date of the existing file. And no, no manipulation took place.
43. THE DREADED TIMESTOMP “Timestomp changes all four MACE times!” “With anti-forensic tools such as Timestomp, how can any dates and times found on a suspect computer be deemed reliable!”
44. Has anyone had a case where a timestomping program was used or suspected of being used? Has anyone read of such a case?
46. Mistake # 1 Timestomp, stamp, filetouch and all such programs are designed to be used from a command prompt. Most computer users, and many young people who grew up with a mouse in their hands don’t know what a command prompt is. So how are they likely to download and use the program?
47. Program downloaded and clicked on from Desktop or Windows Explorer to launch. Link file created and persists after the program is deleted. BUSTED!
48. THE ACHILLES HEEL Yes, timestomping programs do change all four MACE times. But, they only change the $SYSTEM_INFORMATION attributes in the MFT, NOT the $FILE_NAME attributes.
49. USE FTK IMAGER Using FTK Imager, open the $MFT file in the root of the volume. Under View, turn on Hex Value Interpreter. Put the cursor anywhere in the hex data displayed, right-click and search for the filename. When found, count five rows down from the line that starts with “FILE0”. The first eight bytes are the $SYSTEM_INFO Create Date. The next eight are the File Modified. On the next line down, the first eight bytes are the MFT Modified and, to the right, the next eight bytes are Last Accessed.
50. This is a Timestomped file. Note the Date Created, Last Accessed, Last Modified and MFT Record Date on the left.
51. This is the file with the eight bytes starting at offset x050 highlighted and showing the hex value decoded. This is the File Create time in the $SYSTEM_INFORMATION attribute. The eight bytes just to the right of this is the File Modified time, the eight bytes starting on the next line down is the MFT Modified Time and the eight bytes to the right of that is Last Accessed.
52. Going down to the line that starts at offset x0c0, this is the start of the $FILE_NAME attribute, which is a copy of the $SYSTEM_INFORMATION attribute but doesn’t change and is not touched by any of the timestomping programs (at least yet). Highlight the first eight bytes and you’ll see the original File Create Time. Highlight the other byte strings to see the other times. BUSTED!
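The manual FTK Imager walk-through on slides 49 to 52 can be automated. The script below is an added example, not part of the original slides: it parses one MFT FILE record by its attribute headers (so it does not depend on the fixed row offsets the slides count), pulls the four times from $STANDARD_INFORMATION (the attribute the slides call $SYSTEM_INFORMATION) and from $FILE_NAME, and reports $FILE_NAME disagreements worth explaining. The record, the file name and the dates are constructed for the example; the same functions accept a raw 1024-byte record extracted from a real $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

STANDARD_INFORMATION, FILE_NAME = 0x10, 0x30   # NTFS attribute type codes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = 10_000_000  # a FILETIME counts 100 ns ticks, so this is one second

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def record_timestamps(record):
    """Walk one FILE record by its attribute headers and return the four FILETIMEs in
    $STANDARD_INFORMATION ($SYSTEM_INFORMATION on the slides) and the four in $FILE_NAME."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    times, off = {}, struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
            break
        body = off + struct.unpack_from("<H", record, off + 0x14)[0]  # resident content offset
        if atype == STANDARD_INFORMATION:
            times["SI"] = struct.unpack_from("<4Q", record, body)
        elif atype == FILE_NAME:  # content starts with an 8-byte parent directory reference
            times["FN"] = struct.unpack_from("<4Q", record, body + 8)
        off += alen
    return times
def timestomp_indicators(record):
    """Leads, not proof: a backup restore can also leave $SI created earlier than $FN."""
    t, out = record_timestamps(record), []
    if t["SI"][0] < t["FN"][0]:
        out.append(f"created: $SI {filetime_to_dt(t['SI'][0])} precedes $FN {filetime_to_dt(t['FN'][0])}")
    for label, si, fn in zip(("created", "modified", "mft_modified", "accessed"), t["SI"], t["FN"]):
        if si % TICK == 0 and fn % TICK:  # whole-second $SI next to a fractional $FN
            out.append(f"{label}: $SI sub-second precision is zero, $FN is not")
    return out
def build_record(name, si_times, fn_times):
    """Constructed minimal FILE record for the example (update-sequence fixups omitted)."""
    def attr(atype, content):
        content += bytes(-len(content) % 8)   # attributes are 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content), 0, 0, 24, 0, 0, len(content), 24, 0, 0) + content
    si = attr(STANDARD_INFORMATION, struct.pack("<4Q", *si_times) + bytes(40))
    fn = attr(FILE_NAME, struct.pack("<7QIIBB", 5, *fn_times, 0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le"))
    body = si + fn + b"\xff\xff\xff\xff"
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024, 0, 2, 0, 42)
    return (hdr.ljust(0x38, b"\0") + body).ljust(1024, b"\0")

ft = lambda *a: (datetime(*a, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
REAL, STOMPED = ft(2011, 5, 4, 14, 12, 33, 500000), ft(2009, 1, 1)   # constructed sample dates
SAMPLE = build_record("Timestomp.txt", (STOMPED,) * 4, (REAL,) * 4)  # $SI rolled back, $FN intact
```

Running `timestomp_indicators(SAMPLE)` returns five findings for the constructed record: the backdated $SI create time and the zeroed sub-second fields on all four $SI stamps.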
53. Now go do some testing and report back to me if you find I made any mistakes and if you find some juicy information. We need independent exploration, testing and presentations to help build a documented reference for the undocumented space we work in. That’s what CTIN is all about, and I’m grateful to Brett Shavers and all the others who have brought us here and keep us going. Lend your hand!