Security Basics mailing list archives
Re: Questions about PC clock operations
From: Jim Mellander <jmellander () lbl gov>
Date: Wed, 30 Aug 2006 10:12:13 -0700
As Scott indicates, pointing your systems to one or more NTP servers is the way to go. NTP servers get their time (either directly or indirectly) from a stable source and use advanced algorithms to correct for network latency and clock drift. Our experience is that NTP will, for the most part, keep system clocks within several milliseconds of true time, depending on the quality of your network connection.

When I've had to do forensics on a system which is not synchronized via NTP, I look for a network event that is both logged by our sensors (which have correct time) and by the system itself. The time difference (strictly speaking only valid at that instant in time, and typically with a 1 second resolution) allows determining the true time of logged events on the system (always, of course, subject to the possibility of tampering, and minor clock skew).

Scott Ramsdell wrote:

> Ricci,
>
> In a corporate environment you would typically deploy a network time protocol (NTP) server. The NTP server either points to an external reference NTP server, or to its own BIOS clock if corporate policy prevents synching to an external time source. Then, all *nix computers and all appliances, firewalls, IDS, routers, etc. are pointed to the NTP server.
>
> You would also specify the NTP server as the time source in the appropriate reg key on your Windows domain controllers. Typically, the DC running the FSMO role for PDC Emulator is also the NTP server. When a Windows client logs in, it checks its time against the DC, and adjusts accordingly. You can find the exact way a Windows client adjusts itself on the Microsoft site; I know it's there somewhere as I had to do this years ago. The formula depends on how far out of agreement the client is.
>
> It is very important that all of your devices agree what time something occurred on your network, and the NTP server is the way you do that.
>
> Best Regards,
> Scott Ramsdell
--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:
Yeah, yo mama dresses you funny and you need a mouse to delete files.
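The offset-correction step Jim describes, worked through as an added example (this is not code from the original post or from the poster). It assumes a constructed sensor log with millisecond timestamps from an NTP-synchronized sensor, a constructed BSD-syslog host log with whole-second timestamps, both in UTC, and a single event (a failed SSH login from 10.0.0.5) that appears in both. The offset is derived from that one event and then applied to the rest of the host log; the returned bounds carry the one-second resolution caveat from the post, since both the anchor entry and each corrected entry were truncated to whole seconds.

```python
"""Clock-offset correction for an unsynchronized host's logs (added example)."""
from datetime import datetime, timedelta

# Constructed sample data. The sensor has correct (NTP) time; the host does not.
# Assumption: both logs are in UTC. Syslog lines carry no year, so it is supplied.
SENSOR_LOG = [
    "2006-08-29T14:03:17.482 alert src=10.0.0.5 dst=10.0.0.9 dport=22 sig=ssh-auth-failure",
]
HOST_LOG = [
    "Aug 29 13:58:03 host sshd[4211]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Aug 29 13:58:05 host sshd[4211]: Failed password for root from 10.0.0.5 port 51240 ssh2",
    "Aug 29 14:12:44 host sshd[4300]: Accepted password for bob from 10.0.0.7 port 51300 ssh2",
]
SYSLOG_RESOLUTION = timedelta(seconds=1)  # syslog timestamps are whole seconds


def parse_sensor(line):
    """Split a sensor line into (datetime, message)."""
    ts, msg = line.split(" ", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"), msg


def parse_syslog(line, year):
    """Split a BSD-syslog line into (datetime, message); the year is not in the line."""
    ts, msg = line[:15], line[16:]
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), msg


def clock_offset(sensor_time, host_time):
    """Amount to add to the host clock to obtain true time.

    Strictly valid only at the instant of the anchor event: drift before or
    after it is not modelled, and a tampered log defeats this entirely.
    """
    return sensor_time - host_time


def find_anchor(sensor_line, host_lines, year, key="10.0.0.5"):
    """Return the host log entry that matches the sensor event by a shared key
    (here the source IP); the first match is the event the sensor saw."""
    for line in host_lines:
        if key in line:
            return parse_syslog(line, year)
    raise ValueError(f"no host entry mentions {key}")


def correct_log(lines, offset, year, resolution=SYSLOG_RESOLUTION):
    """Return (earliest, latest, message) per host entry in true time.

    The anchor timestamp was truncated by up to one second and so was each
    entry, so the corrected time is known only to within +/- one second.
    """
    out = []
    for line in lines:
        t, msg = parse_syslog(line, year)
        corrected = t + offset
        out.append((corrected - resolution, corrected + resolution, msg))
    return out


if __name__ == "__main__":
    year = 2006
    s_time, _ = parse_sensor(SENSOR_LOG[0])
    h_time, _ = find_anchor(SENSOR_LOG[0], HOST_LOG, year)
    off = clock_offset(s_time, h_time)
    print(f"host clock is behind true time by {off}")
    for lo, hi, msg in correct_log(HOST_LOG, off, year):
        print(f"[{lo:%H:%M:%S.%f} .. {hi:%H:%M:%S.%f}] {msg}")
```

In practice the anchor should be an event whose identity is unambiguous on both sides (the sensor alert's source and destination tuple against the matching sshd line), and if the host log spans days it is worth anchoring on two widely separated events to see whether the offset itself is drifting.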
Current thread:
- Questions about PC clock operations ricci (Aug 29)
- RE: Questions about PC clock operations Robert D. Holtz - Lists (Aug 30)
- Re: Questions about PC clock operations tony barry (Aug 30)
- <Possible follow-ups>
- RE: Questions about PC clock operations Scott Ramsdell (Aug 30)
- Re: Questions about PC clock operations Jim Mellander (Aug 31)
- RE: Questions about PC clock operations Dave Lapsley (Aug 31)