Security Basics mailing list archives

Re: Questions about PC clock operations


From: Jim Mellander <jmellander () lbl gov>
Date: Wed, 30 Aug 2006 10:12:13 -0700

As Scott indicates, pointing your systems to one or more NTP servers is
the way to go.  NTP servers get their time (either directly or
indirectly) from a stable source and use advanced algorithms to correct
for network latency and clock drift.  Our experience is that NTP will,
for the most part, keep system clocks within several milliseconds of
true time, depending on the quality of your network connection.

When I've had to do forensics on a system which is not synchronized via
NTP, I look for a network event that is both logged by our sensors
(which have correct time), and by the system itself.  The time
difference (strictly speaking only valid at that instant in time, and
typically with a 1 second resolution) allows determining the true
time of logged events on the system (always, of course, subject to the
possibility of tampering, and minor clock skew).


Scott Ramsdell wrote:
Ricci,

In a corporate environment you would typically deploy a network time
protocol server (NTP).  The NTP server either points to an external
reference NTP server, or to its own BIOS clock if corporate policy
prevents synching to an external time source.

Then, all *nix computers and all appliances, firewalls, IDS, routers,
etc. are pointed to the NTP server.  You would also specify the NTP
server as the time source in the appropriate reg key on your Windows
domain controllers.  Typically, the DC running the FSMO role for PDC
Emulator is also the NTP server.

When a Windows client logs in, it checks its time against the DC, and
adjusts accordingly.  You can find the exact way a Windows client
adjusts itself on the Microsoft site; I know it's there somewhere, as I
had to do this years ago.  The formula depends on how far out of
agreement the client is.

It is very important that all of your devices agree what time something
occurred on your network, and the NTP server is the way you do that.

Best Regards,
Scott Ramsdell




-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

Yeah, yo mama dresses you funny and you need a mouse to delete files.
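The offset technique Jim describes above, worked through as an added example (not code from the thread): a common event recorded by an NTP-synchronised sensor and by an unsynchronised host gives the host clock's offset at that instant, which then corrects the host's other log entries with a one-second uncertainty window. It also goes one step further than the post and, given two common events, interpolates a linearly drifting offset (clock skew). Log lines, hostnames, ports and the assumption that the host logs in UTC are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the thread). The sensor keeps NTP
# time; the host's clock is unsynchronised. Two SSH connections (source
# ports 40112 and 40987) appear in both logs and serve as common events.
SENSOR_LOG = [
    "2006-08-30T17:02:41Z sensor conn 10.0.0.5:40112 -> 10.0.0.9:22",
    "2006-08-30T23:02:53Z sensor conn 10.0.0.5:40987 -> 10.0.0.9:22",
]
HOST_LOG = [
    "2006-08-30 16:55:03 sshd[2211]: Accepted publickey for alice port 40112",
    "2006-08-30 17:10:12 sudo: alice : COMMAND=/bin/tar",
    "2006-08-30 22:55:03 sshd[3417]: Accepted publickey for alice port 40987",
]
HOST_TZ = timezone.utc  # assumption: the host writes its log timestamps in UTC

def parse_sensor(line):
    ts = line.split(" ", 1)[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_host(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)

def clock_offset(sensor_ts, host_ts):
    """true_time = host_time + offset; strictly valid only at this instant."""
    return sensor_ts - host_ts

def correct(host_ts, offset, resolution=timedelta(seconds=1)):
    """Corrected time plus an (earliest, latest) window: both logs record
    whole seconds, so the offset itself is uncertain by about one second."""
    est = host_ts + offset
    return est, est - resolution, est + resolution

def correct_with_drift(host_ts, anchors):
    """With two common events, treat the offset as changing linearly between
    them (clock skew) and interpolate or extrapolate it for host_ts."""
    (s1, h1), (s2, h2) = anchors
    o1, o2 = clock_offset(s1, h1), clock_offset(s2, h2)
    frac = (host_ts - h1) / (h2 - h1)
    return host_ts + o1 + (o2 - o1) * frac

def anchors():
    """Pair each sensor event with the host line that logs the same port."""
    pairs = []
    for s_line in SENSOR_LOG:
        port = re.search(r":(\d+) ->", s_line).group(1)
        h_line = next(h for h in HOST_LOG if h.endswith("port " + port))
        pairs.append((parse_sensor(s_line), parse_host(h_line)))
    return pairs
```

In the constructed data the host runs 458 s slow at the first event and 470 s slow six hours later, so a single-anchor correction of the `sudo` line is about half a second off from the drift-aware one, well inside the one-second window the post warns about.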
