PaulDotCom mailing list archives
Forensic Timestamps Question
From: bcg at struxural.com (Ben Greenfield)
Date: Wed, 30 Sep 2009 16:45:28 -0400
I'm doing a forensic analysis of a Zeus/Zbot infection for a client. I came across something kind of interesting that I didn't initially notice, and I'm hoping that someone can confirm or blow away a thought I just had. Here is some backup information:

    ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
    -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe

    ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
    -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe

For argument's sake, let's assume that the timestamps are accurate and that the malware isn't modifying its creation timestamp (which I wonder about because of 2009-02-09 and 2009-09-02 having numbers swapped). If I'm not mistaken, the -0400 and -0500 refer to the offset from Greenwich Mean Time. If that's the case, is it fair for me to assume that -0500 indicates that the computer which created the malware was configured with a different timezone than the one which was infected?

Thanks, I look forward to people with more experience than me saying smart stuff now :)
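An added example, not part of the original post or of any reply to it. GNU ls prints timestamps in the local timezone of the host doing the listing (its TZ setting), and NTFS stores file times in UTC, so the numeric offset in `--full-time` output is produced by the analysis box, not by the machine that created or received the file. -0500 and -0400 are the US Eastern standard and daylight offsets, and the post itself is dated -0400, so the script below assumes the examiner's host is set to US Eastern (an assumption) and applies the post-2007 US DST rule (second Sunday of March to first Sunday of November). It parses the two ls lines quoted in the post, embedded here as constructed input, normalises them to UTC, and checks whether each printed offset is exactly what that host would print for that instant; a mismatch would be the thing worth investigating, a match means the two different offsets are explained by the date alone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two `ls --full-time` lines quoted in the post
# (`-lt` lists the modification time, `-ltu` the last access time).
MTIME_LINE = "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe"
ATIME_LINE = "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe"

# Matches the `--full-time` tail: date, time, fractional seconds, numeric UTC offset, name.
FULL_TIME_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<sign>[+-])(?P<hh>\d{2})(?P<mm>\d{2}) (?P<name>\S.*)$"
)


def parse_full_time(line):
    """Return (instant_in_utc, printed_offset, filename) for one ls --full-time line."""
    m = FULL_TIME_RE.search(line)
    if m is None:
        raise ValueError("not an ls --full-time line: %r" % line)
    offset = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
    if m["sign"] == "-":
        offset = -offset
    local = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(offset))
    return local.astimezone(timezone.utc), offset, m["name"]


def nth_sunday(year, month, n):
    """UTC midnight of the n-th Sunday of the given month (weekday(): Mon=0 .. Sun=6)."""
    first = datetime(year, month, 1, tzinfo=timezone.utc)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def us_eastern_offset(instant_utc):
    """Offset a US Eastern host applies at that instant, post-2007 rule.

    Assumption: the analysis host is configured for US Eastern. DST starts at
    02:00 local on the second Sunday of March (07:00 UTC) and ends at 02:00
    local on the first Sunday of November (06:00 UTC).
    """
    year = instant_utc.year
    dst_start = nth_sunday(year, 3, 2) + timedelta(hours=7)
    dst_end = nth_sunday(year, 11, 1) + timedelta(hours=6)
    if dst_start <= instant_utc < dst_end:
        return timedelta(hours=-4)   # EDT
    return timedelta(hours=-5)       # EST


def offset_explained_by_examiner_clock(line):
    """True when the printed offset is what a US Eastern analysis host prints for that instant."""
    instant, printed, _ = parse_full_time(line)
    return us_eastern_offset(instant) == printed


def to_utc_string(line):
    """The timestamp as stored on disk (NTFS keeps file times in UTC), for cross-host timelines."""
    instant, _, _ = parse_full_time(line)
    return instant.strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for label, line in (("mtime", MTIME_LINE), ("atime", ATIME_LINE)):
        print(label, to_utc_string(line),
              "offset matches examiner's zone:", offset_explained_by_examiner_clock(line))
```

Both quoted lines pass the check: 2009-02-09 falls before the 8 March 2009 DST start, so the host prints -0500, and 2009-09-02 falls inside DST, so it prints -0400. For timeline work against Windows-side artifacts, use the UTC value the script returns rather than the local rendering. Two practical caveats: `ls -l` shows mtime, `-lu` atime and `-lc` ctime, but GNU ls has no creation-time column at all, so nothing in that output speaks to when the file was created; and an atime is only meaningful if the image was mounted read-only (or noatime), otherwise the examiner's own reads update it.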