PaulDotCom mailing list archives
How much do timestamps matter?
From: joel.folkerts at gmail.com (Joel Folkerts)
Date: Thu, 13 Aug 2009 15:48:03 -0500
SANS recently posted an article discussing timeline creation and analysis - https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/

-Joel
"The path to hell is paved with good intentions."

On Wed, Aug 12, 2009 at 12:45 PM, Nicholas B. <nberthaume at gmail.com> wrote:

While it can create an issue when a user is able to modify timestamps, those that they can't change, such as last access time, can prove useful. These stamps can yield information on probes of files not actively looked at by others, for evidence of probing for vulnerable configuration settings by a malicious user who is unable to make modifications to those files but has read access to them. This only works on filesystems that record that stamp and didn't shortsightedly disable it (i.e. Vista) for performance reasons, and where automatic processes (indexing, virus scans, etc.) haven't run on them since the incident in question occurred.

On 8/12/09, David Kovar <dkovar at gmail.com> wrote:

Greetings,

Timestamps are one clue to a subject's activity but are rarely the smoking gun, for many reasons. They can be intentionally modified, various automated processes can update them, the system's clock may be off (intentionally or accidentally), various actions may not preserve them, .... Used in conjunction with other information, file system or metadata timestamps can be very useful. If the physical security log at the front desk shows the subject entering the building 15 minutes before they log on to the domain server and then the prefetch shows Limewire running right after that, leading to files being created shortly after that ....

-David

On Wed, Aug 12, 2009 at 3:14 AM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:

Timestamps may matter a lot if you refute your role in downloading such niche bedtime reading. The old "A virus must have downloaded it" might have less credibility if timestamps show the files to have been created over a considerable period of time. Remember that evidence in isolation may seem meaningless. If, for example, you have corroborating evidence from browser history, logs or ISP records, timestamps might provide strong evidence.

Jim

On 12/08/2009, Grymoire <pauldotcom at grymoire.com> wrote:

As the subject states, how much do file timestamps matter to a forensics case? If someone finds my collection of "Nazi albino midget Eskimo" porn, does it really matter what the date is?

I'm not a forensic expert, but as I understand it, timestamps help paint an accurate recreation of events. An expert describes a series of events, such as entries in the log file, access times, modification times, registry entries, etc. Some experts say that you can usually re-create an event even if someone tries to hide their traces (i.e. modify timestamps). I think a lot depends on the OS and logging capability. And if the log is stored on a centralized log server, hiding traces is more difficult.

--
Sent from my mobile device

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
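David's front-desk-to-Limewire sequence and Nicholas's caveat about disabled last-access updates, as an added example that is not part of any poster's message: a small Python timeline builder that normalises a badge log, a domain-controller logon record, prefetch entries and a file's MAC times onto one UTC clock, subtracts a measured workstation clock skew, and flags access times as untrusted where the volume does not maintain them. Every record, host, user name, time zone and the 4-minute skew below is constructed for illustration, not evidence from a real case.

```python
"""Merge file timestamps with other logs into one ordered timeline.

Added example for this thread, not code from any poster. All records below are
constructed; hosts, user names, formats, zones and the clock skew are assumptions.
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BADGE_TZ = timezone(timedelta(hours=-5))  # assumed local zone of the badge reader


@dataclass(frozen=True, order=True)
class Event:
    when: datetime        # normalised to UTC so every source sorts on one clock
    source: str
    detail: str
    trusted: bool = True  # False when the stamp is known to be unreliable


def badge_events(lines, tz=BADGE_TZ):
    """Front-desk badge log: 'YYYY-MM-DD HH:MM:SS,action,holder' in local time."""
    out = []
    for line in lines:
        ts, action, holder = line.split(",")
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        out.append(Event(local.astimezone(UTC), "badge", f"{holder} {action}"))
    return out


def logon_events(lines):
    """Domain controller logons, already stamped in UTC ('...Z')."""
    out = []
    for line in lines:
        ts, user, host = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        out.append(Event(when, "dc-logon", f"{user} on {host}"))
    return out


def prefetch_events(lines, skew=timedelta(0)):
    """Prefetch last-run times read from the workstation, whose clock may be off.
    skew = (workstation clock - true time) measured at acquisition; subtracting
    it puts these entries on the same clock as the badge and DC records."""
    out = []
    for line in lines:
        name, ts = line.split(",")
        observed = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
        out.append(Event(observed - skew, "prefetch", f"{name} last run"))
    return out


def file_events(path, skew=timedelta(0), atime_updates_enabled=True):
    """MAC times of one file, skew-corrected like the prefetch data. Last-access
    is flagged untrusted when the volume does not maintain it (Vista's default
    NtfsDisableLastAccessUpdate, noatime mounts) or when indexing/AV scans have
    touched the file since the incident."""
    st = os.stat(path)

    def corrected(epoch):
        return datetime.fromtimestamp(epoch, UTC) - skew

    return [
        Event(corrected(st.st_mtime), "fs", f"{path} modified"),
        Event(corrected(st.st_atime), "fs", f"{path} accessed",
              trusted=atime_updates_enabled),
        Event(corrected(st.st_ctime), "fs", f"{path} metadata changed"),
    ]


def build_timeline(*sources):
    """Flatten every source and sort on the corrected UTC clock."""
    return sorted(ev for src in sources for ev in src)


# Constructed sample records: badge times are local, the DC writes UTC, and the
# workstation clock is assumed to run 4 minutes fast.
BADGE = ["2009-08-12 08:30:00,entered,J.Doe"]
LOGONS = ["2009-08-12T13:45:10Z,J.DOE,WKS01"]
PREFETCH = ["LIMEWIRE.EXE-1A2B3C4D.pf,2009-08-12 13:53:00"]
WKS_SKEW = timedelta(minutes=4)


def stage_sample_file():
    """Write a throwaway file and back-date its mtime/atime to constructed
    workstation-clock values (ctime cannot be set this way and stays 'now')."""
    path = os.path.join(tempfile.mkdtemp(), "download.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample content")
    mtime = datetime(2009, 8, 12, 13, 55, tzinfo=UTC).timestamp()
    atime = datetime(2009, 8, 12, 13, 56, tzinfo=UTC).timestamp()
    os.utime(path, (atime, mtime))
    return path


if __name__ == "__main__":
    timeline = build_timeline(
        badge_events(BADGE), logon_events(LOGONS),
        prefetch_events(PREFETCH, WKS_SKEW),
        file_events(stage_sample_file(), WKS_SKEW, atime_updates_enabled=False))
    for ev in timeline:
        flag = "" if ev.trusted else "  [untrusted]"
        print(f"{ev.when:%Y-%m-%d %H:%M:%S}Z  {ev.source:9} {ev.detail}{flag}")
```

Run it and the ordering David describes falls out: badge entry, domain logon about fifteen minutes later, the Limewire prefetch entry shortly after, then the file's modification time. The skew subtraction is the step most often skipped; without it the workstation's entries would sit four minutes later than they really occurred relative to the badge and DC records, which is enough to flip the order of closely spaced events. The untrusted flag is only a marker: it keeps an unreliable access time visible in the timeline without letting it carry weight in the narrative.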
Current thread:
- How much do timestamps matter? Grymoire (Aug 11)
- How much do timestamps matter? Dimitrios Kapsalis (Aug 11)
- How much do timestamps matter? Jim Halfpenny (Aug 12)
- How much do timestamps matter? David Kovar (Aug 12)
- How much do timestamps matter? Nicholas B. (Aug 12)
- How much do timestamps matter? Joel Folkerts (Aug 13)
- How much do timestamps matter? Ken Pryor (Aug 13)
- How much do timestamps matter? Adrian Crenshaw (Aug 14)
- How much do timestamps matter? Chris Merkel (Aug 14)
- How much do timestamps matter? David Kovar (Aug 12)