PaulDotCom mailing list archives

Forensic Timestamps Question


From: jake at nic.umass.edu (Jake Cunningham)
Date: Thu, 01 Oct 2009 08:42:00 -0400


That's an interesting one. I prefer to use the sleuthkit rather than
"ls" to analyze filetimes. Try installing sleuthkit and run the
following commands to get timestamp information.

For this example I'm making the assumption that your analysis system is
Linux, the disk you are analyzing is NTFS, it shows up as /dev/sdc1 on
your analysis station, and the native timezone of the files on the disk
is EST5EDT

# get the "inode" of the file
$ ls -i sdra64.exe
(for the sake of example, I made up a result of inode 4571362 used below)

# List the inode attributes (as root) using sleuthkit "istat"
$ istat -f ntfs -z EST5EDT /dev/sdc1 4571362 | less


The results of this command should display (among other things) the
following attributes.
Created:
File Modified:
MFT Modified:
Accessed:

Post the results of the istat command and we'll see what that says for
timestamps.

-Jake


Ben Greenfield wrote:
I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
I came across something kind of interesting that I didn't initially
notice, and I'm hoping that someone can confirm or blow away a thought
I just had.

Here is some backup information:
~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe

~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe

For argument's sake let's assume that the timestamps are accurate and
that the malware isn't modifying its creation timestamp (which I
wonder about because of 2009-02-09 and 2009-09-02 having numbers
swapped).  If I'm not mistaken the -0400 and -0500 refer to offset from
Greenwich Mean Time.  If that's the case, is it fair for me to assume
that -0500 indicates that the computer which created the malware was
configured with a different timezone than the one which was infected?

Thanks, I look forward to people with more experience than me saying
smart stuff now :)
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
* - - - - * - - - - * - - - - * - - - - * - - - -* - - - - *
 Jake Cunningham
 Lead Information Security Analyst
 University of Massachusetts
 Amherst, MA
 (413) 577-0890
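Added example (editor's note, not code from either poster): the two
`ls --full-time` lines quoted in the thread are parsed, converted to UTC,
and compared with the offset EST5EDT (Jake's assumed analysis-station
zone) would apply on each date. NTFS stores timestamps as UTC FILETIME
values (100 ns ticks since 1601-01-01), and GNU `ls` renders them in the
analysis host's local zone, so the printed -0500 / -0400 comes from the
analysis host and whether US daylight time was in effect on that date,
not from the zone configured on the machine that wrote the file. The
post-2007 US DST rule is hard-coded here so the script runs without tzdata;
the FILETIME helpers show what the on-disk value would be.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample input: the two lines quoted from Ben's ls output.
LS_LINES = [
    "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe",
    "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe",
]

# NTFS FILETIME epoch: 100 ns intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ls_full_time(line):
    """Parse one `ls -l --full-time` line into a timezone-aware datetime."""
    fields = line.split()
    date_s, time_s, off_s = fields[5], fields[6], fields[7]
    hms, _, frac = time_s.partition(".")
    naive = datetime.strptime(f"{date_s} {hms}", "%Y-%m-%d %H:%M:%S")
    sign = -1 if off_s[0] == "-" else 1
    offset = sign * timedelta(hours=int(off_s[1:3]), minutes=int(off_s[3:5]))
    # ls prints nanoseconds; datetime only carries microseconds.
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return naive.replace(microsecond=micros, tzinfo=timezone(offset))


def to_utc(dt):
    """Normalise an aware datetime to UTC (what NTFS actually stores)."""
    return dt.astimezone(timezone.utc)


def _nth_sunday(year, month, n):
    """UTC midnight of the n-th Sunday of the given month (weekday(): Sunday == 6)."""
    first = datetime(year, month, 1, tzinfo=timezone.utc)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def est5edt_offset(utc_dt):
    """UTC offset EST5EDT applies to a UTC instant under post-2007 US rules.

    Hard-coded assumption: DST runs from 02:00 EST on the second Sunday of
    March (07:00 UTC) to 02:00 EDT on the first Sunday of November (06:00 UTC).
    """
    start = _nth_sunday(utc_dt.year, 3, 2) + timedelta(hours=7)
    end = _nth_sunday(utc_dt.year, 11, 1) + timedelta(hours=6)
    return timedelta(hours=-4) if start <= utc_dt < end else timedelta(hours=-5)


def offset_explained_by_analysis_zone(line):
    """True if the offset ls printed is exactly what EST5EDT gives for that instant."""
    local = parse_ls_full_time(line)
    return local.utcoffset() == est5edt_offset(to_utc(local))


def utc_to_filetime(utc_dt):
    """Aware UTC datetime -> integer FILETIME (100 ns ticks), without float rounding."""
    td = to_utc(utc_dt) - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def filetime_to_utc(ft):
    """Integer FILETIME -> aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


if __name__ == "__main__":
    for line in LS_LINES:
        local = parse_ls_full_time(line)
        utc = to_utc(local)
        print(f"{local.isoformat()}  ->  UTC {utc.isoformat()}")
        print(f"  printed offset {local.utcoffset()}, EST5EDT offset on that date "
              f"{est5edt_offset(utc)}, match={offset_explained_by_analysis_zone(line)}")
        print(f"  on-disk FILETIME would be {utc_to_filetime(utc)}")
```

Both quoted lines come back `match=True`: -0500 in February and -0400 in
September are just EST versus EDT on the analysis station, so on this
evidence alone the offsets do not separate the author's machine from the
victim's. What the `istat` output adds is the untouched UTC values for all
four NTFS timestamps (including MFT Modified, which `ls` never shows), so
the comparison can be made without any local-zone rendering in the way.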

