Whose time is it anyway?

Video in TIB AV-Portal: Whose time is it anyway?

Formal Metadata

Whose time is it anyway?
Alternative Title
What Time Are You Anyway?
Title of Series
License
CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Michael Robinson - What Time Are You Anyway?
https://www.defcon.org/images/defcon-19/dc-19-presentations/Robinson/DEFCON-19-Robinson-Time.pdf

Computer forensic examiners rely heavily on timestamps during investigations. Timeline analysis is a critical technique in determining what happened and when. In 2005, timestomp.exe was released and this gave non-observant investigators a run for their money. Unfortunately, there are some gaps in what timestomp.exe will do. Observant investigators can identify timestomping and recover from that activity. Good timestomping requires knowing what time values need to get trashed, where these times are stored, AND what supporting artifacts need to be altered. This presentation examines several file systems and operating systems and identifies what needs to be tweaked in order to effectively hide one's tracks.

Michael Robinson has over 15 years of computer security experience and is currently a computer forensic examiner in the Washington, DC area, where he deals with e-discovery and intrusion analysis. For over four years he ran IT and IA operations for a Department of Defense agency. He teaches computer forensics at the graduate level at Stevenson University in Maryland. He earned two master's degrees - one in computer forensics and one in information security.

Welcome to this presentation on timestomping, which is going to be dubbed "Whose time is it anyway?" For those of us who are visiting from across the pond, please allow me to translate: this is the presentation on timestomping called "Whose time is it anyway?" It doesn't make the presentation any better to speak like this, it just makes you want to drink warm amounts of beer and do funny things to Kate Middleton.

So let's talk about timestomping for a few minutes. Timestomping is a critical thing for forensic analysts, because forensic analysts love building timelines. It's great: they can figure out what happened on the computer and they can reconstruct the events with a certain degree of accuracy, and that's nice. In order to hide that, some unscrupulous people, as they could be called, used to change certain time values. Now, they'd go and change the clock on the system, but doing that has a certain amount of problems. First, you need to have access to the system clock, or you have to have rights. The second thing is that newer versions of the operating systems are now recording these events in the system log files, so Windows 7 and Windows Vista now record event ID number one at level four to show the time was changed, and you'll notice at the bottom of the screen there it has old time and new time. So that's not really the best way that we're going to hide our activities or fun things.
What happened in 2005? There was a wonderful demonstration and exhibit of timestomp.exe, and that was since pulled into Metasploit, and that was great, people loved it. And now there's a GUI available you can download from SourceForge where you can change the four timestamps that are part of NTFS or the three timestamps that are used in FAT file systems. There are a number of other tools that are also out there, free for download or under trial versions, such as Attribute Magic. They go through and they change timestamps as well. A little problem with Attribute Magic, though: it only changes three of the four NTFS timestamps. It doesn't do the MFT timestamp, which is interesting.

So all these wonderful tools are out there to go timestomp, and it's fairly efficient, and if you're not paying attention, or if you're unscrupulous or, you know, a poor sap, well, you're going to miss what happened. But here's the rub: they don't work real well. They don't do a good job, all right? And the other thing is they usually only hit one file at a time. Now, if you think back five or six slides, what did I say forensic analysts like to do? They like to reconstruct a timeline, and when they build their timelines, they are built in context. They don't look at individual files; they look at what's happening on an entire machine, all right?

For example, there aren't four timestamps on NTFS systems, there are eight timestamps on NTFS systems, right? There are four timestamps under the standard information attribute, which we'll take a look at in just a second; it's identified by hex number 10, all right? Those are the ones that are picked up by forensic tools, and those are the ones that timestomp hits and Attribute Magic hits. There's another set of timestamps under attribute number 30, under file name, and those four match exactly what's in standard information. The problem is, when you stomp something or timestomp something, it doesn't modify these as well. So, oops, there's a seam in the story here. Now, what's supposed to happen on a Windows-based system is you modify files in standard information, and when you make another change, all of those records, those four data values, are supposed to swing over and change the file name attributes. That's if you've modified the system correctly, and sometimes when you use timestomping tools you're not going through the Windows API, so therefore Windows doesn't always update, so therefore we have things that aren't in sync. Let's take a look.
I have a hex editor here opened up in front of you. You'll see a nice blue box right up here: attribute ID number 10, attribute ID number 30. Count a specific number of bytes later and you'll see four timestamps, right? You'll see created, which is the first one. What's after created? We have last modified, we have MFT entry, and then the last one is last accessed. Don't forget, on Windows 7 based systems and on Vista, the last access timestamp is no longer forcibly updated; it is only updated when the file is modified or created, all right? But we have these, and these four timestamps here match. This is great; this is the way it's supposed to work. But if an examiner sees something that looks kind of funny, they're going to start digging. They're tenacious that way, and when they see obvious signs of timestomping they start sniffing around. Take a look at this timestomping that showed up right here. Anyone here see a problem with the timestomping that was done? I mean, oh yeah, there are no dates. That could be a problem, all right? The moment that starts happening, you have an examiner starting to sniff curiously in that area, all right?

But what about things that aren't zeroed? Let's take a look. This is a screen capture from EnCase. It grabbed four timestamps for this unknown.exe. You'll see created and accessed, last written, and entry modified, and you'll notice that the entry modified is off, not by a lot, but by a few minutes and a few seconds. If I take a look at those values directly in the MFT with a hex editor, I get the eight stamps that are shown on your screen right now. You'll notice they both have their created dates, they both have the last access, the last modified and the MFT entry, and the one that's pictured in gold, right, is the one that was off. So as an examiner, I'm going to go ahead and say, well, wait a second, that's off, let me look a little closer. And when you look a little closer, what do you notice about the leftmost bits? They're not off by a little, they're off by a lot. So I hate to do this to you, I'm going to back up in the presentation. What do you notice here? The creation date, the last accessed date and the last written date: are they all the same? They look the same to me. The problem is EnCase only goes down to the second. Timestamps, well, they go down to the nanosecond, so there are changes here. So clearly there's evidence of timestomping that's been done here, and through the Windows API, Windows Explorer, EnCase, FTK, you wouldn't notice it. You'd actually have to go down and look at it at the hex level, right?

Now, some really good timestomping has been done recently where people wind up grabbing the dates of the Windows install files and they apply them, they copy them. The problem is it's pretty easy to identify what files are part of the standard Windows installation and which ones aren't. This situation that you see on the screen is too good to be true: unknown.exe, the file creation date, the last written date and the last modified date match exactly what happened on this Windows installation. Hmm, funny, that last access date, you know, is the only one that's off.
So we've got to remember that files are not analyzed for timestamps individually; they are done in context, all right? Which means if we're going to be running executables on someone's system, well, we're going to start leaving a trail. Timestomping doesn't fix the trail, all right? We have problems with things like the MRU and we have problems with the Windows prefetch, all right? So let's talk about the Windows prefetch for just a second. Every time you launch an executable on a Windows based system, starting with XP, or Vista or 7, you have the Windows prefetch, or super boost or super prefetch, and that's great. But all of a sudden we notice that there's an extra file there. That file is going to have eight timestamps as well, right? So if we're going to run an executable on the system and we don't want someone to know about it, not only do we have to timestomp the executable itself and fix those eight timestamps, we've got to go timestomp the prefetch. Inside the prefetch, at offset hex 78, there is an embedded timestamp as well. Timestomp doesn't fix that. So if I'm going to go check, or an examiner is going to go check, or you're going to go check, to find out whether or not an executable has been run on a system: crack open a prefetch file with a hex editor, go down to offset 78 and take a look at the time/date stamp. Does that match the same time/date stamp that shows up for the file itself? Probably not, all right?

So a wise person told me when they were reviewing the presentation, I believe his comment was, quote, "screw that, I'm just going to delete the prefetch file completely." So you have an option: if you're going to run an executable you can either delete the prefetch, or you can go timestomping and go worry about the stuff inside it, right?

The Windows registry, that wonderful collection of files, and, mmm, anyway, there are embedded timestamps in there as well. So most recently opened files, hey, they're all sitting in the Windows registry. So if you've opened a file, if you decide to snoop on someone and you didn't mean to, or you wanted to, and you're trying to cover your tracks, don't forget you've got to worry about what's inside the registry. Not fixed by timestomp, all right? The Windows registry also records whether or not applications were run, and sometimes there are timestamps there as well. Also not fixed by timestomp, all right? Now, a lot of the registry entries are stored in ROT13, which obscures what happens, which means reading them is a problem. Data files, now, they have timestamps as well, all right? So we've got a problem. We've been running into a system, or taking a look at it, we pulled out our utility timestomp, or we broke out Metasploit, we're timestomping all over the place, and well, now we've got to worry about what's inside the file.

So what happens when we create or open a file? Well, there aren't four timestamps, there aren't eight timestamps, there are 33 timestamps. Holy Hannah, that's a lot to go face. So whenever we open or create a file on a Windows based system, the file itself is going to have eight stamps, right? Four in standard information, four in file name. The shortcut that gets caught in the My Recent Documents, well, that's going to have eight timestamps. If it's an Office file, you decide to snoop and go open something that belonged to your boss, your coworker, your friend, your spouse, your neighbor, your pets, whatever, if that's an Office file, that's going to have timestamps. Oh yeah, then there's going to be registry entries, and yeah, don't forget about the prefetch, that's going to have nine timestamps. So now we have to worry about 33 timestamps. Wow. Adobe Acrobat, oh yeah, that stores its most recent documents and files that are opened inside the registry as well, so you'll have to fix what's happening with the registry being read, all right?
So let's take a quick look at something. We have an Excel spreadsheet. It was created on July 31st, 2011 at about 8:52 in the evening, working late, working on spreadsheet accounting files. I timestomp it because I don't want someone to always be looking at it. When's the last time you opened up an Office file using an XML editor? Oops, hey, wait, look at that right there: created 2011-7-30. Does that timestamp match the one that's in the MFT? No, probably not. So great, now I've got to go fix something else, all right?

And this is something we talked about previously: there's a certain degree of granularity, right? Timestamps on Windows based systems are stored in 64-bit values, right? Those 64-bit values cover time that's elapsed since January 1, 1601 in 100 nanosecond increments. Timestomp.exe, Attribute Magic and other tools that you can download from the net only go down to the nearest second. Well, if they only go down to the nearest second and I break open the hex editor, I'm going to notice that someone did timestomping. So what would be better than actually timestomping it? It would be copying the value, the whole 64-bit value, from another file. Take a look at the file right here, right? What do you notice about the stuff that's highlighted in red? Do they all match like they're supposed to? Now, what happened to the leftmost bits? Yeah, they're off. Someone timestomped. You wouldn't notice this looking at it through a forensic tool; you'd only notice it through a hex editor. You can compare the values that you see here on the screen for the created stamp rounded to the nearest second. Don't forget, we're going to be reading from right to left, right?
What about malware that shows up on a machine? You know those unscrupulous malware developers, pushing out their code, trying to steal your data, how dare they, and they drop an executable on your box. So what happens if you crack that open? Well, here's the same unknown.exe that I showed you earlier, and you'll notice that the signature at the top has that trusty 4D 5A, the MZ, and I can move over to the start of the PE header pointer, all the way down to the E0, and I can jump all the way down to the E0, and then I get my file signature for my PE header, and then I move over a certain number of bytes and hey, look, there's another timestamp: the date the exe was compiled, embedded right there in any executable. Now, that's not the date that it was run. However, what happens if the compiled date is later than the timestamp date? Something's going to be off and someone's going to start looking. That's great.

And then there's the issue of external media. God, we have a bunch of wonderful people in my office, they always secure their machine with their name and password whenever they get up and they walk away, and I worked for a place, you know, a few jobs back, where they never did that. So, you know, it's amazing what people would run around and do, and take flash drives and put them everywhere. But what about the timestamping on external media? Flash drives, you know, by default use FAT32 because they're compatible and they can move across different file systems. Well, they don't store time in the same way that NTFS does. Here there's a certain number of bits in the root directory, only stored in one location, not two, where it breaks down time. You'll notice that the first set of bits only handles stuff in 10 millisecond increments. We don't have to worry about nanoseconds. You'll notice that the next two bytes handle the creation time down to the hour, minute, second. Then we have a creation date and we have a last access date, and the last two bytes go all the way up to the last modified time. So we can timestomp that with any of our tools, but is it worth it?

If I take a file and I run over to someone's computer, plug my thumb drive in and I copy the file over directly from mine to theirs, what happens with the timestamps? Well, the moment I copy the file over, that new instance of the file, whether I've copied it or moved it, is going to give me a new creation date, the date on which I copied the file. The last access date will be the date I copied the file over. The MFT entry will be the date I moved the file over. But what happens with the last modified timestamp? Oops. Now, don't forget, some people might sit there and say, well, yeah, it's not really worth it, no one's going to really know. Hey, the last modified timestamp is kind of like a fingerprint. Remember, it goes all the way down to the 100 nanosecond level, and what are the odds of two files having the exact same last modified date? Pretty thin, right? So you'll want to stomp that too, right?

So what's the bottom line to all this? It's damn near impossible to timestomp things effectively with the tools that are out there; it just doesn't work, all right? And since it doesn't work, you know, if someone is going to do something that they shouldn't, not that I would ever advocate that, the idea is to timestomp enough, to get rid of enough data, to get rid of the prefetch, to hide enough keys so someone doesn't go looking at things with a hex editor, because, you know, it's a trade-off. For the forensic examiner that's work for them, that's extra effort. They're not going to go down that path unless they have a reason to do that. If you want a copy of this presentation, send me an email to that address, give me the presentation at gmail dot com. I have lots of time left for questions. Any questions?
No? That's it? Yeah, HFS+. You know, I'm not the greatest Mac expert and I'll be the first to admit it, so how does this work on Mac? Most of it is stored in inodes, and the timestamps, I know it's trees people look in there. Yeah, it doesn't get easier, because it's not stored in the same spot; it stores it in different inodes. He wants to know how well this same process works on ext. The question before was how well does it work on HFS+, and the idea is not as well, and it's pretty hard to go in and manually manipulate the inode files. [unintelligible] the tools that are out there to go analyze. The question was how well can someone efficiently analyze timestamps to see if something's been rounded to the second or not. There are some EnScripts out there to go out and compare the timestamps that will go down and check to determine whether or not something has been modified. So there you have it. Thanks very much, have a great time.
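The two NTFS checks the talk describes, as an added Python example that is not part of the original presentation: decoding 64-bit FILETIME values (100 ns ticks since 1601-01-01), reading the four timestamps from $STANDARD_INFORMATION (type 0x10) and $FILE_NAME (type 0x30), and flagging both whole-second values and disagreement between the two attributes. The attribute bodies and the parent-directory reference are constructed inline for the example, not taken from a real MFT.

```python
"""Detect timestomping indicators in NTFS $MFT attribute data (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Order of the four FILETIMEs in both $STANDARD_INFORMATION and $FILE_NAME.
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to an aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Inverse conversion; extra_ticks (0-9) supplies the sub-microsecond part."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10 + extra_ticks


def parse_timestamps(body: bytes, offset: int) -> dict:
    """Read the four little-endian FILETIMEs of an attribute body.

    $STANDARD_INFORMATION (type 0x10) keeps them at offset 0; $FILE_NAME
    (type 0x30) keeps them at offset 8, after the parent directory reference.
    """
    return dict(zip(FIELDS, struct.unpack_from("<4Q", body, offset)))


def find_timestomp_indicators(si: dict, fn: dict) -> list:
    """Return the indicators the talk describes, one string per finding.

    1. Whole-second FILETIME: tools that only accept a date and time to the
       second leave the 100 ns fraction at zero; normal writes do not.
    2. $STANDARD_INFORMATION disagrees with $FILE_NAME: tools that bypass the
       Windows API rewrite only the attribute that forensic tools display.
    """
    indicators = []
    for name in FIELDS:
        if si[name] % TICKS_PER_SECOND == 0:
            indicators.append(f"{name}: whole-second value in $STANDARD_INFORMATION")
        if si[name] != fn[name]:
            indicators.append(
                f"{name}: $STANDARD_INFORMATION {filetime_to_datetime(si[name])}"
                f" != $FILE_NAME {filetime_to_datetime(fn[name])}")
    return indicators


def build_sample() -> tuple:
    """Constructed sample, not a real MFT: $FILE_NAME keeps the genuine times
    (sub-second fraction intact) while $STANDARD_INFORMATION was set to a
    whole-second value by a timestomping tool."""
    genuine = datetime_to_filetime(
        datetime(2011, 7, 31, 20, 52, 13, 417_882, tzinfo=timezone.utc), 6)
    genuine_times = [genuine + i * 5 * TICKS_PER_SECOND for i in range(4)]
    parent_ref = 0x0005_0000_0000_0005  # placeholder parent directory reference
    fn_body = struct.pack("<Q4Q", parent_ref, *genuine_times)
    stomped = datetime_to_filetime(datetime(2011, 7, 30, 12, 0, 0, tzinfo=timezone.utc))
    si_body = struct.pack("<4Q", stomped, stomped, stomped, stomped)
    return si_body, fn_body


def analyze(si_body: bytes, fn_body: bytes) -> list:
    """Run both checks over raw attribute bodies."""
    return find_timestomp_indicators(
        parse_timestamps(si_body, 0), parse_timestamps(fn_body, 8))


if __name__ == "__main__":
    for finding in analyze(*build_sample()):
        print(finding)
```

Running it against the constructed sample reports eight findings: each of the four fields is both a whole-second value and out of step with $FILE_NAME, which is exactly the pattern an examiner sees in the hex editor but not in a tool that rounds to the second.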