Bruce Nikkel timelines.pdf
File details

| Flashcards | 11 |
|---|---|
| Language | English |
| Category | Computer science |
| Level | University |
| Created / Updated | 20.06.2019 / 01.07.2020 |
| License | Not specified |
| Web link | https://card2brain.ch/box/20190620_bruce_nikkel_timelines_pdf |
Why are timelines important in digital forensics, and what are they used for?
Timelines are used for:
- digital archaeology
- reconstruction of past events
- answering the questions Who, What, Where, When and How
- understanding exactly what happened
What is the problem with timestamps, and what can be done about it?
There are many different timestamps available, which is very useful,
- but their accuracy is not always perfect.
What can be done about this:
- correlating with multiple other sources helps
What are the typical timestamps on a filesystem?
MACB
- Modify - last time the contents of a file were modified
- Access - last time the contents of a file were accessed (read)
- Change - last time the file's metadata (inode or MFT entry) was changed
- Birth - time the file was originally created
[MFT = Master File Table, the NTFS metadata structure; on POSIX filesystems the equivalent is the inode]
What variations in timestamps can there be depending on the OS?
- Not all filesystems have a creation (birth) timestamp (it is not part of the POSIX standard)
- Some filesystems have additional timestamps (HFS has a Backup timestamp)
- OSes can disable last-accessed timestamp updates (Linux noatime/relatime mount options, Windows NtfsDisableLastAccessUpdate registry value)
How can you build a timeline of a filesystem?
Sleuthkit's mactime tool
- creates a text-based timeline, one line per timestamp
- takes the "time machine" (body file) format as input
[bonus: some commands]
Other Sleuthkit commands generate "time machine" (body file) output; the -m argument is a mount-point prefix that is prepended to every path, so entries from different filesystems stay distinguishable in a merged timeline:
- fls -m partition1 /dev/sda1
- fls -m partition2 /dev/sda2
- fls -m disk2 /dev/sdb1
- ils -m /dev/sda1
Piping into mactime creates a timeline file for analysis:
- the -d flag makes comma-delimited (CSV) output
- the -r flag makes fls recurse into subdirectories
- fls -r -m partition1 /dev/sda1 | mactime -d
- fls -r -m partition1 -o 2048 image.dd | mactime -d   (-o is the partition's sector offset inside the image, as reported by mmls)
- cat fls1.out fls2.out fls3.out | mactime -d
fls output from multiple filesystems can be combined in one single timeline.
What are some of the challenges when dealing with timestamps?
- clock drift and skew -> timestamps can be inaccurate
- OS delays (non-realtime) -> a timestamp may be written later than the event it records
- granularity -> which file came before which may not be clear (FAT, for example, stores last-written times with only 2-second resolution)
- which timezone is the timestamp from -> a problem in global investigations spanning multiple timezones (FAT stores local time, whereas NTFS and most Unix filesystems store UTC)
- summer/winter time (DST) -> regions switch at different times
- malicious changing of timestamps (anti-forensics, e.g. the timestomp tool)
Sleuthkit has flags to adjust for these: mactime -z sets the time zone used for output, and fls -s / ils -s apply a clock-skew correction in seconds.
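The mactime pipeline from the previous card and the time-zone and clock-skew adjustments from this one, as an added worked example that is not from the cards or from Sleuthkit: a small Python re-implementation of what mactime does with body-file input (the format fls -m and ils -m emit, MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), so the grouping of equal timestamps into the MACB column, the time-zone conversion and the skew correction can be run offline without TSK installed. The sample body lines are constructed; the skew sign convention (positive means the source clock ran ahead, so it is subtracted) and the fixed UTC-offset argument used in place of mactime's -z zone name are assumptions of this example.

```python
"""mactime-style timeline builder (added example, not Sleuthkit code).

Reads TSK 3.x body-file lines, emits one row per distinct timestamp of
each file with an MACB column, sorted by time, like `mactime -d`.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample body-file lines (not a real capture): two partitions
# merged the same way `cat fls1.out fls2.out | mactime` would merge them.
# Fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|partition1/etc/passwd|1234|r/rrw-r--r--|0|0|2048|1561000000|1560990000|1560990000|1560980000
0|partition1/tmp/dropper.sh|1357|r/rrwxr-xr-x|1000|1000|512|1561001000|1561001000|1561001000|1561001000
0|partition2/home/bob/notes.txt|88|r/rrw-r--r--|1000|1000|33|1561002000|1561002000|1561002000|1561002000
"""

# Body-file field positions (TSK 3.x layout).
F_NAME, F_META, F_MODE, F_UID, F_GID, F_SIZE = 1, 2, 3, 4, 5, 6
F_ATIME, F_MTIME, F_CTIME, F_CRTIME = 7, 8, 9, 10


def parse_body(text):
    """Parse body-file lines into dicts; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split("|")
        if len(fields) != 11:
            continue
        try:
            times = {"m": int(fields[F_MTIME]), "a": int(fields[F_ATIME]),
                     "c": int(fields[F_CTIME]), "b": int(fields[F_CRTIME])}
        except ValueError:
            continue
        entries.append({"name": fields[F_NAME], "meta": fields[F_META],
                        "mode": fields[F_MODE], "uid": fields[F_UID],
                        "gid": fields[F_GID], "size": fields[F_SIZE],
                        "times": times})
    return entries


def macb_flags(letters):
    """Render a set of timestamp letters in the fixed 'macb' column, e.g. 'm.c.'."""
    return "".join(ch if ch in letters else "." for ch in "macb")


def build_timeline(body_text, utc_offset_hours=0, skew_seconds=0):
    """Return rows sorted by time, one per (file, distinct timestamp value).

    utc_offset_hours: fixed offset for display (simplification of mactime -z).
    skew_seconds: assumed convention: seconds the source clock ran ahead of
    real time, subtracted from every recorded value before display.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    rows = []
    for e in parse_body(body_text):
        by_value = defaultdict(set)          # timestamp value -> {m,a,c,b}
        for letter, ts in e["times"].items():
            if ts > 0:                        # 0 means "no timestamp" in body files
                by_value[ts].add(letter)
        for ts, letters in by_value.items():
            corrected = ts - skew_seconds
            when = datetime.fromtimestamp(corrected, tz)
            rows.append({"epoch": corrected,
                         "date": when.strftime("%a %b %d %Y %H:%M:%S"),
                         "size": e["size"], "type": macb_flags(letters),
                         "mode": e["mode"], "uid": e["uid"], "gid": e["gid"],
                         "meta": e["meta"], "name": e["name"]})
    rows.sort(key=lambda r: (r["epoch"], r["name"], r["type"]))
    return rows


def to_csv(rows):
    """Comma-separated text with the same columns mactime -d prints."""
    out = ["Date,Size,Type,Mode,UID,GID,Meta,File Name"]
    for r in rows:
        out.append(",".join([r["date"], r["size"], r["type"], r["mode"],
                             r["uid"], r["gid"], r["meta"], r["name"]]))
    return "\n".join(out)


if __name__ == "__main__":
    # Display in UTC+2 with no skew correction, then the same data shifted
    # back one hour because the source clock is assumed to have run fast.
    print(to_csv(build_timeline(SAMPLE_BODY, utc_offset_hours=2)))
    print(to_csv(build_timeline(SAMPLE_BODY, skew_seconds=3600)))
```

Running it shows why the -z and -s style corrections matter: the same five rows keep their order, but every displayed date moves with the offset, and the skew changes the epoch value itself, which is what you want when correlating against logs from a host whose clock was right.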
Why should you never completely trust a timestamp?
There is always a possibility of errors and anti-forensic activity.