Bruce Nikkel timelines.pdf


File Details

Flashcards 11
Language English
Category Computer Science
Level University
Created / Updated 20.06.2019 / 01.07.2020
License Not specified
Web link
https://card2brain.ch/box/20190620_bruce_nikkel_timelines_pdf

Why are timelines important in digital forensics and why are timelines used?

Timelines are used for:

  • digital archaeology
  • reconstruction of past events
  • to answer the questions: Who, What, Where, When, How
  • to understand exactly what happened

What is the problem with timestamps, and what can be done about it?

We have a lot of different timestamps, which is very useful

  • but accuracy is not always perfect

What can be done about this:

  • correlation with multiple other sources helps

What is the "correct" way to write numeric dates?

YYYY-MM-DD

What are the typical timestamps on a filesystem?

MACB

  • Modify - last time the contents of a file were modified
  • Access - last time the contents of a file were accessed
  • Change - last time the attributes (inode or MFT) were changed
  • Birth - time the file was originally created

[MFT = managed file transfer]


What variations in time stamps can there be depending on the OS?

  • Not all filesystems have a creation timestamp (not POSIX standard)
  • Some filesystems have additional timestamps (HFS has a Backup timestamp)
  • OSes can disable last-accessed timestamps (Linux mount option, Windows registry key)

How can you build a timeline of a filesystem?

Sleuthkit's mactime tool

  • creates a text based timeline, one line per timestamp
  • takes "time machine" format as input

[bonus: some commands]

Other Sleuthkit commands generate "time machine" output:

  • fls -m partition1 /dev/sda1
  • fls -m partition2 /dev/sda2
  • fls -m disk2 /dev/sdb1
  • ils -m /dev/sda1

Piping into mactime creates timeline file for analysis:

  • flag -d makes CSV output
  • fls -r -m partition1 /dev/sda1 | mactime -d
  • fls -r -m partition1 -o 2048 image.dd | mactime -d
  • cat fls1.out fls2.out fls3.out | mactime -d

fls output from multiple filesystems can be combined into one single timeline.

What are some of the challenges when dealing with timestamps?

  • clock drift, skew -> timestamps can be inaccurate
  • OS delays (non-realtime)
  • granularity -> which file came before which may not be clear
  • which timezone is the timestamp from -> a problem in global investigations spanning multiple timezones
  • summer/winter time (regions switch at different times)
  • malicious changing of timestamps (anti-forensics, timestomp)

Sleuthkit has flags that can be used to adjust the time or the time zone.

Why should you never completely trust a timestamp?

There is always a possibility of errors and anti-forensic activity.