Flashcards

Flashcards: 11
Students: 0
Language: English
Level: University
Created / Updated: 20.06.2019 / 20.06.2019
Licencing: Not defined
Answer types: 0 exact answers, 11 text answers, 0 multiple-choice answers

Why are timelines important in digital forensics and why are timelines used?

Timelines are used for:

  • digital archaeology
  • reconstruction of past events
  • answering the questions: Who, What, Where, When, How
  • understanding exactly what happened

What is the problem with timestamps, and what can be done about it?

We have a lot of different timestamps, which is very useful

  • but accuracy is not always perfect

What can be done about this:

  • correlation with multiple other sources helps

What is the "correct" way to write numeric dates?

YYYY-MM-DD


What are the typical timestamps on a filesystem?

MACB

  • Modify - last time the contents of a file were modified
  • Access - last time the contents of a file were accessed
  • Change - last time the attributes (inode or MFT entry) were changed
  • Birth - time the file was originally created

[MFT = managed file transfer]

What variations in time stamps can there be depending on the OS?

  • Not all filesystems have a creation timestamp (not POSIX standard)
  • Some filesystems have additional timestamps (HFS has a Backup timestamp)
  • OSes can disable last-accessed timestamps (Linux mount option, Windows registry key)

How can you build a timeline of a filesystem?

Sleuthkit's mactime tool

  • creates a text based timeline, one line per timestamp
  • takes "time machine" format as input

[bonus: some commands]

Other Sleuthkit commands generate "time machine" output:

  • fls -m partition1 /dev/sda1
  • fls -m partition2 /dev/sda2
  • fls -m disk2 /dev/sdb1
  • ils -m /dev/sda1

Piping into mactime creates timeline file for analysis:

  • the -d flag produces CSV (comma-delimited) output
  • fls -r -m partition1 /dev/sda1 | mactime -d
  • fls -r -m partition1 -o 2048 image.dd | mactime -d
  • cat fls1.out fls2.out fls3.out | mactime -d

fls output from multiple filesystems can be combined into one single timeline.

What are some of the challenges when dealing with timestamps?

  • clock drift and skew -> timestamps can be inaccurate
  • OS delays (non-realtime)
  • granularity -> which file came before which may not be clear
  • which time zone is the timestamp from -> a problem in global investigations spanning multiple time zones
  • summer/winter time (regions switch at different times)
  • malicious changing of timestamps (anti-forensics, timestomping)

Sleuthkit has flags that can be used to adjust the time or the time zone.

Why should you never completely trust a timestamp?

There is always a possibility of errors and anti-forensic activity.