
Module 2 Timelines and Such


Presentation Transcript


  1. Module 2 Timelines and Such
     Highline Community College, Seattle University, University of Washington, in conjunction with the National Science Foundation

  2. MACTimes
     • Who, what, when, where and how?
     • When may be more important than what
     • atime, mtime, ctime, dtime, last
     • ChangeTime, CreationTime, LastAccessTime, LastWriteTime
     • Historical times may not be available except on backups, journaling file systems, etc.

  3. Viewing items
     • ls –l
     • TCT’s mactime tool
     • Uses the lstat() system call
     • Windows has third party tools
     • Explorer: right mouse click and use all tabs

  4. Issues with MACTimes
     • GUI based tools can change the atime
     • Importance of using a forensic tool on an image that cannot be altered
     • Opening a directory can change the access time; be sure to use lstat()
     • Hashes must be done after an lstat()

  5. Issues with MACTimes (cont’d)
     • Do not show history
     • MACTimes degrade with time
     • OOV
     • Easily forged
       • touch command
       • utime() on both UNIX and NTFS
       • NT has the SetFileTime() call to change all three
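Slides 3 to 5 describe the collection procedure (read times with lstat(), hash only afterwards, build a mactime-style timeline) and the forgery problem (touch/utime() rewrite atime and mtime). The script below is an added illustration, not part of the course material or of TCT; it assumes a Linux/Unix host where the kernel sets ctime itself, so a utime() backdate leaves mtime well before ctime, which the timeline exposes.

```python
import hashlib
import os
import stat


def lstat_entry(path):
    """Capture MAC times with lstat(): no content read, so atime is untouched, and symlinks are not followed."""
    st = os.lstat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,  # inode change time on Unix; Windows reports creation time here
    }


def sha256_after_lstat(path):
    """Hash the content only after lstat() has recorded the times: reading the file may update atime."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_timeline(paths):
    """Flatten entries into (timestamp, 'mac' flags, path) rows ordered by time, in the spirit of mactime."""
    rows = []
    for p in paths:
        e = lstat_entry(p)
        by_time = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            by_time.setdefault(int(e[key]), set()).add(flag)
        for t, flags in by_time.items():
            rows.append((t, "".join(f if f in flags else "." for f in "mac"), p))
    rows.sort()
    return rows


def mtime_predates_ctime(entry, slack=2.0):
    """Weak backdating indicator: utime()/touch set atime and mtime, but ctime is stamped by the
    kernel at call time, so a backdated file shows mtime well before ctime. Legitimate chmod/chown
    or rename also moves ctime alone, so treat a hit as a lead to corroborate, not as proof."""
    return entry["ctime"] - entry["mtime"] > slack
```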

  6. Looking for Things
     • Unusual port numbers being accessed
     • An ftp port being used for a long time
     • What other systems did this person access?

  7. Where to Look
     • Kernel and processor memory
     • Unallocated disk space
     • Deleted files
     • Swap files
     • Peripherals and other items that may have fragments of information

  8. OnLine
     • Bind – DNS daemon
     • DNS records
       • PTR – maps an IP address to a host name
       • A – address records, computer name to IP number
       • MX – mail exchange, tells where to send the mail
       • TTL – time to live; by comparing Bind’s remaining time for a cached record with the record’s real TTL, you can determine when the request was sent.

  9. Problems with Time
     • Synchronization
     • Power – battery or power failure
     • Accuracy, drift
     • Time zones
     • Moving a computer to another time zone
     • Intruders altering time or resetting clocks
