1 / 7

MAC times

MAC times. MAC Times. Modification ( mtime ) When the file contents were CHANGED Change = addition or deletion or change of any single BYTE/Character… even if it doesn’t change to meaning of a file

ena
Download Presentation

MAC times

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MAC times

  2. MAC Times • Modification (mtime) • When the file contents were CHANGED • Change = addition or deletion or change of any single BYTE/Character… even if it doesn’t change to meaning of a file • For example: adding a single extra space to a term paper, it still reads the same, however has been altered • Access (atime) • The time the file was last “touched”, even if not changed • Creation (ctime) • The timestamp of a file’s creation on a “volume” (disk)

  3. Timestamps • Operating system dependent • Ex: • Windows bases a timestamp on elapsed time since • Jan 01, 1601 Midnight • Time elapsed in nanoseconds (billionths of a second) • MACs timestamps require a different “algorithm” (formula) for conversion to calendar date/time

  4. Granularity • Refers to the “precision” of our time • how small a window of time (day/hour/minute/second) • Dependent on Operating System • Dependent on File System • Windows XP • Can use NTFS file system to record files on the disk • Can us FAT32 to record files on the disk • FAT32 typically used for removable media, such as USB or Flash Cards (such as in cameras) • Forensic software (or the analyst) needs to know the systems involved in order to interpret the time properly • Atime can be precise to the *date*, but perhaps not a time of day • Ctime can note the actual time and date down to 2/100’s of a second (depending on Operating System)

  5. Discrepancies • File’s ctime occurs *after* the atime or mtime • Possible if: • Somebody played with the timestamps • The file was moved/copied to another “volume” (disk) • It’s “created” on that new disk at that date/time, but OS and File System might retain the original atime and mtime • Windows Vista • Default indicates that the update of the atime is turned off by default • Not necessarily intentional on the part of the user to hide the time details!

  6. Discrepancies • Examination of the contents of a file might indicate that the file was not created or modified when the timestamp claims it was • Content of the document list a date or time indicating a creation prior to the “external” time • Might indicate an effort to hide or “forge” the time of a file • Is the date or time inside the file itself a result of the user’s effort (he or she typed it), or did the software package being used insert it? • Remember: • Timestamps are based on the computer’s system time • If the system time if “off”, the file timestamps will also be “off” in relation to real time • Do timezone differences come into play? • Do we need to consider Daylight Savings Time? • Not for the CSI Challenge!!!

  7. CSI Challenge • The assumption is that any obvious time discrepancy is an effort on the part of a investigation’s subject to hide or obfuscate details • NOTE: • You will receive a note in your packet (along with the investigator’s CD) which outlines how you should view times in terms of evaluating your investigation • For example, you might be directed to specifically ignore certain timestamps only • Do not ignore, unless specifically directed to do so!!!

More Related