Posted: Wed Feb 21, 2018 4:58 am Post subject: timeline analysis
Hello team, got a log that shows a file was accessed in a folder before the actual folder was created. It appears svchost.exe was accessed before folder dllhost was created. Can someone explain what is happening here?
Rule No. 2:
When M time is before C time, the file has been
copied from one system into the same/another system or moved
from one partition to another partition.
From: The Rules of Time on NTFS File System, K.P. Chow, Frank Y.W. Law, Michael Y.K. Kwan, K.Y. Lai
Can be found at i.cs.hku.hk/cisc/forensics/papers/RuleOfTime.pdf (a bit old now)
[Please note that the doc uses (c)reation and not (b)irth. They have only "mac" time]
Well you have "a" and not "m", but the principle is clear. It was modified/accessed before the file was created. So how can that be?
If you have a look at the SANS poster Digital-Forensics-and-Incident-Response-Poster-2012.pdf (p2, google), you see how the timeline changes if a file is copied or moved. But you never see the "a" or "b" time before the "c" time.
All that does not apply 100% to your case. So I would say the file was in a zipped archive and was unzipped.
To prove that, I created a directory new1 and a file a.txt in it. After waiting some seconds I zipped (7z) the whole directory. After waiting again, I unzipped the new1.7z.
Now I got a new1 directory with an a.txt whose "a" time is older than its "b" and/or "m" time.
Conclusion: If an "a" or "m" time is before the file was created, it could be that a directory was zipped and unzipped.
Of course, anti-forensics (such as timestomp) can change the mac times any way you like, too.
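The check the reply applies by hand (an "a" or "m" time earlier than the "b" time, or a file whose timestamps predate the folder it sits in) is easy to run over a whole timeline. The script below is an added example, not code from the thread; it assumes the input is in Sleuth Kit bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds) as mactime consumes it, and the sample records are constructed to mirror the new1/a.txt experiment plus one clean control directory.

```python
"""Timeline sanity check: flag files whose access or modify time precedes
their own creation (birth) time, or the creation time of their parent folder.

Added example, not from the original thread. Input layout assumed to be
Sleuth Kit bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
with all four timestamps as epoch seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Entry:
    path: str
    atime: int   # last access ("a")
    mtime: int   # last content modification ("m")
    ctime: int   # $MFT entry modified ("c")
    crtime: int  # NTFS birth / creation ("b")


# Constructed sample, modelled on the 7z experiment in the reply:
# new1/a.txt was extracted from an archive, so its "a" and "m" times are
# older than its "b" time and older than the folder it now lives in.
# ok/readme.txt is a control that was created and edited in place.
SAMPLE_BODYFILE = """\
0|C:/Users/bob/new1|100|d/drwxrwxrwx|0|0|0|1519180000|1519180000|1519180000|1519180000
0|C:/Users/bob/new1/a.txt|101|r/rrwxrwxrwx|0|0|12|1519179500|1519179400|1519180000|1519180000
0|C:/Users/bob/ok/readme.txt|103|r/rrwxrwxrwx|0|0|5|1519180600|1519180550|1519180500|1519180500
0|C:/Users/bob/ok|102|d/drwxrwxrwx|0|0|0|1519180500|1519180500|1519180500|1519180500
"""


def parse_bodyfile(text: str) -> Dict[str, Entry]:
    """Index bodyfile records by path so parent lookups work in any line order."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        path = fields[1]
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        entries[path] = Entry(path, atime, mtime, ctime, crtime)
    return entries


def find_anomalies(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for every 'time before creation' violation.

    Rule No. 2 from the paper quoted above covers "m" before "b"; the reply
    extends it to "a" before "b" (archive extraction). The parent-folder test
    is what the original question describes: a file touched before the folder
    it lives in existed.
    """
    findings: List[Tuple[str, str]] = []
    for path, e in entries.items():
        if e.atime < e.crtime:
            findings.append((path, "accessed before created"))
        if e.mtime < e.crtime:
            findings.append((path, "modified before created"))
        parent = path.rsplit("/", 1)[0]
        p = entries.get(parent)
        if p is not None and min(e.atime, e.mtime, e.crtime) < p.crtime:
            findings.append((path, f"timestamp predates creation of parent {parent}"))
    return findings


if __name__ == "__main__":
    for path, reason in find_anomalies(parse_bodyfile(SAMPLE_BODYFILE)):
        print(f"{path}: {reason}")
```

The check only tells you that the timestamps are inconsistent with in-place creation; it cannot by itself distinguish archive extraction from a copy or move across partitions or from deliberate timestomping, so each hit still needs the $MFT $STANDARD_INFORMATION versus $FILE_NAME comparison or other corroborating artefacts before you draw a conclusion.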