Time stamps


putergeek

New Member
Sep 1, 2008
105
0
#1
Scenario:

Computer shows correct date/time (8/10/08) on scene, BIOS shows correct date/time in the lab.... once imaged it shows no activity from 4/3/08 to present. There were people on the computer when we showed up to seize it, so we know there was activity. Any ideas?
 

Complete

Administrator
Aug 19, 2006
861
0
#3
Daylight savings? :p

Are you talking about access times or modified and created as well? Maybe they turned off access time updates?
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
Value Name: NtfsDisableLastAccessUpdate
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable, 1 = enable)
 

putergeek

New Member
Sep 1, 2008
105
0
#4
We seized it then... there was no CD in there, but good thought.

It's weird after doing some examining... the registry shows the shutdown date as 4/03 when we seized it and shut it down on 8/8. It looks like all the time stamps are just wrong, but why would it show the right time in BIOS??
 

Complete

Administrator
Aug 19, 2006
861
0
#7
I like the Live CD theory. I know some Linux CDs will run entirely in memory and the CD can be removed from the drive after it's loaded. I haven't used WinPE for a while, but will it run entirely in memory as well? Was the system possibly booted from a USB drive?

And I think Vista only disabled the last access time. Modified and created will still get updated. This is certainly an interesting case.

BTW, daylight savings was my joking way of saying, I dunno. I often see that as one of the first answers for any timestamp questions. :)
 

putergeek

New Member
Sep 1, 2008
105
0
#8
I like the Live CD theory too, but I don't think it's going to be that in this case. The evidence that we are looking for is there; it occurred the day before we seized it... we seized it on 8/8, but all the date stamps are saying 4/3, which is the last date showing on the system. It's just weird how BIOS had the correct date.
 
Sep 9, 2008
9
0
#9
Vista does not update last access by default; all others are updated as they should be.

What are you using for your exam (ie EnCase or FTK)? What OS are you running on your exam machine? What time zone is your OS set to and what time zone is your forensic software set to?

What OS/OS's are you looking at?

What type of case is it (CP, Fraud)?

Did you perform a soft shutdown or pull the plug?
 

putergeek

New Member
Sep 1, 2008
105
0
#10
I am doing the examination with EnCase on a Windows XP Pro OS.

Both are set to Eastern Standard Time.

The suspect computer had a Windows XP Home OS.

It's a robbery case.

We pulled the plug from the back.
 

4n6art

New Member
Jun 27, 2008
201
0
#11
How about programs like SteadyState and DeepFreeze, which are used to clean machines upon reboot?

Do a search for those programs - SteadyState is a Micro$oft program and is free. Once set up, it will let you do whatever you want on the OS, and when the machine is rebooted it returns to the previously stored setup - including (I BELIEVE) the last shutdown and startup dates before the "state" was saved.

As Unlogicated asked - did you perform a proper shutdown or pull the plug? If you performed a proper shutdown, you may not get much in the registry - if one of those programs is running. A plug-pull may yield some dates/times that may help.

Also, check unallocated or browser cache for html pages with date/timestamps.

Finally, clone the drive to a forensically wiped target drive and put it into the machine and boot it up and see what you see - it may give you an idea where to start on your analysis.

Good luck.

-=ART=-
 
Sep 29, 2008
123
0
#12
I recently analysed a computer that had been running Steady State for several months. (I put it on there for a client.)

Steady State does a great job of removing all evidence from the date you install it.

If that was running on the PC, you are going to have a time of it getting anything back.
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#13
putergeek said:
Computer shows correct date/time (8/10/08)on scene
Obtained how? By a safe time application? Command line window and TIME?

It's a pity there's no 'safe path' time available ... i.e. a CTRL-ALT-DEL-based method. The 'login date and time' usually shown might help a bit in these cases to establish that system time isn't totally off course, I suppose.
 

Rift36

New Member
Nov 20, 2008
21
0
#15
Have you tried looking in the setupapi.log? The time stamps in it can show you if and when they've played around with the system clock.
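One way to act on this, as an added example that is not code from the thread or from any of the posters: setupapi.log is appended to in order, so a section header whose timestamp is earlier than the one above it means the clock was set back between the two writes (a very large forward step is worth a look too). The log lines in the script are constructed to resemble XP's "[YYYY/MM/DD HH:MM:SS PID.INSTANCE ...]" section headers and are not from any real system; the 30-day forward threshold is an assumed tuning value.

```python
"""Flag clock changes from the ordering of timestamps in a sequential log.

Added example (not from the thread).  setupapi.log is written in file order,
so an entry timestamped earlier than its predecessor means the system clock
was moved back in between.  SAMPLE_LOG is CONSTRUCTED to look like XP's
"[YYYY/MM/DD HH:MM:SS PID.INSTANCE ...]" section headers; pass the contents
of a real setupapi.log to parse_headers() to use this on a case.
"""
import re
from datetime import datetime, timedelta

# Section header: "[2008/08/06 18:02:11 1492.3 Driver Install]"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [^\]]*\]")

# Constructed sample: two entries in August, then the clock reads April again.
SAMPLE_LOG = """\
[2008/08/06 18:02:11 1492.3 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0000&pid_0000
[2008/08/07 10:15:40 1620.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disk
[2008/04/03 09:00:02 1688.2 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0000&pid_0001
[2008/04/03 09:07:45 1701.4 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disk
"""


def parse_headers(text):
    """Return (line_number, datetime) for every section header, in file order."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:
            out.append((n, datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")))
    return out


def clock_anomalies(headers, forward_gap=timedelta(days=30)):
    """Compare each header with the previous one.

    A backward step means the clock was set back; a forward step larger than
    forward_gap (assumed threshold) is reported so the examiner can check it.
    Returns (line_number, kind, previous_time, this_time) tuples.
    """
    findings = []
    for (n0, t0), (n1, t1) in zip(headers, headers[1:]):
        if t1 < t0:
            findings.append((n1, "backward", t0, t1))
        elif t1 - t0 > forward_gap:
            findings.append((n1, "forward", t0, t1))
    return findings


if __name__ == "__main__":
    for line_no, kind, prev, cur in clock_anomalies(parse_headers(SAMPLE_LOG)):
        print(f"line {line_no}: clock step {kind}: {prev} -> {cur} ({cur - prev})")
```

Read the output as a pointer to a time window, not as proof: if the log is kept in local time, the autumn DST change produces a one-hour backward step on its own, and entries added while booted from other media can also break the sequence.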
 

gtorgersen

New Member
Sep 8, 2008
12
0
#16
TimeStamps

Time stamps by default are such an unreliable source. They can be changed with such ease that it makes it almost impossible to validate them 100%. Look at a program like TimeStomp. They could use a utility such as that to modify the timestamps.

Check the EntryModified times. Most timestamp-altering software does not change these records.

Also look for evidence of software that can alter or manipulate timestamps. Do you suspect that the thief has the computer knowledge to do these more advanced techniques of data manipulation?

Gary Torgersen
Director of Technology
Document Solutions, Inc.
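An added example, not code from the thread or from any of the posters, that puts the advice above into practice: it parses an NTFS MFT record, pulls the four timestamps from both $STANDARD_INFORMATION (the set that SetFileTime-style tools rewrite, including the entry-modified "E" value the post refers to) and $FILE_NAME (the set such tools normally leave alone), and flags $SI values that predate their $FN counterparts or carry an all-zero sub-second part, as timestomping tools commonly leave behind. The record bytes, the file name "ledger.xls" and the timestamps are constructed inside the script; the sample mirrors this thread's dates, a $SI set claiming 4/3 on a file whose $FN still says 8/7.

```python
"""Compare $STANDARD_INFORMATION and $FILE_NAME timestamps in an NTFS MFT record.

Added example (not from the forum thread).  The record is CONSTRUCTED by
build_sample_record() so the script runs offline; for a case, read 1024 bytes
at the record's offset inside $MFT and hand them to parse_record().
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE, FN_TYPE, END_TYPE = 0x10, 0x30, 0xFFFFFFFF
RECORD_SIZE, SECTOR = 1024, 512
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")  # "E" = mft_modified


def to_filetime(dt):
    """UTC datetime -> FILETIME (100-ns ticks since 1601-01-01)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def fmt(ft):
    return from_filetime(ft).strftime("%Y-%m-%d %H:%M:%S.%f")


def _resident_attr(attr_type, value):
    """Resident attribute: 24-byte header, value at offset 24, length 8-aligned."""
    total = (24 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, total, 0, 0, 0, 0, 0, len(value), 24, 0, 0)
    return hdr + value + bytes(total - 24 - len(value))


def build_sample_record():
    """CONSTRUCTED record: $SI backdated to 2008-04-03, $FN still says 2008-08-07."""
    fn = to_filetime(datetime(2008, 8, 7, 15, 42, 10, 123456, tzinfo=timezone.utc))
    old = to_filetime(datetime(2008, 4, 3, 9, 0, 0, tzinfo=timezone.utc))
    stomp = to_filetime(datetime(2008, 8, 7, 15, 42, 11, 500000, tzinfo=timezone.utc))
    si_val = struct.pack("<4Q", old, old, stomp, old) + bytes(16)  # C, M, E, A + flags
    name = "ledger.xls".encode("utf-16-le")
    fn_val = struct.pack("<Q4QQQIIBB", 5 | (1 << 48), fn, fn, fn, fn,
                         4096, 3500, 0x20, 0, len(name) // 2, 1) + name
    body = (_resident_attr(SI_TYPE, si_val) + _resident_attr(FN_TYPE, fn_val)
            + struct.pack("<I", END_TYPE) + bytes(4))
    rec = bytearray(RECORD_SIZE)
    rec[:42] = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                           56 + len(body), RECORD_SIZE, 0, 3)
    rec[56:56 + len(body)] = body
    # Update sequence (fixup): stash the last 2 bytes of each sector, overwrite with the USN.
    usn = b"\x01\x00"
    rec[48:50] = usn
    for i, end in enumerate(range(SECTOR, RECORD_SIZE + 1, SECTOR)):
        rec[50 + 2 * i:52 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def parse_record(raw):
    """Undo the fixups, then walk resident attributes and collect both timestamp sets."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        end = SECTOR * i
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("fixup mismatch: record is torn or corrupt")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, used = struct.unpack_from("<H", rec, 20)[0], struct.unpack_from("<I", rec, 24)[0]
    out = {}
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_TYPE or alen == 0:
            break
        if not rec[off + 8]:  # resident attributes only; $SI and $FN always are
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            val = bytes(rec[off + voff:off + voff + vlen])
            if atype == SI_TYPE:
                out["SI"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", val, 0)))
            elif atype == FN_TYPE and "FN" not in out:  # keep the first of possibly two names
                out["FN"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", val, 8)))
                out["name"] = val[66:66 + 2 * val[64]].decode("utf-16-le")
        off += alen
    return out


def timestomp_indicators(times):
    """Heuristics only: legitimate copies and extractions can also trip them."""
    si, fn, findings = times["SI"], times["FN"], []
    for f in TIME_FIELDS:
        if si[f] < fn[f]:
            findings.append(f"$SI {f} {fmt(si[f])} predates $FN {fmt(fn[f])}: backdated")
    for f in ("created", "modified"):
        if si[f] % 10_000_000 == 0:
            findings.append(f"$SI {f} has an all-zero sub-second part: set by a tool?")
    return findings


if __name__ == "__main__":
    t = parse_record(build_sample_record())
    print(t["name"])
    for side in ("SI", "FN"):
        print(side, {k: fmt(v) for k, v in t[side].items()})
    for line in timestomp_indicators(t):
        print("  !", line)
```

Treat the findings as leads, not proof: archive extraction, copy tools that preserve timestamps, and files that arrived from FAT media (2-second resolution) all produce $SI values that are older or coarser than $FN without any tampering, and the $FN copy is itself refreshed when a file is renamed or moved. All times are printed in UTC; apply the suspect machine's time zone yourself rather than the examination box's, which is exactly the mismatch asked about earlier in the thread.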
 

putergeek

New Member
Sep 1, 2008
105
0
#17
Would Steady State or Deep Freeze get rid of the evidence or change time stamps?

My problem is just that time stamps have changed...the evidence is there but the wrong date!!
 

putergeek

New Member
Sep 1, 2008
105
0
#18
Deep Freeze

Thank you 4n6art! This computer is running Deep Freeze on it.

Does anybody have any experience completing forensics on a computer that has Deep Freeze on it?

The information should still be there if there was no shutdown between the time the evidence was placed and the time we pulled the plug... correct?

If anybody could explain this to me further, please do =)

Thanks again everyone for all the help!
 
