timeline analysis


amrogers3

#1
Hello team, got a log that shows a file was accessed in a folder before the actual folder was created. It appears svchost.exe was accessed before folder dllhost was created. Can someone explain what is happening here?
Code:
Timestamp Macb File Name
2012-04-03 15:40:19 .a..  C:/Windows/System32/dllhost/svchost.exe
2012-04-03 16:35:07 ...b  C:/Windows/System32/dllhost
 

chris-

#2
Hi amrogers3,
Rule No. 2:
When M time is before C time, the file has been
copied from one system into the same/another system or moved
from one partition to another partition.
From: The Rules of Time on NTFS File System, K.P. Chow, Frank Y.W. Law, Michael Y.K. Kwan, K.Y. Lai
Can be found at i.cs.hku.hk/cisc/forensics/papers/RuleOfTime.pdf (a bit old now)

[Please note that the doc uses (c)reation and not (b)irth. They have only "mac" time]

Well you have "a" and not "m", but the principle is clear. It was modified/accessed before the file was created. So how can that be?

If you have a look at the SANS poster Digital-Forensics-and-Incident-Response-Poster-2012.pdf (p2, google), you see how the timeline changes if a file is copied or moved. But you never see an "a" or "b" time before the "c" time.

All that does not apply 100% to your case. So I would say the file was in a zipped archive and was unzipped.

To prove that, I created a directory new1 and a file a.txt in it. After waiting some seconds I zipped (7z) the whole directory. After waiting again, I unzipped the new1.7z.

Now I got a new1 directory with an a.txt whose "a" time is older than the "b" and/or "m" time.

Conclusion: If an "a" or "m" time is before the file was created, it could be that a directory was zipped and unzipped.

Of course, anti-forensics (such as timestomp) can change the MAC times any way you like, too.
 
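The check chris- applies by hand above (an "a" or "m" time that predates a "b" time of the file or of its containing directory) can be run over a whole timeline. The script below is an added example, not code from the original post; it assumes the three-column text layout shown in post #1 (timestamp, MACB flags, path), and the sample timeline it parses is constructed for the example, with only the first two rows taken from the post. A log2timeline or bodyfile export would need a different PARSE_RE.

```python
"""Flag timeline rows where a file's access/modify/change time predates the
birth (creation) time of the file itself or of its parent directory.

Added example for the thread above; it is not code from the original post.
Assumption: the timeline is the three-column text shown in post #1
(timestamp, MACB flags, path). Other export formats need a different PARSE_RE.
"""
import re
from collections import namedtuple
from datetime import datetime
from posixpath import dirname

# Constructed sample timeline: rows 1-2 mirror the original post, the rest are
# invented so the detector also sees non-anomalous entries.
SAMPLE_TIMELINE = """\
Timestamp Macb File Name
2012-04-03 15:40:19 .a..  C:/Windows/System32/dllhost/svchost.exe
2012-04-03 16:35:07 ...b  C:/Windows/System32/dllhost
2012-04-03 16:35:07 ...b  C:/Windows/System32/dllhost/svchost.exe
2012-04-03 16:35:07 m...  C:/Windows/System32/dllhost/svchost.exe
2012-04-03 16:36:00 ...b  C:/Users/Public/readme.txt
2012-04-03 16:37:00 .a..  C:/Users/Public/readme.txt
"""

# "YYYY-MM-DD HH:MM:SS", then four flag positions (m a c b, '.' when absent),
# then the path, which may contain spaces.
PARSE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([m.][a.][c.][b.])\s+(.+?)\s*$"
)

Event = namedtuple("Event", "ts flags path")
# subject is "self" or "parent"; subject_birth is the birth time it predates.
Anomaly = namedtuple("Anomaly", "path flags ts subject subject_birth")


def parse_timeline(text):
    """Parse the text timeline into Event tuples, skipping the header line."""
    events = []
    for line in text.splitlines():
        m = PARSE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append(Event(ts, m.group(2), m.group(3)))
    return events


def birth_times(events):
    """Map each path to the earliest birth ('b') timestamp recorded for it."""
    births = {}
    for ev in events:
        if ev.flags[3] == "b":
            births[ev.path] = min(ev.ts, births.get(ev.path, ev.ts))
    return births


def find_pre_birth_anomalies(events):
    """Return rows whose timestamp is earlier than the birth time of the
    file itself ('self') or of its parent directory ('parent').

    A file cannot normally be accessed or modified before it or its directory
    exists, so such rows point at a copy or archive extraction that carried old
    timestamps along, or at deliberate timestamp manipulation.
    """
    births = birth_times(events)
    anomalies = []
    for ev in events:
        for subject, label in ((ev.path, "self"), (dirname(ev.path), "parent")):
            birth = births.get(subject)
            if birth is not None and ev.ts < birth:
                anomalies.append(Anomaly(ev.path, ev.flags, ev.ts, label, birth))
    return anomalies


if __name__ == "__main__":
    for a in find_pre_birth_anomalies(parse_timeline(SAMPLE_TIMELINE)):
        print(f"{a.ts} {a.flags} {a.path}: predates {a.subject} birth {a.subject_birth}")
```

On the sample data the only hits are the two rows for svchost.exe from the post: its 15:40:19 access predates both its own birth and the dllhost directory's birth, while the readme.txt rows (born, then accessed) pass. A row at exactly the birth time, such as the "m..." entry at 16:35:07, is not flagged, which is what you would expect for a file whose content was written as it was extracted.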
#3
Three questions...

First, what did you use to create the timeline?

What version of Windows is the system being analyzed?

What else happened 'near' the event?

Thanks.
 

Lids

#4
Realise this is an old thread now, but I agree with chris-'s answer ... most likely scenario is the folder was copied from another location. Good response.

-Sean
 
