1. Time Stamp Analysis of Windows Systems Randall Karstetter President, CTIN randall@dataforensicslab.com May 12, 2011 Seattle, Washington
2. Disclaimer and Directive DO NOT believe anything I say. Take notes, go back and test everything yourself. Keep a binder with all your testing notes and observations. Let me know (and all the others in CTIN) if I’m wrong or you find something good. Give a seminar!! (also a CTIN requirement)
3. Time of an Event Critical to most computer investigations Basis of timeline analysis However, is not an area that is well investigated, written and published. In fact, what is written can be misleading and inaccurate. Which puts the impetus on the individual examiner to conduct their own testing for now.
4. Where Computer Time Starts Real Time Clock chip on the motherboard Must have battery to keep it running when power is off. Usually lithium rechargeable but newer systems have supercapacitors. Oscillator circuit keeps time like a digital watch and is fairly accurate, however it can fluctuate due to quality and environment. Not a time-critical device.
5. What Sets an RTC? Human. If the battery dies or if the BIOS is reset via jumper, a human must reset the BIOS time which resets the RTC. Any human who has access to the BIOS has access to the RTC. Since Windows 2000 Workstation, the operating system can reset BIOS time
6. What are BIOS Date Limits? Variable by BIOS manufacturer. AMI v02.54 2003 range is 1980-2099. Phoenix v05CE 2010 range is 1981-2099. Easy to test, just go into the BIOS and scroll up and down. If the battery dies or stops holding a charge, the date will default to January 1, <earliest year in range>. Note: CMOS batteries die regularly!
7. A Note About Computer Seizures Textbook is to go into BIOS and compare BIOS time to Real Wall Time. Does the BIOS time at seizure provide ANY correlation to computer activity times in the past?
8. What Date and Time is Kept by BIOS? Local Time as entered by the human in BIOS. On OS-updateable BIOS’s, local time as calculated by the OS or as entered by the user in Control Panel or on the Task Bar.
9. Do BIOS’s Correct For DST? They tried that once in the past. Didn’t work out well. OS’s couldn’t tell which BIOS’s were updating. BIOS’s couldn’t tell which OS’s were running. It ended up more often that the time got changed twice! (Off by two hours.) Now by convention, BIOS’s do not correct for DST. On Win ME and older systems the user had to manually update the BIOS, and likewise on hardware upgraded with newer OS’s.
10. What Happens at Boot-Up? Windows requests date and time from the BIOS. Windows converts the local time received to UTC based upon the TimeZone settings and whether Automatically Adjust for DST is enabled. Windows displays the calculated local time to the user on the task bar and at command line to >date, >time queries.
11. System Time Clock At boot Windows starts and maintains a System Time Clock which is independent of the RTC. This is the infamous count of 100-nanosecond intervals since January 1, 1601 (though depending on hardware the clock can actually tick only 64 times per second). The system clock is actually less accurate than the RTC, so periodically the RTC is polled.
12. W32Time Service Starting with Windows 2000, the W32Time service is designed to look for a local time server or remote internet time server (time.microsoft.com or time.nist.gov) and synch the System Time clock. Go see: http://msdn.microsoft.com/en-us/library/bb608215.aspx
13. Microsoft’s Time Statement Computers that synchronize their time less frequently, such as computers running Windows XP Home Edition, computers with intermittent network connections, or computers that are not joined to a domain, are configured by default to synchronize with time.windows.com. Because they do not synchronize their clock frequently and because the factors that affect time accuracy may not be known, it is impossible to guarantee time accuracy on computers that have intermittent or no network connections.
14. Is the computer synching with an NTP server? Go into System event log and filter on event numbers 35 and 37.
15. Synching Errors Microsoft mentioned that if the local time and time server are off by more than 15 hours, time synching may fail. I set date to 1/1/2099 and synch failed. I set to 16 hrs ahead and it failed the first time but synched on the second try. So somewhere around 15 hrs. As soon as time synchs, it updates BIOS clock.
16. Frequency of Synching On my Windows XP-64 SP3 test system, the default synch frequency was 7 days. So the BIOS clock could remain wrong for up to seven days. There may be conditions that trigger a synch event sooner, I don’t know.
17. Consequences of Wrong Date Windows Update fails. “Error Code: 80072F8F Windows Update encountered an unknown error.” Windows Defender update fails. Norton Update fails. McAfee Update fails. Is it any wonder ~30% of infected computers we see have a wrong BIOS time? ~70% of those are in the future (dates range from 1911 to 2050).
18. So, given the inaccuracies of the BIOS time, how can we verify if an event that is time critical to the case did occur at the time the computer says it did?
19. Confidence Testing Check event logs to see if W32Time synchronizations occurred both before and after the event. Look into log files. Sometimes antivirus definition updates will have the host server time in the log file, which can be compared to the file Last Modified time. Look at the File Create dates of Windows KB files in the root of Windows and then check Microsoft’s site for the date of release of the KB update. If the computer was turned on the day it was released, the File Create date will likely be the same day. At least the File Create date should not be BEFORE the release date.
20. More Things to Check See if emails were exchanged before and after the event. Email headers will have server dates in them. Correlate server dates with Received Dates displayed in the email program. Some cookies and HTML files will have embedded server time to compare to File Create times.
22. File Create Time “The time that the file was created.” Brian Carrier, File System Forensic Analysis “The time at which the file was…originally created.” Harlan Carvey, Windows Forensic Analysis 2009 “This value reflects when a particular file was created at that location.” Guidance Software, EnCEP Study Guide “Unix systems maintain…ctime as the time when certain file metadata, not its contents, were last changed. Windows systems are the only systems that use ctime to mean creation time.” www.forensicwiki.org/wiki/MAC_times “The file create date and time will depend on whether the file was copied or moved.” Microsoft, Technet
23. Fresh Install of Windows 7 on 5/4/2011 All file dates were sorted by Create Date and shown are the oldest Create Dates seen. Note MFT Record Date of 5/4/2011.
24. File Create Date Updates Reflect the start time a new file was being created in a folder. Is updated if a file is downloaded from the internet. Is updated if a file is extracted from a ZIP file. Is updated if copying a file to a new folder or copying a folder. Is updated if a file is moved to a folder using the command line “move” command. (Page 416, WFA 2ndEd, Harlan Carvey) Is changed to the original NTFS Modified Time when burned onto a CD using Nero 6.
25. Create Dates Not Updated When moving a file from one folder to another using Windows Explorer. When moving a folder with Windows Explorer. When extracted from a CAB file. When restored from a tape backup or similar special backup/restore program.
26. RK’s Definition of Create Time The time a file was first created in a folder. Or copied into the current folder using Windows Explorer, or copied with a folder, or moved into the current folder using the command line “move”. Or the time it was created somewhere else and moved into the current folder using Windows Explorer or extracted/restored using special software.
27. File Modified Time “Last Written: Indicates the last date and time that a file was actually opened, edited, then saved. If a file is merely opened then closed (but not altered), or opened, edited, and closed with no save, then this column will not update.” Guidance Software, Time/Date stamp issues “The last modified time is set when the value of any $DATA, $INDEX_ROOT, or $INDEX_ALLOCATION attributes are modified.” Brian Carrier, File System Forensic Analysis.
28. Modified Time Updates Creating a new file of course. Changing anything in the $DATA attribute and then saving the file. This could be resizing a JPG, changing margins in a Word doc, or highlighting a cell in Excel. This doesn’t have to be done by a user. It could be a program updating say a log file or a virus inserting and hiding code. Opening a file in an editing program and changing nothing but clicking on Save.
29. Modified Times Static When copying or moving files from one folder to another. When copying files from a CD onto a hard drive. When extracted/restored using special software. If opened in an editing program and closed without modifying or saving. Renaming the folder (which I thought would change $INDEX_ROOT. I couldn’t figure out how to change $INDEX_ROOT to update Modified Time).
30. RK’s Definition of Modified Time The last time a file was created, saved with modifications or saved without modifications either by a user or program.
31. Last Accessed Time “The time that the content of the file was last accessed.” Brian Carrier, File System Forensic Analysis “Displays the date of the last activity of the file. A file does not have to be altered for the last-accessed date to change—only accessed. Any activity (such as viewing, dragging or even right-mouse clicking) may change the Last Accessed date. The last-accessed date may also change if the file is accessed by a program, such as a virus checker.” EnCEP Study Guide
32. Last Accessed Updates Creating a new file. Copying or moving a file. Copying a folder containing a file. Highlighting a file in Windows Explorer either by left-clicking once on the file name or using Control-A to highlight all the files in the folder. Images in a folder turning Thumbnail view on. Scanned by an anti-virus/anti spyware program
33. Programs Altering Last Accessed
Software                              Modified Last Accessed Time?
Norton Anti-virus 2006                Yes
e-Trust EZ anti-virus v 7.1.8.0       Yes
F-prot anti-virus v3.16c              Yes
McAfee virus scan 2005                Yes
Microsoft Windows Defender Beta 2     Yes
Spybot SD v1.4                        No
PC-cillin 2005                        No
WinXP file searching tool             Yes
Taken from Table 1, page 4, The Rules of Time on NTFS File System, K. P. Chow, Frank Y. W. Law, Michael Y. K. Kwan, K. Y. Lai, Department of Computer Science, the University of Hong Kong.
34. Last Accessed Time Static In Windows Explorer, highlighting the folder in the left window without highlighting the file name in the right window. Moving a folder containing a file. Renaming the folder name.
35. Last Accessed Quirks Turned off by default on Windows Servers and Windows 7. CD’s do not have Last Accessed times. FAT partitions will show a Last Accessed time of 12:00:00 AM on the date they were last accessed, regardless of the actual time they were last accessed. Microsoft says there may be a delay of up to one hour from the actual time of Last Access until the $SYSTEM_INFORMATION attribute is updated.
36. RK’s Definition of Last Accessed The last time, sometimes available, of when a file was created, opened, copied or moved individually, highlighted either individually or in a batch, viewed as a thumbnail or scanned or updated by a program. In the case of a FAT volume, the last date only of when a file was thus accessed.
37. Entry (MFT) Modified Time “The time that the metadata of the file was last modified.” Brian Carrier, File System Forensic Analysis “Entry Modified refers to the file’s record entry and its information, such as the file size or file location. This is a file system modification and not a user modified value. This property is not normally used for eDiscovery.” EnCEP Study Guide
38. MFT Modified Updates When a new file is created. When any of the file attributes are changed (Read Only, Hidden, System, Archive). Renaming or moving individually in the same volume. Copying from another volume when a file with the same name exists anywhere on the destination volume. Time moved or deleted from a volume. When an application opens a file but does not modify or save it (tested with Notepad; note the difference with Last Modified).
39. MFT Modified Static File copied or moved between volumes on the same computer as long as a file with the same name is not anywhere on the destination. File within a folder copied or moved between volumes on the same computer.
40. RK’s Definition of MFT Modified The time a file was created on the computer regardless of volume, the last time a file attribute was updated, the last time a file with a similar name was copied onto a new volume or the last time the file was opened by an application.
41. Brett Shavers, CTIN Registry Forensics Seminar, August 14, 2008 “MFT record update entry time should match the MAC dates. If not, date manipulation could have occurred.”
42. File Copied from Server to C: when a file existed on Volume C: with the same file name The file Timestomp.txt was copied from a server onto local volume C: when a file by that same name existed in another folder on C: Date Created, Date Accessed were updated, Date Modified is as it was on the server, MFT Record Date remained the same as the Record Date of the existing file. And no, no manipulation took place.
43. THE DREADED TIMESTOMP “Timestomp changes all four MACE times!” “With anti-forensic tools such as Timestomp, how can any dates and times found on a suspect computer be deemed reliable!”
44. Has anyone had a case where a timestomping program was used or suspected of being used? Has anyone read of such a case?
46. Mistake # 1 Timestomp, stamp, filetouch and all such programs are designed to be used from a command prompt. Most computer users, and many young people who grew up with a mouse in their hands don’t know what a command prompt is. So how are they likely to download and use the program?
47. Program downloaded and clicked on from Desktop or Windows Explorer to launch. Link file created and persists after the program is deleted. BUSTED!
48. THE ACHILLES HEEL Yes, timestomping programs do change all four MACE times. But, they only change the $SYSTEM_INFORMATION attributes in the MFT, NOT the $FILE_NAME attributes.
49. USE FTK IMAGER Using FTK Imager, open the $MFT file in the root of the volume. Under View, turn on Hex Value Interpreter. Put the cursor anywhere in the hex data displayed, right-click and search for the filename. When found, count five rows down from the line that starts with “FILE0”. The first eight bytes are the $SYSTEM_INFO Create Date. The next eight are the File Modified. On the next line down, the first eight bytes are the MFT Modified and, to the right, the next eight bytes are Last Accessed.
50. This is a Timestomped file. Note the Date Created, Last Accessed, Last Modified and MFT Record Date on the left.
51. This is the file with the eight bytes starting at offset x050 highlighted and showing the hex value decoded. This is the File Create time in the $SYSTEM_INFORMATION attribute. The eight bytes just to the right of this is the File Modified time, the eight bytes starting on the next line down is the MFT Modified Time and the eight bytes to the right of that is Last Accessed.
52. Going down to the line that starts at offset x0c0, this is the start of the $FILE_NAME attribute, which is a copy of the $SYSTEM_INFORMATION attribute but doesn’t change and is not touched by any of the timestomping programs (at least yet). Highlight the first eight bytes and you’ll see the original File Create Time. Highlight the other byte strings to see the other times. BUSTED!
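The same comparison done programmatically, as an added example that is not from the slides: instead of counting hex rows it walks the MFT record’s attribute list, decodes the four FILETIME values (the 100-nanosecond count since January 1, 1601 from slide 11) in $STANDARD_INFORMATION (type 0x10, the attribute the slides call $SYSTEM_INFORMATION) and in $FILE_NAME (type 0x30), and flags a record whose $STANDARD_INFORMATION create time precedes its $FILE_NAME create time. It assumes a raw 1024-byte record such as one cut out of $MFT in FTK Imager; build_record only constructs a minimal sample record so the parser can be exercised offline.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME = 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_mft_times(record):
    """Walk the attribute list (no fixed hex-editor offsets) and return
    {'SI': (created, modified, mft_modified, accessed), 'FN': (...)}."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]      # first attribute offset
    times = {}
    while off + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:             # end-of-attributes marker
            break
        if record[off + 8] == 0 and atype in (0x10, 0x30):   # resident attributes only
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            # $STANDARD_INFORMATION begins with its four times; $FILE_NAME has an
            # 8-byte parent directory reference before its four times.
            tstart = body if atype == 0x10 else body + 8
            raw = struct.unpack_from("<4Q", record, tstart)
            times["SI" if atype == 0x10 else "FN"] = tuple(map(filetime_to_datetime, raw))
        off += alen
    return times

def backdated_create(times):
    """True when the $STANDARD_INFORMATION create time precedes the $FILE_NAME
    create time: timestomping tools rewrite the former but leave the latter."""
    return times["SI"][0] < times["FN"][0]

def build_record(si_times, fn_times, name="Timestomp.txt"):
    """Constructed minimal record for testing: header + $STANDARD_INFORMATION + $FILE_NAME."""
    def attr(atype, body):   # resident, unnamed attribute header (0x18 bytes) + body
        return struct.pack("<IIBBHHHIH2x", atype, 0x18 + len(body), 0, 0, 0, 0, 0, len(body), 0x18) + body
    si = attr(0x10, struct.pack("<4Q", *map(datetime_to_filetime, si_times)) + bytes(24))
    fname = name.encode("utf-16-le")
    fn_body = (bytes(8) + struct.pack("<4Q", *map(datetime_to_filetime, fn_times)) + bytes(24)
               + struct.pack("<BB", len(name), 1) + fname)
    fn = attr(0x30, fn_body.ljust((len(fn_body) + 7) // 8 * 8, b"\0"))
    header = b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x38 - 0x16)
    return (header + si + fn + b"\xff\xff\xff\xff").ljust(1024, b"\0")
```

On a real $MFT, slice the file into 1024-byte records and run parse_mft_times on each record that starts with FILE; a file that was legitimately copied will show a $FILE_NAME modified time later than its $STANDARD_INFORMATION modified time, which is why only the create-time comparison is used as the indicator here.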
53. Now go do some testing and report back to me if you find I made any mistakes and if you find some juicy information. We need independent exploration, testing and presentations to help build a documented reference for the undocumented space we work in. That’s what CTIN is all about and I’m grateful to Brett Shavers and all the others who have brought us here and keep us going. Lend your hand!