
Module 2 Timelines and Such Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.



2 MACTimes
- Who, what, when, where and how?
- When may be more important than what
- UNIX: atime, mtime, ctime, dtime, last (note that ctime is the inode change time, updated by permission, owner or link-count changes, not a creation time)
- Windows: ChangeTime, CreationTime, LastAccessTime, LastWriteTime
- Historical times may not be available except on backups, journaling file systems, etc.

3 Viewing items
- ls -l (shows mtime; ls -lu shows atime, ls -lc shows ctime)
- TCT's mactime tool
  - Uses the lstat() system call to read the timestamps
- Windows has third-party tools
- Explorer: right mouse click, Properties, and look at all tabs

4 Issues with MACTimes
- GUI-based tools can change the atime
- Importance of using a forensic tool on an image that cannot be altered (read-only or write-blocked)
- Opening a directory can change its access time; be sure to use lstat(), which reads the inode without opening anything
- Hashes must be done after an lstat(): hashing reads the file, which can update its atime

5 Issues with MACTimes (cont'd)
- Do not show history (only the most recent value of each timestamp survives)
- MACTimes degrade with time
- OOV
- Easily forged
  - touch command
  - utime() on both UNIX and NTFS (on UNIX it sets atime and mtime to whatever the caller asks for, but the kernel sets ctime to the current time)
  - NT has the SetFileTime() call to change all three (creation, last access, last write)
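The following script is an added example, not code from the slides or from TCT. It shows the points of slides 3 to 5 in working form: timestamps are collected with lstat() before anything reads the files, the three times are flattened into a mactime-style sorted timeline, and a utime()-style back-dating is performed to show that atime and mtime can be forged while ctime records the moment of the forgery. The directory tree, file contents and the back-dated timestamp (2000-01-01 UTC) are constructed for the example; the function names are the author's own.

```python
"""Added example (not from the slides): mactime-style timeline built with
os.lstat(), plus a demonstration of what utime() forgery does and does not change."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed timestamp used to back-date a sample file: 2000-01-01T00:00:00Z.
OLD = 946684800


@dataclass
class Entry:
    path: str
    size: int
    atime: float
    mtime: float
    ctime: float


def collect(root):
    """Record the timestamps of everything under root with os.lstat().

    lstat() reads the inode: it opens neither the file nor its directory, so it
    updates no atime, and it does not follow symlinks, so a link's own times
    are recorded rather than its target's.
    """
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            entries.append(Entry(p, st.st_size, st.st_atime, st.st_mtime, st.st_ctime))
    return entries


def hash_file(path):
    """SHA-256 of a file's contents. Reading the file can update its atime,
    so call collect() first and hash afterwards, never the other way round."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def timeline(entries):
    """Flatten entries into (epoch_second, 'mac' flags, path) rows sorted by
    time, in the style of TCT's mactime: the flag string marks which of the
    m/a/c times fell in that second ('.' for the ones that did not)."""
    flags = {}
    for e in entries:
        for flag, t in (("m", e.mtime), ("a", e.atime), ("c", e.ctime)):
            flags.setdefault((int(t), e.path), set()).add(flag)
    return [(t, "".join(f if f in fl else "." for f in "mac"), path)
            for (t, path), fl in sorted(flags.items())]


def forge_timestamps(path, when):
    """Back-date a file the way touch -t / utime() does, then re-read it.

    The caller chooses atime and mtime, but the kernel records the utime()
    call itself as an inode change, so ctime becomes the current time.
    """
    os.utime(path, (when, when))
    st = os.lstat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def build_sample(root):
    """Create a constructed tree: root/a.txt (back-dated) and root/sub/b.txt."""
    a = os.path.join(root, "a.txt")
    with open(a, "w") as f:
        f.write("sample evidence\n")
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    b = os.path.join(sub, "b.txt")
    with open(b, "w") as f:
        f.write("second file\n")
    forge_timestamps(a, OLD)
    return {"a": a, "sub": sub, "b": b}


def run_demo():
    """Build the sample tree in a temp dir; timestamps first, hashes second."""
    root = tempfile.mkdtemp()
    paths = build_sample(root)
    entries = collect(root)
    digests = {e.path: hash_file(e.path) for e in entries if os.path.isfile(e.path)}
    return paths, entries, timeline(entries), digests


if __name__ == "__main__":
    paths, entries, rows, digests = run_demo()
    for t, fl, path in rows:
        print(t, fl, path, digests.get(path, ""))
```

In the output, a.txt appears twice: once in 2000 with flags "ma." and once at the current time with flags "..c". That second row is the only trace the forgery leaves, and it is why a ctime newer than both atime and mtime deserves a second look in a timeline, even though legitimate chmod or chown calls produce the same pattern.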

6 Looking for Things
- Unusual port numbers being accessed
- An FTP port being used for a long time
- What other systems did this person access?

7 Where to Look
- Kernel and processor memory
- Unallocated disk space
- Deleted files
- Swap files
- Peripherals and other items that may hold fragments of information

8 OnLine
- Bind: DNS daemon
- DNS records
  - PTR: maps an IP address to a host name
  - A: address record, maps a computer name to an IP address
  - MX: mail exchange, tells where to send the mail
  - TTL: time to live. Bind's cache holds the time left on a cached record; compare it with the real (authoritative) TTL and the difference tells you how long ago the request that cached it was sent.
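The TTL comparison on the slide, as an added example that is not part of the presentation. It parses two dig-style answer sections, one from a caching resolver and one from the authoritative server, matches records by name, type and rdata, and dates each cached record as authoritative TTL minus remaining TTL. The names, addresses and TTL values are constructed, and the `now` argument is a fixed epoch time so the result is reproducible.

```python
"""Added example (not from the slides): estimate when a cached DNS answer was
first requested by comparing a resolver's remaining TTL with the authoritative TTL."""
import re
import time

# Constructed answer sections. The first is what a caching resolver (for
# example a Bind cache) returned; the second is what the zone's authoritative
# server returned for the same names. Names, TTLs and addresses are made up.
CACHED = """\
www.example.test.   2937  IN  A     192.0.2.10
mail.example.test.  3600  IN  A     192.0.2.25
example.test.       84400 IN  MX    10 mail.example.test.
"""
AUTHORITATIVE = """\
www.example.test.   3600  IN  A     192.0.2.10
mail.example.test.  3600  IN  A     192.0.2.25
example.test.       86400 IN  MX    10 mail.example.test.
"""

# name, ttl, class IN, type, rdata (rdata may contain spaces, e.g. MX priority)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_rrs(text):
    """Map (name, type, rdata) -> TTL for each resource record line."""
    out = {}
    for line in text.splitlines():
        m = RR.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            out[(name, rtype, rdata)] = int(ttl)
    return out


def cache_ages(cached_text, auth_text, now=None):
    """For every record present in both answers, return the seconds since the
    resolver cached it (authoritative TTL minus remaining TTL) and the
    estimated epoch time of the request that caused the caching."""
    now = time.time() if now is None else now
    cached, auth = parse_rrs(cached_text), parse_rrs(auth_text)
    result = {}
    for key, remaining in cached.items():
        if key not in auth:
            continue  # no authoritative TTL to compare against
        elapsed = auth[key] - remaining
        if elapsed < 0:
            continue  # zone TTL was lowered since caching; cannot date this one
        result[key] = {"elapsed": elapsed, "requested_at": now - elapsed}
    return result


if __name__ == "__main__":
    for (name, rtype, rdata), info in cache_ages(CACHED, AUTHORITATIVE).items():
        print(f"{name} {rtype} {rdata}: cached {info['elapsed']}s ago "
              f"(request at about {time.ctime(info['requested_at'])})")
```

An elapsed value of 0 means the resolver fetched the record at the moment of your query, quite possibly because your own query populated the cache, so it says nothing about earlier activity. The estimate also assumes the resolver stores the authoritative TTL unchanged; Bind's max-cache-ttl option, for instance, caps cached TTLs and would make a record look older than it is.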

9 Problems with Time
- Synchronization
- Power: battery or power failure
- Accuracy, drift
- Time zones
  - Moving a computer to another time zone
- Intruders altering time or resetting clocks

