Caine / Guymager timestamps

jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

All,

I have an issue that I'm not sure is a real issue. I've imaged a laptop after booting to a Caine distro with Guymager. The image went fine, verification between source and image was fine, but when I went to look at the info log that it creates, it shows that the time is in CET, which is about 6 hours ahead of CST (where I'm located). I imaged it originally around 12:15 PM on Saturday, and the file's timestamp showed that it was created at 6:15 AM.

So, I booted Caine in a VM to take a look and I noticed that everything is set to Italian. I changed the language for regional settings and added CST as a timezone. When I logged out and back in, all of the timezones were correct on the box, and there is nothing in Guymager to control it otherwise. I started the imaging again at 17:31 on Sunday. The image was created as it was before, but the log now stated 17:53 CET again! I was okay with that (at least the times matched), but I decided to mount the portable drive that has the DD image on it on my personal laptop this morning, and the image says that it was created around 12:39 PM, which isn't even correct for a CET/CST conversion.

I've already imaged this twice to try to get the correct timestamps. Am I worrying too much about this since the hashes match? If this is a problem, does anyone else have any ideas how to get an image without mounting the drive? Maybe another distro? I have access to LinEn, but I haven't resorted to using it yet…

Just to add, the only other thing that I haven't done is a standard dd image, which I may try later today. It could be Guymager causing the issue, considering that my other timestamps were correct. After creating the image with Guymager yesterday, viewing the timestamps with "ls" showed the correct time. It was this morning on a Windows box that it showed incorrectly. So I'm still not sure if this is a distribution (Caine) issue or a Guymager issue. If it's the distro, doing a dd image is going to have the same effect, I'm afraid.

Thanks,
John

 
Posted : 16/03/2015 2:50 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am not sure if this is the issue, but assuming (wild guess) that the volume(s) on the laptop are NTFS, the $MFT date/timestamps are UTC 0 or GMT; how they are rendered by Windows depends on local time settings.
http://www.forensicfocus.com/Forums/viewtopic/t=12738/

jaclaz

 
Posted : 16/03/2015 5:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

So, the issue is with time stamps in the acquisition log, NOT in the acquired image itself?

 
Posted : 16/03/2015 6:06 pm
(@twjolson)
Posts: 417
Honorable Member
 

I don't see this being an issue as long as you document it. The important thing is that the image is an accurate representation of the original evidence. That the log has incorrect offsets doesn't change that in the least.

 
Posted : 16/03/2015 9:17 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Thanks for the response, everyone. Yes, the log says one thing and the created date on the file says another. But that's only when I'm looking at the file on a Windows workstation. The Linux host seems to believe that the file was created (at the time of creation at least) at the correct time. Windows is seeing it about 5-6 hours earlier. I called Guidance and they suggested I use LinEn for the acquisition, so I may be reacquiring the evidence tonight after testing LinEn on another workstation in a lab.

I agree on the documentation of the discrepancy. I just don't know how I would document it. Do I state that the timestamps are skewed on a Windows host vs. a Linux host? I'm now questioning whether normal dd will mess with timestamps as well. I was going to capture a thumb drive using the same bootable distro and see what results I get from that when I move it over to the Windows host.

Oh and the hashes match (md5 and sha1/256) between the source drive and raw image file that was created.

Thanks!
John

 
Posted : 16/03/2015 10:00 pm
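The two questions above (why the same moment renders differently on each host, and how to document that) come down to normalizing every reading to UTC before comparing. This is an added example, not code from the thread or from Guymager/CAINE; it assumes Python 3.9+ with zoneinfo, a log host left on Europe/Rome and an examiner on America/Chicago, and the log values are constructed.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"


def to_utc(wall_clock: str, zone: str) -> datetime:
    """Interpret a zone-less wall-clock string in the zone the writing host
    actually used and return the unambiguous UTC instant it denotes."""
    naive = datetime.strptime(wall_clock, FMT)
    return naive.replace(tzinfo=ZoneInfo(zone)).astimezone(timezone.utc)


def render(instant: datetime, zone: str) -> str:
    """Show a UTC instant the way a host configured for `zone` would display it."""
    return instant.astimezone(ZoneInfo(zone)).strftime(FMT + " %Z")


def wall_clock_gap_hours(a: str, zone_a: str, b: str, zone_b: str) -> float:
    """Magnitude in hours between two readings once both are normalized to UTC.
    0.0 means they describe the same instant and differ only in rendering."""
    delta = to_utc(a, zone_a) - to_utc(b, zone_b)
    return abs(delta.total_seconds()) / 3600


def documentation_line(event: str, wall_clock: str, zone: str, examiner_zone: str) -> str:
    """One line for the acquisition notes: the reading as logged, the zone it was
    written in, the UTC instant, and how the examiner's own host renders it."""
    utc = to_utc(wall_clock, zone)
    return (f"{event}: logged as {wall_clock} ({zone}); "
            f"UTC {utc.strftime(FMT)}; examiner local {render(utc, examiner_zone)}")


# Constructed sample (hypothetical values): the live CD's info log was written
# with the zone still on Europe/Rome, while the examiner's watch in Chicago
# read 12:15 at the same moment. March 2015: Rome is UTC+1, Chicago UTC-5.
LOG_ZONE = "Europe/Rome"
EXAMINER_ZONE = "America/Chicago"
LOGGED_START = "2015-03-14 18:15:00"    # what the log file shows
OBSERVED_START = "2015-03-14 12:15:00"  # what the examiner observed locally

if __name__ == "__main__":
    gap = wall_clock_gap_hours(LOGGED_START, LOG_ZONE, OBSERVED_START, EXAMINER_ZONE)
    print(f"real gap between the two readings: {gap:.1f} h")
    print(documentation_line("Acquisition start", LOGGED_START, LOG_ZONE, EXAMINER_ZONE))
```

A gap of 0.0 shows the log and the examiner's clock agree on the instant; the six-hour figure only appears when the same digits are read as if written in the other zone.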
(@tired)
Posts: 1
New Member
 

I don't know if this will help with your issue.

In CAINE v6 I have found that by changing the settings under the time and date on the task bar, although it allows you to input a location and selecting GMT whatever, it does not change the TimeZone that seems to be set within CAINE itself.

Even after setting the information there by going to

Menu > System > Administration > Time and Date

It still defaults to Europe/Rome. Once changed here, the correct times and dates, in my experience, seem to be in place.

It had me fooled for a while. However, if you have already figured this out, you're quicker off the mark than me!

Regards

Tony

 
Posted : 10/04/2015 7:13 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

J,

What if, as a simple solution to your problem, you create a second image file of the first CAINE-created image file using FTK Imager on a Windows machine?

You mentioned there are no issues with hash values in the CAINE-created image, so I believe it is correct to state that a new FTK Imager-created image file would not only preserve/confirm your original hash values but also record your desired CST time stamps for the image file creation.

Regards,

Larry

 
Posted : 10/04/2015 7:45 pm