Checking Bios time yes or no


fissa (Member)

Checking Bios time yes or no

Posted: May 09, 2019 12:28

Hi all,

The title says it; what do you do when seizing a PC/laptop for investigation?
For an unknown reason there is discussion on 'my work floor'. Some do it, but some don't.

These are my thoughts (using EnCase) to image and investigate the drive in it:

When I image or get an image of a hard drive (as an example) for forensic investigation, I was taught not to determine the BIOS time and date.
I was taught to check the correct offset of the timezone. Now, getting more experience, I have asked myself: what does this gain me? I'm in Belgium, being in the Central European timezone anyway. I do not get PCs/laptops from outside this timezone, because all cases are local.

This timezone doesn't tell me anything about the actual time and date setting on the PC/laptop, does it?
For this I'll dive into the registry. To be more specific: the controlset (CurrentControlSet, Services, W32Time, Parameters).
Here I determine if the date and time was in sync with the NTP server. If so, can I assume the date and time match the real time and date?

If not: is there a way of determining an offset in time and date? It's quite an easy anti-forensic action to mess things up for investigators. (Subject X is on a PC on 9-5-2019 at 14:00 in a public library, doing all kinds of evil. The PC's time is changed to 4 hours later. The timestamps of 'the evil' will list 4 hours later, placing an unknown John Doe behind the PC 'doing this evil'.)

Of course, determining the BIOS time will overcome this 'problem'. But I could knowingly change back to the normal time and date after I did my evil.

Any advice will be appreciated.

With kind regards,

Fissa.

fissa (Member)

Re: Checking Bios time yes or no

Posted: May 14, 2019 13:31

nobody?

www0ut (Newbie)

Re: Checking Bios time yes or no

Posted: May 15, 2019 14:50

Hi fissa,

Thank you for your question(s). A few remarks from me:

Checking the registry for a configured NTP server doesn't necessarily mean the system was able to sync with that NTP server. You can tell by analysing the Windows Event Logs whether it synced successfully or not. If it didn't sync, it doesn't necessarily mean the time of the system was out of sync. You should check the BIOS to make sure the time/date of the system were correct, at least at the moment of checking and acquiring the system.

So should you check the BIOS time? I think you should.

And regarding your remark about changing the time of the system: this will create an entry in the Windows Event Logs as well.

I hope this helps.

Kind regards!
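As an added example (not code from any post in this thread), here is how the two checks www0ut points at could be run over exported event records: whether the time service actually reported a successful sync, and which clock changes were logged, with the recorded old/new values used to translate a stamp back to real time. The records are constructed to resemble System-log events 35/37 (synchronizing / receiving valid data) and 47 (no valid response) from Microsoft-Windows-Time-Service, and Security event 4616 ("The system time was changed") with PreviousTime, NewTime and ProcessName. The record layout, the simplified timestamp format, the helper names and all sample values are assumptions for illustration; verify field names against your own export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Optional, Tuple

# Constructed sample records shaped like what an EVTX parser would export.
# Field names, values and the simplified timestamp format are assumptions
# for illustration, not an export from a real machine.


@dataclass
class Event:
    log: str                # "System" or "Security"
    provider: str
    event_id: int
    time_created: datetime  # written by the (possibly skewed) system clock
    data: dict


TIME_SERVICE = "Microsoft-Windows-Time-Service"
SYNC_OK_IDS = {35, 37}      # synchronizing with / receiving valid data from a peer
SYNC_FAIL_IDS = {47}        # no valid response from the configured peer
TIME_CHANGED_ID = 4616      # Security: "The system time was changed."


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


SAMPLE_EVENTS = [
    Event("System", TIME_SERVICE, 47, utc("2019-05-08 09:00:00"), {"peer": "time.windows.com"}),
    Event("System", TIME_SERVICE, 37, utc("2019-05-08 09:20:00"), {"peer": "time.windows.com"}),
    # Clock pushed forward four hours by hand (fissa's library scenario)...
    Event("Security", "Microsoft-Windows-Security-Auditing", TIME_CHANGED_ID,
          utc("2019-05-09 17:55:00"),
          {"PreviousTime": "2019-05-09 13:55:00", "NewTime": "2019-05-09 17:55:00",
           "ProcessName": r"C:\Windows\System32\rundll32.exe"}),
    # ...and set back again afterwards.
    Event("Security", "Microsoft-Windows-Security-Auditing", TIME_CHANGED_ID,
          utc("2019-05-09 14:30:00"),
          {"PreviousTime": "2019-05-09 18:30:00", "NewTime": "2019-05-09 14:30:00",
           "ProcessName": r"C:\Windows\System32\rundll32.exe"}),
]


def last_sync_state(events: List[Event]) -> Optional[str]:
    """'ok' or 'failed' according to the most recent Time-Service sync event, or
    None if there is none. A configured peer in W32Time\\Parameters says nothing
    about whether a sync ever happened; the log does."""
    sync = [e for e in events if e.log == "System" and e.provider == TIME_SERVICE
            and e.event_id in SYNC_OK_IDS | SYNC_FAIL_IDS]
    if not sync:
        return None
    last = max(sync, key=lambda e: e.time_created)
    return "ok" if last.event_id in SYNC_OK_IDS else "failed"


@dataclass
class ClockChange:
    previous: datetime   # clock reading just before the change (PreviousTime)
    new: datetime        # clock reading just after (NewTime)
    process: str

    @property
    def delta(self) -> timedelta:
        return self.new - self.previous

    @property
    def manual(self) -> bool:
        # W32Time runs inside svchost.exe; assume anything else is a manual change
        return not self.process.lower().endswith("svchost.exe")


def clock_changes(events: List[Event]) -> List[ClockChange]:
    """4616 records in log order. time_created of a 4616 event is written by the
    very clock being changed, so the data fields are used, not time_created."""
    return [ClockChange(utc(e.data["PreviousTime"]), utc(e.data["NewTime"]),
                        e.data.get("ProcessName", ""))
            for e in events if e.log == "Security" and e.event_id == TIME_CHANGED_ID]


def skew_intervals(changes: List[ClockChange]) -> Iterator[Tuple[datetime, datetime, timedelta]]:
    """(clock_from, clock_to, skew): the clock-reading range and the skew
    (clock minus real time) in force within it, assuming the clock was right
    before the first recorded change."""
    start, skew = datetime.min.replace(tzinfo=timezone.utc), timedelta(0)
    for c in changes:
        yield start, c.previous, skew
        skew += c.delta
        start = c.new
    yield start, datetime.max.replace(tzinfo=timezone.utc), skew


def real_time_candidates(stamp: datetime, changes: List[ClockChange]) -> List[datetime]:
    """Every real time consistent with a clock stamp. After a set-back the
    ranges overlap, so one stamp can map to two real times; that ambiguity is
    exactly what has to be corroborated from other artefacts."""
    return [stamp - skew for lo, hi, skew in skew_intervals(changes) if lo <= stamp <= hi]


if __name__ == "__main__":
    print("last sync state:", last_sync_state(SAMPLE_EVENTS))
    changes = clock_changes(SAMPLE_EVENTS)
    for c in changes:
        kind = "manual" if c.manual else "service"
        print(f"{kind} change {c.previous:%H:%M} -> {c.new:%H:%M} ({c.delta.total_seconds() / 3600:+.1f} h)")
    for s in ("2019-05-09 10:00:00", "2019-05-09 18:00:00"):
        print(s, "could be", [d.strftime("%H:%M") for d in real_time_candidates(utc(s), changes)])
```

Run on the constructed records, a stamp of 18:00 comes back with two candidates (14:00 and 18:00), which is the point: once the log shows a set-back, a stamp from the overlapping range cannot be placed by the clock alone, and the analyst has to fall back on artefacts whose timestamps come from somewhere other than the system clock.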
 
  

athulin (Senior Member)

Re: Checking Bios time yes or no

Posted: May 15, 2019 15:35

fissa wrote:
"When I image or get an image of a hard drive (as an example) for forensic investigation, I was taught not to determine the BIOS time and date. I was taught to check the correct offset of the timezone."

Different SOPs do different things. In your case, it may be that the probability of an issue requiring the information about the system RTC was considered so low that it was considered wasted time. Or ... perhaps even an impossibility, if all you get your hands on is an image. In that case, you probably were taught to make sure that you didn't say anything specific about the actual hardware of the system in question.

The only situation I can think of when knowledge of the RTC could be important is for a system disconnected from the network, and not able to sync with an NTP server (once a week, default) or with its home AD. However, for that situation, knowledge about typical RTC drift (either in general, or for the one you actually have, in particular) would be useful -- or not, as RTCs are said to drift more with higher system temperature.

Then again, user systems today tend to go into a kind of sleep state rather than power down entirely. I don't know if system timers (those that keep system time when the system is powered) still keep ticking or not -- if they do, collecting the RTC would be less interesting, except when a full power down has taken place.

fissa wrote:
"This timezone doesn't tell me anything about the actual time and date setting on the PC/laptop, does it?"

It does, sometimes. Most timestamps are in GMT, so for those, registry settings are irrelevant. For any logs kept in local time rather than GMT, however, registry settings may give you the means to convert to GMT. Perhaps.

fissa wrote:
"Here I determine if the date and time was in sync with the NTP server. If so, can I assume the date and time match the real time and date?"

Of course not. You apparently have taken some kind of forensic courses -- those should have taught you what you can or cannot say. Getting time right is (or should be) basic stuff: you should learn that as early as possible (or conversely, you should learn that you will be more or less useless as a forensic analyst until you've learnt it. Yes, I'm exaggerating a bit.). However, it's one of those things most forensic analysts don't learn early ... so you're probably in good company.

Being in sync with an NTP server cannot be interpreted unless you know the behaviour of the NTP server. (And no, you don't assume anything about them.) When I do security assessments on corporate networks, I very often find NTP servers all over the place, some seriously out of sync with real time. They're default services, and no one bothers about maintaining them. But if any client computer uses one of those to sync, forensics related to that computer is going to be difficult. (Getting authoritative time is often as important as getting authoritative DNS results.)

Add to that that NTP is a protocol designed for symmetrical bandwidth: it assumes that client-to-server traffic is as quick as server-to-client. In many cases, that's not how home computers are connected. So ... there's an additional error term to include. But I've never seen that error term discussed. Still, if it cannot be estimated, it should be documented as a disclaimer.

fissa wrote:
"If not: is there a way of determining an offset in time and date? It's quite an easy anti-forensic action to mess things up for investigators. (Subject X is on a PC on 9-5-2019 at 14:00 in a public library, doing all kinds of evil. The PC's time is changed to 4 hours later. The timestamps of 'the evil' will list 4 hours later, placing an unknown John Doe behind the PC 'doing this evil'.)"

I have heard about a forensic investigation that ended up in that situation: DHCP logs were misinterpreted, and identified the connected laptop as belonging to John Innocent instead of, correctly, Richard Evil. It was a corporate investigation, but the mess was big enough to stink.

So ... yes, I would collect the system RTC, even if I know that it wouldn't necessarily be useful in a well-behaved investigation. It's when the investigation starts to go sideways that it just possibly may come in useful. Besides, if done right, the cost of collecting it is usually minuscule. In some cases it isn't -- in those cases, there's good reason for not collecting it.
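The "additional error term" athulin mentions can be put in numbers. As an added example (not from any post in this thread), the block below implements the NTP client's offset and delay calculation from RFC 5905 section 8, simulates an exchange with unequal one-way delays, and isolates the error that the symmetric-path assumption hides. The simulated exchange, the delay values (5 ms up / 45 ms down for a home link) and the function names are assumptions for illustration.

```python
# t1: client transmit, t2: server receive, t3: server transmit, t4: client
# receive, all in seconds. The server's clock is taken as true time.


def ntp_offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """Offset and round-trip delay exactly as an NTP client computes them
    (RFC 5905, section 8). The offset is the correction the client applies."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(client_skew: float, d_up: float, d_down: float,
                      server_processing: float = 0.001, now: float = 1000.0):
    """Constructed exchange: the client clock reads true time + client_skew,
    the request takes d_up seconds, the reply d_down seconds."""
    t1 = now + client_skew            # stamped by the client's own clock
    t2 = now + d_up                   # stamped by the server (true time)
    t3 = t2 + server_processing       # server replies after a short delay
    t4 = t3 + d_down + client_skew    # back on the client's clock
    return t1, t2, t3, t4


def asymmetry_error(d_up: float, d_down: float) -> float:
    """Substituting the simulated stamps into the offset formula gives
    offset = -client_skew + (d_up - d_down) / 2, so the client ends up wrong by
    (d_up - d_down) / 2. Without knowing the split, the only statement the
    client can make is |error| <= delay / 2."""
    return (d_up - d_down) / 2


def worst_case_bound(delay: float) -> float:
    return delay / 2


if __name__ == "__main__":
    skew = 2.0  # the client clock is 2 s ahead of true time
    for label, up, down in (("symmetric 25/25 ms", 0.025, 0.025),
                            ("home link 5/45 ms", 0.005, 0.045)):
        offset, delay = ntp_offset_and_delay(*simulate_exchange(skew, up, down))
        print(f"{label}: computed offset {offset:+.4f} s, true {-skew:+.4f} s, "
              f"error {offset + skew:+.4f} s, bound +/-{worst_case_bound(delay):.4f} s")
```

With a 50 ms round trip the client can only promise its sync is within 25 ms of the server; on the constructed 5/45 ms link the actual miss is 20 ms. That is small against a four-hour manipulation, but it is the figure to state as a disclaimer when sub-second ordering of events matters, and it says nothing about whether the server itself was right, which athulin's next point covers.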
 
  

Rich2005 (Senior Member)

Re: Checking Bios time yes or no

Posted: May 16, 2019 17:00

It's one of those things which most places I've worked did as a matter of course... although I'm largely of the opinion that it's pretty pointless.
If the dates and times on the computer came into question, the fact that the clock was correct (or near correct) when seized would prove of little value, if the other side had any sense (whether counsel or expert).
Just because it's correct at the time of seizure gives no guarantee that it was correct during the period being argued over. There could be multiple scenarios where the clock might have been changed automatically or deliberately (or there might be another issue with the timestamps unrelated to the system clock), or the timestamps themselves might have been messed with, if we're getting into that sort of thing.
Either way, if there was major dispute over time-related data, I don't think anyone would seriously suggest that just because the machine's clock is currently correct, that clears up the issue. You'd then be into the realms of the tricky task of trying to discover evidence that the clock was changed, or perhaps trying to identify items with timestamps within them that naturally derive from somewhere other than the system clock, and see if they correlate, and also try to corroborate that they were indeed created around the same time as the questionable material from other artefacts. Or checking for evidence of timestamp manipulation. And so on and so forth.

It's not going to hurt to check the current clock setting of a machine, and arguably you should for completeness' sake, but in reality I don't believe it's the end of the world if you/someone didn't, as if a case hangs on timings, especially if disputed, then more work than just looking at the current state of the clock should probably be done.


kastajamah (Senior Member)

Re: Checking Bios time yes or no

Posted: May 16, 2019 18:45

After reading all of these posts, I agree that you should check it. It goes towards being thorough, and it will be one less thing that the defense/opposing counsel will be able to cross you on as to why you did not. All of the forensic courses that I have attended that cover this subject have told me to do it as a matter of course.

As far as you being in central Europe and all the computers you examine being local, so you do not check the time zone: I would disagree with this fully. You never know when a computer will come in that has a different time zone. When I worked on the east coast of the US, I would say 97% of computers came in as the Eastern Time Zone. On occasion, though, I would get computers from other time zones. If the time is at issue in a case you are working, 5:00 EST is very different from 2:00 PST. If the time frame you are looking into is at 2:00 PST but you are focusing on 5:00 EST, you will miss what your stakeholder wants you to find.


pbeardmore (Senior Member)

Re: Checking Bios time yes or no

Posted: May 17, 2019 10:40

I think Rich makes a good point regarding how useful the BIOS date/time is, and if one were to introduce it as evidence, the caveats that he points out would have to be stated. The issue is, then, at what point do you get to so many caveats that the original data has little or no use, and then we are back to the question of why collect that info in the first place? The very action of collecting it is an indicator that it will have some evidential use/value: which, as pointed out, is questionable. Tricky one.

Page 1 of 4