Checking Bios time yes or no


Rich2005
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 11:21

- athulin
When it is demonstrably false, or turns out to be so out of synch with other evidence that the possibility that it has been used as 'correct' on boot time must be considered. (Basically, when it calls other evidence or the base for other evidence into question.) This should force the analyst to ensure that the base for the time line or important parts of it do not solely rely on the assumption RTC being correct on boot, but on stronger evidence such as logs from NTP synchs, or such.


But surely you should NEVER solely rely on the assumption that the RTC being correct lends weight to the fact that other historic timestamps are correct (and vice versa).

- athulin
Actually, such assurance should really be part of standard operating procedure as part of evaluating the evidentiary value of any timestamp in an environment that does not synch timestamps as soon as the system is turned on (or, equivalently, started from a power state that does not maintain internal timers).


Even in an environment that doesn't synch timestamps as soon as the system is turned on, with an accurate (or not) RTC, how can you derive credibility from the current RTC? It could have been changed in the BIOS just prior to seizure. It could have been changed in the BIOS at a certain point in time and then actions taken. And countless other possibilities.

- athulin
And it does not seem impossible that it may be important to verify that the battery driving a battery-powered RTC is indeed within operational limits. If it isn't, ... well, that seems to establish doubt that all timestamps are indeed correct ... so extra work needs to be spent on limiting such doubts.


I would argue that doubt should always exist and an inaccurate RTC doesn't change that.

- passcodeunlock
A good analyst would never rely on the RTC taken at the time of examination of a seized device. As I wrote before, the BIOS time / RTC serves documentation purposes only.


I don't really know what "documentation purposes" means. There's endless things you could document but you select which based on value. Do you fingerprint every component of every machine?

- jaclaz
When I booted this PC this morning its RTC was showing 21/05/2019 08:12.54, roughly at the same time another PC surely connected to an internet time service was showing 21/05/2019 08:13.01 UTC.

Now let's see what kind of logical (or illogical) leaps anyone can derive from the above statement, intentionally void of any comment, explanation or corollary, only a simple, straightforward statement.

jaclaz


A person not familiar with digital forensics could easily make the leap that because the time on the computer was accurate to within a small number of seconds that the timestamps in the case would be likely to be accurate. We know this is not true.  
 
  

jaclaz
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 12:10

- Rich2005

A person not familiar with digital forensics could easily make the leap that because the time on the computer was accurate to within a small number of seconds that the timestamps in the case would be likely to be accurate. We know this is not true.


Good.

BUT persons not familiar with digital forensics (which shouldn't BTW judge or derive anything from data - as opposed to conclusions - in a digital forensics report) can be divided in:
1) persons not familiar with digital forensics AND knowing that they are not familiar with it
2) persons not familiar with digital forensics NOT knowing that they are not familiar with it or BELIEVING WRONGLY that they are familiar with it

Category #1 will ask to someone familiar with digital forensics (and there won't be any leap).
Category #2 cannot be cured.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Rich2005
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 13:20

- jaclaz
- Rich2005

A person not familiar with digital forensics could easily make the leap that because the time on the computer was accurate to within a small number of seconds that the timestamps in the case would be likely to be accurate. We know this is not true.


Good.

BUT persons not familiar with digital forensics (which shouldn't BTW judge or derive anything from data - as opposed to conclusions - in a digital forensics report) can be divided in:
1) persons not familiar with digital forensics AND knowing that they are not familiar with it
2) persons not familiar with digital forensics NOT knowing that they are not familiar with it or BELIEVING WRONGLY that they are familiar with it

Category #1 will ask to someone familiar with digital forensics (and there won't be any leap).
Category #2 cannot be cured.

jaclaz


Indeed.
My point was really just to debate the actual value of collecting/reporting the RTC value, especially in the context of seized items rather than a "live" examination.
Like most of us I've done it as a matter of course for donkey's years.
I'm just more skeptical now of the actual merit for "dead" / "powered down" items.
Having said that, I suppose the merit of checking it is more, as athulin said, as a prompt for further investigation, rather than anything else.
Thinking out loud, I was making the counter-argument that obviously we should treat timestamps with more skepticism and therefore shouldn't need prompting, but I suppose if you take into account the realities of time/money, which most people have to work within, then a significantly outlying RTC might be justification to say more time needs to be spent validating timestamps (even if in reality most cases would benefit from more scrutiny of timestamps, for reliability, but will never be paid for by the employer/court/client etc.).
 
  

athulin
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 16:32

- Rich2005
But surely you should NEVER solely rely on the assumption that the RTC being correct lends weight to the fact that other historic timestamps are correct (and vice versa).


I can't imagine how you interpret what I wrote. I see nothing in there that leads to the point you are questioning.

Even in an environment that doesn't synch timestamps as soon as the system is turned on, with an accurate (or not) RTC, how can you derive credibility from the current RTC. It could have been changed in the bios just prior to seizure. It could have been changed in the bios during a certain point in time and then actions taken. And countless other possibilities.


Um ... I wasn't saying anything about that. I was addressing an RTC that is undeniably out of synch, not one that isn't. As RTC is the basis of system time after power-on (unless you have other solutions) until a better time has been obtained from somewhere, you somehow need to address that -- for example by documenting a conclusion that system timestamps between X and Y are not necessarily in synch with local time, and thus should not be relied on.

Or ... you may say that the RTC is unreliable, and so *all* timestamps after a power up until an NTP synch are unreliable. Unless, perhaps, the diff was smaller than some well-chosen limit. As long as you document it, so that readers of your report can evaluate it.

I view establishing the relationship between system time and local time as a basic and mandatory part of forensic analysis and report. I happen to regard a badly out of synch RTC as one of several inputs to such a process, and for that reason it needs to be collected and documented.

In some cases, I even get direct questions from customers about any indication (even low-confidence ones) of booting with a different operating system, and when it happened. If the RTC is off by a UTC offset, it could be such an indication. System logs where the time synch delta is on that order may also be such indicators. As I do not participate in the customer's internal investigations, I can only answer their questions, and warn about low-confidence indicators. In writing.

It might be slightly better to put your original question on a slightly different base: for example "Does anyone have ISO 17025 methods that use computer RTC in any way, and so require that information about RTC and its operational environment needs to be collected?"  
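The procedure athulin describes (record the RTC against a trusted reference, document the offset, and treat timestamps between power-on and the first NTP synch as RTC-based rather than synched) can be written down as a small script. This is an added example, not code from the thread or from any of the posters; the 60 s tolerance, the log events and the boot/synch times are constructed, and the RTC/reference pair reuses the reading jaclaz quoted earlier in the thread (08:12:54 against 08:13:01 UTC). The "utc_offset" label implements athulin's low-confidence hint that an RTC off by a whole number of half-hours may mean another OS wrote local time into it; it is an indicator, not a conclusion.

```python
# Added example (not from the thread): turn a recorded RTC reading into a
# documented offset and a per-timestamp confidence label. All times, the
# 60 s tolerance and the sample events below are constructed for illustration.
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: an RTC within this skew of the reference is "accurate enough".
REASONABLE_SKEW = timedelta(seconds=60)
MAX_UTC_OFFSET = timedelta(hours=14)      # largest real-world UTC offset


def parse(s: str) -> datetime:
    """Parse a naive 'YYYY-MM-DD HH:MM:SS' string; every value is treated as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rtc_offset(rtc_reading: datetime, reference_utc: datetime) -> timedelta:
    """Signed RTC offset: positive means the RTC runs ahead of the reference."""
    return rtc_reading - reference_utc


def classify_offset(offset: timedelta, tolerance: timedelta = REASONABLE_SKEW) -> str:
    """
    'accurate'   : |offset| <= tolerance
    'utc_offset' : |offset| is, within tolerance, a whole number of half-hours
                   up to 14 h: the pattern left when one OS stores local time
                   in the RTC and another reads it as UTC (low-confidence hint
                   of a boot into a different OS, as raised in the thread)
    'inaccurate' : anything else (drifted, reset, battery dead, tampered, ...)
    """
    secs = abs(offset.total_seconds())
    tol = tolerance.total_seconds()
    if secs <= tol:
        return "accurate"
    rem = secs % 1800                      # distance from a half-hour multiple
    if min(rem, 1800 - rem) <= tol and secs <= MAX_UTC_OFFSET.total_seconds():
        return "utc_offset"
    return "inaccurate"


def timestamp_confidence(ts: datetime, boot: datetime, first_sync: Optional[datetime],
                         offset: timedelta, tolerance: timedelta = REASONABLE_SKEW) -> str:
    """
    Label one logged event time from a single power-on session.
    boot       : system time at which the session started (clock loaded from RTC)
    first_sync : system time of the first NTP correction in that session, or None
    Timestamps before the first synch rest on the RTC alone; they are only
    marked usable if the documented offset is within tolerance.
    """
    if ts < boot:
        return "outside_session"
    if first_sync is None or ts < first_sync:
        return "rtc_based_ok" if abs(offset) <= tolerance else "rtc_based_unreliable"
    return "ntp_synced"


def report(rtc_str: str, ref_str: str, boot_str: str, sync_str: Optional[str],
           events: List[Tuple[str, str]]) -> List[str]:
    """Header line documenting the offset, then one line per event."""
    offset = rtc_offset(parse(rtc_str), parse(ref_str))
    boot = parse(boot_str)
    sync = parse(sync_str) if sync_str else None
    lines = [f"RTC offset vs reference: {offset.total_seconds():+.0f} s "
             f"({classify_offset(offset)})"]
    for ts_str, what in events:
        lines.append(f"{ts_str} {what}: "
                     f"{timestamp_confidence(parse(ts_str), boot, sync, offset)}")
    return lines


if __name__ == "__main__":
    # Constructed log events for the session that booted at 08:12:54 system time
    # and got its first NTP correction at 08:20:00 system time.
    EVENTS = [("2019-05-21 07:00:00", "file modified"),   # before this boot
              ("2019-05-21 08:15:00", "logon"),           # after boot, before NTP synch
              ("2019-05-21 09:00:00", "file created")]    # after NTP synch
    for line in report("2019-05-21 08:12:54", "2019-05-21 08:13:01",
                       "2019-05-21 08:12:54", "2019-05-21 08:20:00", EVENTS):
        print(line)
```

The header line is the part that belongs in the report whatever the outcome: the reading, the reference it was taken against, and the resulting signed offset. The per-event labels only say which clock a timestamp was derived from; as the thread points out, an accurate RTC at examination time says nothing about what the clock read at some earlier date, so "rtc_based_ok" is a statement about this session, not about historic timestamps.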
 
  

jaclaz
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 17:42

So, if we make a decision tree of sorts:
A) RTC date/time is recorded/logged (at a given time, as well logged, coming from a known to be accurate enough source)
or:
B) RTC date/time is NOT recorded/logged

IF A):
A1) the RTC date/time is accurate (within a "reasonable" approximation [1]) and this may (or may not) mean anything or something or the opposite of it, and this can of course be debated, argued and counter argued as much as you want.
or:
A2) the RTC date/time is NOT accurate (within the same "reasonable" approximation) and this may (or may not) mean anything or something or the opposite of it, and this can of course be debated, argued and counter argued as much as you want.

IF B):
B) Nothing can be said about the accuracy (or lack of it) of the RTC.

The only argument (or counter argument) in case B) is that the investigator could (or should) have logged it and IF he/she had logged it THEN we could be in either A1) or A2) but we will never know.

I personally would always prefer the arguments (and counter arguments) in A).

jaclaz


[1] which we can tentatively assume amounting to a small amount of seconds
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

fissa
Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 19:26

Thanks for all the replies! Very useful. (I was afk for a few days, so I apologise for not responding sooner.)

When posting I had in mind getting a yes or no, with an argument why so. I have learned, reading all the replies, there is no right or wrong. I'm convinced taking note of the BIOS time is only a small effort and therefore something I will do in the future. But then again; for what use. It doesn't say anything about the time set in the past, so I can't derive any rights.


An interesting topic. I think it will keep me busy until the end of times ^^
 
  

Rich2005
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 23, 19 11:14

- athulin
I was addressing an RTC that is undeniably out of synch, not one that isn't. As RTC is the basis of system time after power-on (unless you have other solutions) until a better time has been obtained from somewhere, you somehow need to address that -- for example by documenting a conclusion that system timestamps between X and Y are not necessarily in synch with local time, and thus should not be relied on.

Or ... you may say that RTC is unreliable, and so *all* timestamps after a power up until a NTP synch is unreliable. Unless, perhaps, the diff was smaller than some well-chosen limit. As long as you document it, so that readers of your report can evaluate it.


The RTC, at some point in time (which is the crucial point), is going to be the basis of system time.

However, the "addressing" of that and "a conclusion that system timestamps between X and Y are not necessarily in synch with local time, and thus should not be relied on" is part of where I think the value is debatable. You could, with good reason, argue the timestamps in any historic period should not be relied upon absolutely, whether the RTC when examined was correct or not. This could be from deliberate actions causing the clock to be wrong historically at various points in time (in order to hide actions or place them deliberately at a different point). It could also be from inadvertent actions which have led the clock to be wrong at various points in time. Etc.

If you're simply documenting it, you're leaving it open to interpretation by others, as you say, who're almost certainly less technical or not best placed to weigh the significance. If you're drawing a conclusion that a correct RTC at the time of examination means historic times are likely to be reliable I'd argue that's simply wrong. If you're drawing a conclusion that a wrong RTC means historic timestamps will be unreliable, then we're back to the original problem, in that drawing inference from an RTC value at the time of examination is problematic, and therefore I'm skeptical of the value (other than as a prompt/justification for further investigation as mentioned in the previous post).

As I say, I'd probably still collect it, even if simply as a prompt for further investigation (when significantly wrong). Although I wouldn't say not doing so causes any issue either (and wouldn't go to the ends of the earth to do so, for example if there wasn't an easy way to do it for some reason, i.e. on a device with damaged hardware).
 

Page 3 of 4