Checking Bios time yes or no

Page Previous  1, 2, 3, 4  Next 
  

athulin
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 17, 19 18:02

- pbeardmore
I think Rich makes a good point re how useful the BIOS date/time is and if one were to introduce it as evidence, the caveats that he points out would have to be stated. The issue is, then, at what point do you get to so many caveats that the original data has little or no use and then, we are back to the question of why collect that info in the first place? The very action of collecting it is an indicator that it will have some evidential use/value: which, as pointed out, is questionable. Tricky one.


Not all information collected has evidential value. Some of it just raises questions, and so has investigative value.

There are also a number of questions that have to be answered for normal timestamps, relating to how long it was since the system synced time with an authoritative time server, and the accuracy that this would be expected to give, as well as how time was kept since that point in time, and what, if any, deterioration in accuracy this can be expected to have led to.

Or, if we're lucky enough to get reliable external time logged somewhere on the system, that allows us to match it with internal time, and so get an estimate of how much out of sync the system was.

One of the factors in such an analysis would be whether the system has been powered down to a point where the RTC is where system time is kept, and therefore the additional behaviour of that RTC becomes an issue. (I find a note that typical RTC crystals are temperature limited to less than 60 degrees centigrade -- so a system running hotter may have time-keeping issues. I also find a note that +- 1.7 seconds per day is expected at 25 degrees centigrade, and at 'extreme' temperatures (seems to be 'hot' gaming systems), errors of 13 seconds per day have been observed. Some RTCs have built-in calibration for these situations ... but it's anyone's guess if that's enabled in Windows or Linux or ... )

If such power down (G4?) has taken place, the RTC date and time may become interesting, as it provides a very rough estimate of drift since last power down or other moment when RTC was updated. As we don't know if this will become relevant, collecting RTC data as early as possible seems like a useful safeguard. (But see below for a reason it might be useless.)

In any case, without such analysis, we cannot say just how far from accurate time that system actually is. Without it, it becomes 'user XYZ downloaded the relevant web page at 19:54 ± ??hh:??mm:??ss'. Just guessing that the error is so small that it can be ignored ... I'd call that bad forensics. Just as bad as guessing that system time hasn't been reset, and not warning about a possible source of error.


Since Microsoft published the warning that prior to Windows Server 2016, Windows did not keep time well on its own (particularly important for traders and banking and payment stuff), forensic analysts really have to be prepared to answer 'well, what is the expected error in times reported?' I have not found any answer to that from Microsoft, except the max 5 minutes error allowed for domain-connected systems. That is, for non-domain client systems, we don't seem to have any idea.

MS published some tests, but as they were made on virtual Windows Server 2016 systems, they're probably 'best case' situations. Does anyone know if those tests have been repeated in client systems, especially for pre-2016/10 releases?

(I also have a big question mark chalked up for Windows 8, which was banned from at least one benchmarking community because of problems with the RTC. It's probably restricted to systems running software that adjusts the base clock without reboot ... but I have not seen any technical explanation, so ... we may have yet another factor to account for. This could easily lead to a hands-in-the-air "forget about RTC for anything useful" on systems running Windows, just because accounting for such software seems to be tricky and possibly even imponderable.)
 
  
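The drift reasoning in the post above, carried through as an added worked example (my code, not athulin's, and not anything posted in this thread). It assumes a simple model: the system clock is known to be correct to within some stated accuracy at the last logged sync, then free-runs at no more than a stated drift rate. The drift figures are the 1.7 s/day and 13 s/day quoted above; the sync time, event time and examination readings are constructed sample values, not data from any real case.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Drift figures quoted in the post above, in seconds per day. Assumed bounds for the
# worked example; they were not measured on any particular examined system.
RTC_DRIFT_TYPICAL = 1.7   # roughly what a crystal RTC does at 25 C
RTC_DRIFT_EXTREME = 13.0  # what has been observed on hot systems


def clock_offset_seconds(clock_reading, reference_utc):
    """Offset of an examined clock against a trusted reference read at the same moment.
    Positive means the examined clock runs ahead of true time."""
    return (clock_reading - reference_utc).total_seconds()


def max_error_seconds(elapsed, drift_per_day, sync_accuracy=0.0):
    """Worst-case |clock error| after `elapsed` of free-running drift, starting from a
    sync point at which the clock was known to be true to within +/- sync_accuracy."""
    days = abs(elapsed.total_seconds()) / 86400.0
    return sync_accuracy + drift_per_day * days


def timestamp_bounds(event_time, last_sync, drift_per_day, sync_accuracy=0.0):
    """Interval of true UTC within which a timestamp written by the system clock at
    `event_time` can lie, under the model above."""
    err = max_error_seconds(event_time - last_sync, drift_per_day, sync_accuracy)
    return event_time - timedelta(seconds=err), event_time + timedelta(seconds=err)


def offset_is_explainable(measured_offset, examined_at, last_sync, drift_per_day, sync_accuracy=0.0):
    """True if the offset measured at examination is within what drift since `last_sync`
    can account for. False means the clock was set by hand, the sync assumption is wrong,
    or drift was worse than assumed: the timeline then needs anchors other than the RTC."""
    bound = max_error_seconds(examined_at - last_sync, drift_per_day, sync_accuracy)
    return abs(measured_offset) <= bound


def describe(event_time, bounds):
    lo, hi = bounds
    return f"{event_time:%Y-%m-%d %H:%M:%S} UTC as recorded; true time between {lo:%H:%M:%S} and {hi:%H:%M:%S}"


def example_scenario(rtc_offset_seconds=-7):
    """Constructed scenario (assumed values): one known-good sync taken from a log, one event
    of interest, and the RTC reading noted against a reference clock at examination.
    `rtc_offset_seconds` is the RTC minus the reference at that moment."""
    last_sync = datetime(2019, 4, 20, 12, 0, 0, tzinfo=UTC)
    event_time = datetime(2019, 5, 15, 19, 54, 0, tzinfo=UTC)
    examined_at = datetime(2019, 5, 21, 8, 13, 1, tzinfo=UTC)
    rtc_reading = examined_at + timedelta(seconds=rtc_offset_seconds)

    offset = clock_offset_seconds(rtc_reading, examined_at)
    typical = timestamp_bounds(event_time, last_sync, RTC_DRIFT_TYPICAL)
    extreme = timestamp_bounds(event_time, last_sync, RTC_DRIFT_EXTREME)
    return {
        "event_time": event_time,
        "offset_s": offset,
        "typical_bounds": typical,
        "extreme_bounds": extreme,
        "typical_width_s": (typical[1] - typical[0]).total_seconds(),
        "extreme_width_s": (extreme[1] - extreme[0]).total_seconds(),
        "explainable": offset_is_explainable(offset, examined_at, last_sync, RTC_DRIFT_TYPICAL),
    }


if __name__ == "__main__":
    r = example_scenario()
    print("[typical drift] " + describe(r["event_time"], r["typical_bounds"]))
    print("[extreme drift] " + describe(r["event_time"], r["extreme_bounds"]))
    print(f"measured offset {r['offset_s']:+.0f} s explainable by typical drift: {r['explainable']}")
    # An RTC a full hour off at examination cannot be drift over one month at these rates.
    print(f"offset +3600 s explainable: {example_scenario(3600)['explainable']}")
```

A timestamp reported with the resulting interval is what the '19:54 ± ??' above turns into once the inputs are stated. When the offset measured at examination cannot be explained by drift, something other than drift moved the clock, and it is the model's inputs (the last sync, the drift rate), not the arithmetic, that need defending in the report.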

jaclaz
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 18, 19 10:09

- pbeardmore
The issue is, then, at what point do you get to so many caveats that the original data has little or no use and then, we are back to the question of why collect that info in the first place? The very action of collecting it is an indicator that it will have some evidential use/value: which, as pointed out, is questionable.


Allow me to philosophically disagree.

There are tens of things that are recorded/logged/collected and that do not give any real "certainty".

It's not like anyone will ever discuss each of them and the reasons why they were collected, data is simply data, it is not necessarily revealing anything or proving this or that theory.

It's only a matter of pragmatism; most investigators will log BIOS date/time without "attaching" to it any particular meaning.

If you don't, be prepared to be questioned on the matter, losing some time to explain why exactly you omitted taking note of that, since it costs nothing (in money or time) to take note of that, just do it and move on, not entirely unlike the wiping of disks to which images are saved:
www.forensicfocus.com/...c/t=13055/

More generally, unlike filesystem timestamps, the BIOS date/time is "volatile", i.e. it is the kind of non-repeatable investigation, if you don't record/log it when you boot the system, it cannot be re-checked later and this alone can be a reason (even if the data do not actually mean *anything*) for the other party to put your report in a "bad light".

The "current" RTC/BIOS clock time will almost always be synchronized with system time, most probably the only "real world" exception being a "dead" CMOS battery (in which case when booting the time will be the BIOS release date/time or a "default", like 1-1-1970 or similar), but I can easily invent a couple of exceptions:
1) the user may have booted the PC with another OS, not connected to the internet, changed the BIOS date/time and then forgot to set it back or reboot the computer
2) the PC might have been kept off (or not connected to the internet) for a relatively long period of time and there could be a significant enough to be noticeable "time drift" between the CMOS and the System (or NTP time)

Besides, depending on the OS, configuration settings may actually prevent the w32time service from syncing, for example:
docs.microsoft.com/en-...1(v=ws.10)



jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
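The configuration point in jaclaz's post above, as an added example (my code, not jaclaz's, and not from the linked Microsoft page): a small parser for the `.reg` export of the W32Time keys, followed by a check of the settings that decide whether the service will ever sync at all. The key and value names (`Parameters\Type`, `Parameters\NtpServer`, `Config\MaxPosPhaseCorrection`, `Config\MaxNegPhaseCorrection`, `TimeProviders\NtpClient\Enabled`, `TimeProviders\NtpClient\SpecialPollInterval`) are the documented w32time settings; the `.reg` text is constructed to show a client that cannot sync, and is not from any real system.

```python
import re

W32 = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"
UNLIMITED = 0xFFFFFFFF  # documented "no limit" value for the phase-correction settings

# Constructed sample, in the shape `reg export` writes. On an offline SYSTEM hive you would read
# the ControlSet selected by Select\Current instead of CurrentControlSet. Values are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NoSync"
"NtpServer"="time.windows.com,0x9"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxPosPhaseCorrection"=dword:0000d2f0
"MaxNegPhaseCorrection"=dword:0000d2f0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000000
"SpecialPollInterval"=dword:00093a80
'''

# "name"=value  or  @=value ; the name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse the subset of .reg syntax these keys use: key headers, REG_SZ and REG_DWORD
    values. Returns {key_path: {value_name: str | int}}; other types are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        raw_value = m.group(2)
        if raw_value.startswith('"') and raw_value.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", raw_value[1:-1])  # undo \\ and \" escapes
        elif raw_value.lower().startswith("dword:"):
            value = int(raw_value[6:], 16)
        else:
            value = raw_value
        keys[current][name] = value
    return keys


def assess_w32time(keys):
    """Decide whether this w32time configuration can sync from a network source at all, and
    collect the settings an analyst should state when weighing the system's timestamps."""
    params = keys.get(W32 + r"\Parameters", {})
    config = keys.get(W32 + r"\Config", {})
    ntp = keys.get(W32 + r"\TimeProviders\NtpClient", {})
    sync_type = params.get("Type", "<unset>")
    enabled = ntp.get("Enabled")  # absent value: provider not explicitly disabled
    findings = []

    if sync_type == "NoSync":
        findings.append("Type=NoSync: w32time keeps local time only and never queries a time source")
    elif sync_type == "NT5DS":
        findings.append("Type=NT5DS: syncs from the domain hierarchy only; nothing to sync to when off the domain")
    elif sync_type in ("NTP", "AllSync"):
        findings.append(f"Type={sync_type}: syncs from NtpServer={params.get('NtpServer', '<unset>')}")
    else:
        findings.append(f"Type={sync_type}: unrecognised, treat as not syncing until verified")
    if enabled == 0:
        findings.append("NtpClient Enabled=0: the NTP client provider is switched off")
    for name in ("MaxPosPhaseCorrection", "MaxNegPhaseCorrection"):
        limit = config.get(name)
        if isinstance(limit, int) and limit != UNLIMITED:
            findings.append(f"{name}={limit} s: a clock further off than this is not corrected by w32time")

    will_sync = sync_type in ("NTP", "NT5DS", "AllSync") and enabled != 0
    return {
        "type": sync_type,
        "will_sync": will_sync,
        "poll_interval_s": ntp.get("SpecialPollInterval"),
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess_w32time(parse_reg(SAMPLE_REG))
    print(f"will sync: {result['will_sync']}  (poll interval {result['poll_interval_s']} s)")
    for f in result["findings"]:
        print(" -", f)
```

Note that even a configuration that does sync has limits worth stating: with the correction caps in the sample (54000 s, fifteen hours), a clock that was already more than that out when the service last polled would stay wrong, and the poll interval (604800 s, a week, in the sample) bounds how long the clock free-runs between corrections.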
 
  

passcodeunlock
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 19, 19 18:58

It's always a yes. The BIOS/RTC time has nothing to do with the analyzed data, it is part of the documentation for serving authenticity purposes.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

Rich2005
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 20, 19 17:06

I won't quote the above posts as it'll make this thread far too long....;)

But whilst saying yes to collection, you do both further describe problems with actually basing any opinion on the reading, and/or why it might not be right.

We could probably all go on and on listing further reasons not to rely on it, or why it shouldn't be taken at face value, or used to assert that an earlier timestamp of some kind is likely to be correct.

As for the merit to counsel knowing it.....that's a double edged sword. You could record/report and it could result in lots of explanation/argument in the box. Equally you could not record it and have the same issue (in both scenarios explaining why you can't rely on it as an indication historic timestamps are correct for all the reasons we've described and no doubt countless more). Either way, I think you should always be prepared to be questioned about timestamps, and whilst it's a horrible subject with endless possibilities, could inevitably crop up at any moment.

Whichever way you cut it, we all know you can't say with any confidence at all, that just because the clock is correct now, that any timestamps in the past are accurate. Equally, just because it's inaccurate at the time of examination, you can't infer that all the previous timestamps were inaccurate.

So, if times are significant, we're back to trying to properly investigate the time issue more thoroughly, and trying to do the difficult task of giving indications of why the time might, or might not be, reliable.

I could argue that the capture, and reporting of the clock alone, is arguably misleading to non-forensics people, by virtue of the fact they might understandably make the logical leap that it's quoted to indicate the other timestamps they're seeing are likely to be reliable, and that, without sufficient explanation / explanatory notes, it potentially does more harm than good.

A better question might be "when WOULD you rely, or give any meaningful weight, to the RTC taken at the time of examination of a seized device"?  
 
  

passcodeunlock
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 20, 19 19:50

- Rich2005

...
A better question might be "when WOULD you rely, or give any meaningful weight, to the RTC taken at the time of examination of a seized device"?


A good analyst would never rely on the RTC taken at the time of examination of a seized device. As I wrote before, the BIOS time / RTC serves documentation purposes only.
 
  

athulin
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 20, 19 19:55

- Rich2005
I could argue that the capture, and reporting of the clock alone, is arguably misleading to non-forensics people, by virtue of the fact they might understandably make the logical leap that it's quoted to indicate the other timestamps they're seeing are likely to be reliable, and that, without sufficient explanation / explanatory notes, it potentially does more harm than good.


I don't think you raised that question. You asked about collecting the information ... not including it in the final report. My answer addresses the collecting part only.

As for making more harm than good ... you must be able to say 'this is hard evidence, and there cannot be any technical doubt about it', or 'this evidence may be used only under the assumption that ... ' etc. In some cases, you must say 'evidence as to ... could not be obtained with any degree of confidence, and so this question has not been answered at all in this report.' Or words to that effect.

As to writing anything without sufficient explanation or without explanatory notes ... in my world that's never an option.

- Rich2005
A better question might be "when WOULD you rely, or give any meaningful weight, to the RTC taken at the time of examination of a seized device"?


When it is demonstrably false, or turns out to be so out of sync with other evidence that the possibility that it has been used as 'correct' at boot time must be considered. (Basically, when it calls other evidence or the basis for other evidence into question.) This should force the analyst to ensure that the basis for the time line, or important parts of it, does not rely solely on the assumption of the RTC being correct on boot, but on stronger evidence such as logs from NTP syncs, or such.

Actually, such assurance should really be part of standard operating procedure as part of evaluating the evidentiary value of any timestamp in an environment that does not synch timestamps as soon as the system is turned on (or, equivalently, started from a power state that does not maintain internal timers).

And it does not seem impossible that it may be important to verify that the battery driving a battery-powered RTC is indeed within operational limits. If it isn't, ... well, that seems to establish doubt that all timestamps are indeed correct ... so extra work needs to be spent on limiting such doubts.  
 
  

jaclaz
Senior Member
 

Re: Checking Bios time yes or no

Post Posted: May 21, 19 09:19

When I booted this PC this morning its RTC was showing 21/05/2019 08:12.54, roughly at the same time another PC surely connected to an internet time service was showing 21/05/2019 08:13.01 UTC.

Now let's see what kind of logical (or illogical) leaps anyone can derive from the above statement, intentionally void of any comment, explanation or corollary, only a simple, straightforward statement.

jaclaz
 

Page 2 of 4