
Newbie question on file date/time stamps and time zones

(@tvdavis)
Posts: 14
Active Member
Topic starter
 

Hello!

I'm hoping someone can help me with a really basic question. I was trying out the sample problem for the CCE exam, which involves a floppy disk that has had its contents deleted & has been formatted. The expected case results explanation states that the examiner should be able to determine from the document metadata when the deleted documents were last saved, and provides the exact modification date/time the examiner should have gotten during the examination.

Please note that no time zone information was provided along with the case scenario.

Using several tools, I was able to data carve the deleted documents from unallocated space, looked at the metadata for the files, and have the proper date the documents were modified, but the time stamp is off by several hours. Since I was not provided with the time zone this evidence was supposed to be confiscated from, I do not know what time zone to set the forensic workstation to in order to get the correct results. I assumed that the time zone might be GMT/UTC, but that setting also gave incorrect results.

To make this long story short: Is there a way within WinHex or another utility for me to discover what the original time zone setting was and/or the local file modification date on a file deleted from a floppy disk? I know I can use the registry information on a HDD, but what do I do with a floppy?

I hope that since this is NOT part of the actual CCE exam that someone will be able to give me a hint. I have looked through my class notes and every forensic book I have & simply cannot figure this out.

Thanks in advance for any assistance you can provide.

TVD

 
Posted : 21/01/2006 2:21 am
(@bjgleas)
Posts: 114
Estimable Member
 

From what I remember about the CCE, they don't really deal with time zones. They expect you to check the system time (if available), and make note of any differences between system time and real time. For the most part, it appears that the CCE assumes everything happens in the scenario's local time zone.

As far as I can also tell, the examiners grading the problems understand the time discrepancies between the real time and the scenario time (for example, the scenario might indicate that the events took place last week, but all the date/time stamps are months or years before you were given the case). The solution to all of this is to document, document, document.

According to the information on the website, it appears that the graders are more concerned with the process and documentation rather than finding everything. They make it clear that just turning in a list of deleted files is unacceptable. I would address the time zone issue, and state that unless determined or indicated otherwise, the clock is correct and set to the local time zone.

Your mileage may vary.

bj

 
Posted : 21/01/2006 11:59 am
(@bjgleas)
Posts: 114
Estimable Member
 

Here is a paper from Guidance Software discussing time zones in computer investigations, and some of the issues involved.

http://www.guidancesoftware.com/corporate/downloads/whitepapers/Timezonewpv3.pdf

bj

 
Posted : 21/01/2006 8:02 pm
(@tvdavis)
Posts: 14
Active Member
Topic starter
 

Thank you bj for your quick responses! I am going to read the Guidance Software paper now.

I must say that I do wonder why the CCE sample bothered stating that I should have found files with specific time stamps if they aren't that important.

Now that you mention it, I do remember the instructor for my forensics course stating that your documented methodology used during the examination carries more weight than whether or not you find every single piece of evidence.

Thanks again!

TVD

 
Posted : 22/01/2006 1:11 am
(@bjgleas)
Posts: 114
Estimable Member
 

I must say that I do wonder why the CCE sample bothered stating that I should have found files with specific time stamps if they aren't that important.

The time stamps are important, the time zone, not so much. The time stamps are relative to the scenario time, in the time zone that the incident occurred in.

FAT12 (as found on floppies) doesn't save time zone information (unlike NTFS, which converts everything to GMT), so you would have to get the time zone information from the original machine (which may or may not be available). Assuming you cannot access the machine, the best you can do is assume that the clock was accurate and set for the proper time zone, and see if the date/time stamps correspond with any witness testimony you receive. And document everything.

bj

 
Posted : 22/01/2006 9:55 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

All,

A good explanation of this for Windows systems can be found here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/file_times.asp

On another note, from the original poster (tvdavis)
"..I do not know what time zone to set the forensic workstation to in order to get the correct results…"

Why would you want to do that? Do you want to go setting your forensic workstation timezone settings every time you get a new case in? That seems kind of cumbersome.

Is it part of your SOP?

Harlan

 
Posted : 22/01/2006 6:29 pm
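The point bj makes above (FAT12 stores the file time as a bare local clock reading with no zone, while NTFS stores UTC) and the MSDN file-times page Harlan links are easy to see in code. The following is an added example, not code posted by anyone in this thread and not the CCE sample's material: it decodes the 16-bit FAT date/time fields and a 64-bit NTFS FILETIME, shows how the same FAT reading becomes a different UTC instant under each assumed zone offset (the "off by several hours" effect), and inverts that to recover the offset when an independent reference time (witness testimony, a server log) is available. The FAT field values and the reference time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# --- FAT directory-entry date/time (2-second resolution, local time, no zone) ---

def decode_fat_datetime(fat_date: int, fat_time: int) -> datetime:
    """Decode FAT 16-bit date and time fields into a naive datetime.

    Layout: date = YYYYYYYMMMMDDDDD (year since 1980), time = HHHHHMMMMMMSSSSS
    where the 5-bit seconds field counts 2-second units. The result carries no
    tzinfo because the on-disk value carries no zone information."""
    year = 1980 + ((fat_date >> 9) & 0x7F)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    hour = (fat_time >> 11) & 0x1F
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def encode_fat_datetime(dt: datetime) -> tuple[int, int]:
    """Inverse of decode_fat_datetime; odd seconds are truncated, as FAT does."""
    fat_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    fat_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return fat_date, fat_time


# --- NTFS FILETIME (100-ns intervals since 1601-01-01 00:00:00 UTC) ---

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetime(filetime: int) -> datetime:
    """Decode an NTFS FILETIME into an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


# --- Interpreting a FAT reading under an assumed zone ---

def fat_to_utc(naive_local: datetime, utc_offset_hours: float) -> datetime:
    """Attach an assumed fixed UTC offset to a FAT reading and return the UTC instant.

    Every choice of offset is a different hypothesis about the original machine's
    clock; the bytes on the floppy cannot tell them apart."""
    assumed_zone = timezone(timedelta(hours=utc_offset_hours))
    return naive_local.replace(tzinfo=assumed_zone).astimezone(timezone.utc)


def infer_offset_hours(naive_local: datetime, reference_utc: datetime) -> float:
    """Given a FAT reading and an independently known UTC time for the same event,
    return the offset (hours east of UTC) the original clock must have been using."""
    delta = naive_local - reference_utc.astimezone(timezone.utc).replace(tzinfo=None)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: a directory entry encoding 2005-11-15 14:30:08 local time.
    sample_date, sample_time = 13167, 29636
    local_reading = decode_fat_datetime(sample_date, sample_time)
    print("FAT reading (no zone):", local_reading)
    for offset in (0, -5, -8):
        print(f"  assuming UTC{offset:+d}: {fat_to_utc(local_reading, offset)}")
    # Constructed reference: a witness/server says the save happened at 19:30:08 UTC.
    reference = datetime(2005, 11, 15, 19, 30, 8, tzinfo=timezone.utc)
    print("implied clock offset:", infer_offset_hours(local_reading, reference), "hours")
    print("FILETIME 116444736000000000 ->", decode_filetime(116444736000000000))
```

Under three plausible offsets the one FAT reading maps to three UTC instants five and eight hours apart, which is exactly why matching an answer key that was written in the scenario's local time requires no zone conversion at all. The `infer_offset_hours` step is the programmatic form of bj's advice to check the stamps against witness testimony: it needs a reference time from outside the floppy, and the result should be documented as an inference rather than as something read from the media.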
(@tvdavis)
Posts: 14
Active Member
Topic starter
 

Hello again,

Harlan: Thank you for the link! That was a very straightforward explanation of time stamps on both NTFS and FAT.

In fact, the explanation for timestamps under FAT provided in the article kind of explains my original problem. I was over-analyzing the situation, and assuming that since I did not have access to the original system, they would be expecting me to provide the proper time zone so that my time stamp results would match their expected results. My SOP is to select the local time zone from which the evidence was collected within my forensics tool (usually FTK) when adding new evidence to the case, but not to alter the forensic workstation's time zone. I just thought I was missing something since they provided the EXACT times I was supposed to end up with.

In a nutshell: I was confused. :)

bj:

Thank you for your help as well. I had a pretty good understanding of how the file systems worked, but not how to satisfy the requirements for the CCE example. I've taken your advice to heart, and will document everything extensively when I take the actual exam.

Thanks so much to you both!

TVD

 
Posted : 23/01/2006 5:40 am