Detection Of Backdating The System Clock In MacOS

by Oleg Skulkin & Igor Mikhaylov

Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research it. If we are talking about Windows system clock backdating there are a lot of information to help, for example, this SANS white paper by Xiaoxi Fan, but there is nothing about macOS.

Let’s start from macOS timestamps as they are very interesting and have a lot of evidentiary value. Let’s start from running mdls command on a sample file:

We must note that it’s not a simple file, it’s a Microsoft Word file, so it has even more timestamps than a regular file. If you start from the top of the figure, you may have noticed doc/docx-typical timestamps: content creation (kMDItemContentCreationDate and kMDItemContentCreationDate_Ranking) and content modification (kMDItemContentModificationDate). These timestamps are self-explanatory, so let’s go further.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Next timestamp is Date Added (kMDItemDateAdded), it’s date and time the file was added to the directory. There is also a date only timestamp – kMDItemDateAdded_Ranking.

Let’s continue with file system timestamps: content changed (kMDItemFSContentChangeDate) and created (kMDItemFSCreationDate) – pretty self-explanatory too, right?

As you may already noticed, there is another interesting timestamp – kMDItemInterestingDate_Ranking. Unfortunately, we are not able to tell you what exactly does it mean, but if you can, please post you suggestions in comments or Twitter!

Finally, there are two most valuable timestamps left: kMDItemLastUsedDate and kMDItemLastUsedDate_Ranking. These timestamps indicate the date and time or just date of file’s last usage.

As you can see, there is a huge number of timestamps in macOS, but as you still remember, we are going to talk about detecting of backdating the system clock in macOS.

This research has been conducted on the MacBook Air running macOS High Sierra (10.13.2).

/private/var/db/timed

If you are familiar with *nix systems, you might already guessed that timed is a macOS daemon watching the system time. Its configuration is stored in a plist file – com.apple.timed.plist under /private/var/db/timed. But if the system clock has been backdated, there is another com.apple.timed.plist file, this time under /private/var/db/timed/Library/Preferences. Its timestamps show you the exact date and time the clock has been backdated to! Look at the following figure:

As you can see, in our case the clock was backdated to 2016-11-01 09:16:51 (UTC). This piece of information may help you a lot in further search, for example, you can create a timeline with your favorite tool and look for user activity under this date.

/private/var/log/system.log

Of course, like event logs in Windows, logs in macOS, and, of course, system.log, will contain a good amount of evidence of the system clock backdating, here is an example:

As you can see in the figure, there is a very strange time change from January to November. And as we already know, our bad guys change the clock to this date, November 1.

/private/var/log/install.log

Another useful log file is install.log. It’s located in the same directory as system.log, but its timestamps are even better:

On the figure you can see clear evidence of backdating from 01/21/2018 to 11/01/2016.

/var/db/uuidtext/

If you are into macOS forensics, you know what this folder is – unified logs! Sarah Edwards has a nice post about this type of log, and these logs may be a source of backdating evidence too:

/.DocumentRevisions-V100/.cs/ChunkStoreDatabase

Another source of backdating artifacts is the ChunkStoreDatabase. It contains “chunks” used to store a file’s previous version data. Look at the following figure:

We are forensicating CSChunkTable. As you can see in the figure, the first record in the timeStamp column has “1516469407” value – it can be converted from Unix Epoch to human readable as Saturday, 20 January 2018 17:30:07 (UTC), but what about the second value? It’s “1477990845”, and can be converted to Tuesday, 1 November 2016 09:00:45 (UTC). Not good, right?

/Users/<username>/.bash_sessions

If you suspect has been using Terminal after backdating, you are likely to find some nice forensic artifacts under /Users/<username>/.bash_sessions:

The most interesting files here are those with .historynew extension, as they contain commands typed by the suspect in the backdated period. For example, C8CD29B6-87A1-4E02-B0F9-813E6EF05DA4.historynew has the following content:

ls -al /
cd /Users/
ls -al
cd olegskulkin/
ls -al

Timestamps

We think you have already guessed why we have started from macOS timestamps. If you know to which date and time the system clock have been backdated you can use timelining to find files and folders created, modified or used in this time period. Let’s look at Secrets.rtf:

As you can see it was created in September 2017, but it was used and its contents were modified in November 2016. We bet this file contains or contained very valuable evidence!

Summary

Despite the fact there is a lot of information online regarding detecting system clock backdating in Windows, there is no info about the same topic for macOS. With this research we have attempted to solve this problem. Of course, the list presented in this article isn’t full and may vary from version to version of macOS.

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...