Linux Timestamps, Oh boy!

by

Timestamps are critical for analysts; they usually deal with different filesystems and understanding how the file timestamps work on each is crucial to what they do.

If you do an online search for linux timestamps, you’ll get ton of information but the idea here is to put together different common file operations such as move, copy, download and their effect on timestamps. This can be a helpful guide for anyone who is trying to figure out what might have happened to a file based on timestamp analysis.

Abbreviations used throughout this article:

  • m – modify time
  • a – access time
  • c – change time
  • cr – creation time

For this article, the experiments were performed on a RHEL 6 Ext4 file system.

c time

Change time is the metadata change time. As the name indicates, it reflects the metadata modification of a file (e.g. chown, rename).


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

cr time

Creation time is one of the most critical timestamps for an analyst. Few points to keep in mind while searching for crtime in linux:

  1. Ext3 filesystem only supports three timestamps – m, a and c.
  2. Ext4 added the support to fourth timestamp that is cr time but the stat utility still shows only three timestamps.
  3. The most common timestomping technique noticed to be used by the attackers is making use of touch command as touch malicious_file -r existing_legit_file. This will create a file malicious_file with the m and a time  same as existing_legit_file. ma times can also be changed individually, for example,  touch -m -d ‘1 Feb 2007 10:31′ malicious_file; touch -a -d ’22 Jan 2008 11:09’ malicious_file.
  4. An analyst can view the crtime on Ext4 filesystem using debugfs, example: sudo debugfs -R “stat /home/user/malicious_file” /dev/vda | grep crtime <The mount point /dev/vda could vary in each case> (Reference 1)

On a side note, don’t confuse the ls -U option in RHEL with the one in OS X that shows the cr time.

In Linux, man ls

“ -U     do not sort; list entries in directory order”

In OS X, man ls

“-U      Use time of file creation, instead of last modification for sorting (-t) or long output (-l).”

a time

Access time appeared to be the most unreliable and unpredictable timestamp. It changes as you expect but once per file per some given time. After that, no matter how many times you perform the same or other operation on the same file that should change it, it doesn’t. A quick research said, access time changes once/day but this has not been tested here. (Reference 2)

Therefore, it is unwise to guess a file’s access operation (such as doing cat or GET on file) by looking at the access time. It was tested on Ubuntu 14.04.1 LTS, Ext4.

File Download – Wget vs Curl

  • Wget

Example: wget http://anysite.com/file

    1. Downloaded file preserved the m time.
    2. Downloaded file’s c time changed to the time when download operation is completed.
  • Curl

Example: curl –remote-name http://anysite.com/file

    1. Downloaded file did NOT preserve the m time.
    2. Downloaded file’s mc changed to the time when download operation is completed.

File Download/Upload – SCP

  • SCP from remote to local (downloading)
    1. Resulting downloaded file’s mac times change to the time when download operation is completed.
    2. The a time of the original file changes to the time when download operation is completed. (Note: same a time change rule applies – therefore it may or may not change)
  • SCP from local to remote (uploading)
    1. Resulting downloaded file’s mac times change to the time when upload operation is completed.
    2. The a time of the original file changes to the time when upload operation is completed. (Note: same a time change rule applies – therefore it may or may not change)

File Copy vs Move

  • Copying a file to a directory
    1. Inherits the ownership from the directory it is copied to.
    2. The file’s mac times change to the time when the file is copied.
    3. The directory’s mc times change to the time when the file is copied.
  • Moving a file to a directory
    1. Does not inherit the ownership from the directory it is copied to
    2. The file’s c time changes to the time when the file is moved.
    3. The directory’s mc times change to the time when the file is moved.

References

  1. http://unix.stackexchange.com/questions/91197/how-to-find-creation-date-of-file
  2. http://unix.stackexchange.com/questions/104207/file-access-time-not-updating-in-ubuntu-12-04

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
Si and Desi talk to Monica Harris, Project Business Manager at Cellebrite, about current eDiscovery challenges. They cover some of the reoccurring pain points customers experience during the integration stage, the difficulties of collecting mobile data for investigations, and the development of legal holds and how they influence digital forensic cases. This episode also touches on the role of machine learning in eDiscovery and how large amounts of data can be reformatted for the review stage of a case.

Si and Desi talk to Monica Harris, Project Business Manager at Cellebrite, about current eDiscovery challenges. They cover some of the reoccurring pain points customers experience during the integration stage, the difficulties of collecting mobile data for investigations, and the development of legal holds and how they influence digital forensic cases.

This episode also touches on the role of machine learning in eDiscovery and how large amounts of data can be reformatted for the review stage of a case.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_JuNuKXseh04

Cellebrite’s Solutions To Current eDiscovery Challenges

Forensic Focus 33 views 7th June 2023 12:05 pm

In this Oxycast webinar, Ryan, from the Oxygen Forensic Training team, discusses the evolution and impact of dating apps, with a focus on forensic analysis. Ryan also demonstrates how you can analyze popular dating applications using the Oxygen Forensic Detective software.

In this Oxycast webinar, Ryan, from the Oxygen Forensic Training team, discusses the evolution and impact of dating apps, with a focus on forensic analysis. Ryan also demonstrates how you can analyze popular dating applications using the Oxygen Forensic Detective software.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_90k-LHOjmcE

Dating Application Analysis

Forensic Focus 70 views 30th May 2023 12:07 pm

In this episode of the Forensic Focus podcast, Desi and Si discuss different online programming courses and what they think about the popular platform, Udemy. They also talk about Flipper, Dev boards, and Raspberry Pi, and delve into the fascinating phenomenon of running the classic game Doom on unlikely devices. Throughout the episode, Desi and Si share their digital forensics expertise, referencing some of the cases they have been working on and highlighting particular methodologies and technologies that have an impact on cybersecurity. Show Notes: 100 Days of Code: The Complete Python Pro Bootcamp for 2023 - https://www.udemy.com/course/100-days-of-code/ Domestika - https://www.domestika.org/en MIT OpenCourseWare - https://www.youtube.com/@mitocw MasterClass - https://www.masterclass.com/ Raspberry Pi 400 Complete Kit - https://core-electronics.com.au/raspberry-pi-400-kit.html Flipper Discord - https://discord.com/invite/flipper Flipper Zero - https://flipperzero.one/ This Programmer Figured Out How to Play Doom on a Pregnancy Test - https://www.popularmechanics.com/science/a33957256/this-programmer-figured-out-how-to-play-doom-on-a-pregnancy-test/ Here’s a dude playing Doom Eternal on his fridge - https://www.polygon.com/2020/10/13/21514933/doom-eternal-refrigerator-door-samsung-smart-refrigerator-xbox-game-pass-richard-mallard Doom hacker gets Doom running in Doom - https://www.pcgamer.com/doom-hacker-gets-doom-running-in-doom/ Doom Running On A Calculator Powered By Old Potatoes - https://kotaku.com/doom-running-on-a-calculator-powered-by-old-potatoes-1845374069 GoldenEra - https://www.imdb.com/title/tt11753760/ Racing the Beam - https://en.wikipedia.org/wiki/Racing_the_Beam High Score (TV series) - https://en.wikipedia.org/wiki/High_Score_(TV_series) Microcontroller Courses (Udemy) - https://www.udemy.com/topic/microcontroller/ The story of Final Fantasy XIV’s renegade do-good modders - https://www.pcgamesn.com/final-fantasy-xiv/ffxiv-modders-renegade-do-gooders Logical fallacies - https://yourlogicalfallacyis.com/

In this episode of the Forensic Focus podcast, Desi and Si discuss different online programming courses and what they think about the popular platform, Udemy. They also talk about Flipper, Dev boards, and Raspberry Pi, and delve into the fascinating phenomenon of running the classic game Doom on unlikely devices.

Throughout the episode, Desi and Si share their digital forensics expertise, referencing some of the cases they have been working on and highlighting particular methodologies and technologies that have an impact on cybersecurity.

Show Notes:

100 Days of Code: The Complete Python Pro Bootcamp for 2023 - https://www.udemy.com/course/100-days-of-code/

Domestika - https://www.domestika.org/en

MIT OpenCourseWare - https://www.youtube.com/@mitocw

MasterClass - https://www.masterclass.com/

Raspberry Pi 400 Complete Kit - https://core-electronics.com.au/raspberry-pi-400-kit.html

Flipper Discord - https://discord.com/invite/flipper

Flipper Zero - https://flipperzero.one/

This Programmer Figured Out How to Play Doom on a Pregnancy Test - https://www.popularmechanics.com/science/a33957256/this-programmer-figured-out-how-to-play-doom-on-a-pregnancy-test/

Here’s a dude playing Doom Eternal on his fridge - https://www.polygon.com/2020/10/13/21514933/doom-eternal-refrigerator-door-samsung-smart-refrigerator-xbox-game-pass-richard-mallard

Doom hacker gets Doom running in Doom - https://www.pcgamer.com/doom-hacker-gets-doom-running-in-doom/

Doom Running On A Calculator Powered By Old Potatoes - https://kotaku.com/doom-running-on-a-calculator-powered-by-old-potatoes-1845374069

GoldenEra - https://www.imdb.com/title/tt11753760/

Racing the Beam - https://en.wikipedia.org/wiki/Racing_the_Beam

High Score (TV series) - https://en.wikipedia.org/wiki/High_Score_(TV_series)

Microcontroller Courses (Udemy) - https://www.udemy.com/topic/microcontroller/

The story of Final Fantasy XIV’s renegade do-good modders - https://www.pcgamesn.com/final-fantasy-xiv/ffxiv-modders-renegade-do-gooders

Logical fallacies - https://yourlogicalfallacyis.com/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_5f72B6DD5wk

Programming Languages, Flipper And Gaming

Forensic Focus 74 views 24th May 2023 11:43 am

Load More... Subscribe

Latest Articles

Presentation On Video Evidence Principles At The European Parliament
News

Presentation On Video Evidence Principles At The European Parliament

ByAmpedSoftwareJun 8, 2023
Cellebrite’s Solutions To Current eDiscovery Challenges
Podcast

Cellebrite’s Solutions To Current eDiscovery Challenges

ByForensic FocusJun 7, 2023
ADF Solutions Announces Sponsorship And Speaking Session At Techno Security East
News

ADF Solutions Announces Sponsorship And Speaking Session At Techno Security East

ByadfsolutionsJun 6, 2023
Why DFIR Is The New Frontier Of Cybersecurity
News

Why DFIR Is The New Frontier Of Cybersecurity

ByBinalyzeJun 5, 2023
Magnet Forensics Now Offering Training In New Online Self-Paced Microlearning Format
News

Magnet Forensics Now Offering Training In New Online Self-Paced Microlearning Format

ByMagnetForensicsJun 2, 2023
Digital Forensics Round-Up, June 01 2023
News

Digital Forensics Round-Up, June 01 2023

ByForensic FocusJun 1, 2023
Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly