how to correct for multiple timezones in forensic image

xandstorm
(@xandstorm)
Trusted Member
Joined: 9 years ago
Posts: 61
Topic starter  

Hi guys,

Currently examining a forensic image in which multiple time zones are identified.

There are 2 user accounts configured:

1. a domain-related user account, and
2. a local device-related user account.

The current control set states the time zone offset is UTC -240.
However, there is also another time zone offset identified that states a UTC -480 offset.

My problem is that when correcting for the UTC -240 time zone, some timestamps make no sense at all, i.e. MAC times where the Accessed timestamp is earlier in time than the Created timestamp, or e-mails that were received before they were sent.

There are some indications that the domain-related user account is most likely associated with the UTC -240 offset and the local user with the UTC -480 offset. But this cannot be substantiated in a forensically sound manner.

When booting up the accounts in a VM, both time zones appear to be set to a UTC -240 time zone.

My question is whether anyone here has encountered a similar situation before, and whether it would be possible to link a specific time zone offset to a specific account in some way.

Thanks guys.

Rg,
Albert
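
One way to turn the "which offset belongs to which account" question into something testable, as an added example that is not from the thread or its participants: keep the artefacts that recorded UTC (NTFS FILETIMEs) apart from the ones that recorded wall-clock local time, convert the local ones under each candidate bias, and count causal orderings that break (a file opened before it was created, a logon after the file it produced). The two bias values 240 and 480 are the ones named in the post, read as Windows Bias/ActiveTimeBias minutes where UTC = local + Bias; the account labels, file names, timestamps and the FILETIME constants are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows keeps the zone under HKLM\SYSTEM\<ControlSet>\Control\TimeZoneInformation.
# Bias and ActiveTimeBias are unsigned DWORDs in minutes with UTC = local + Bias,
# so 240 means UTC-04:00, and zones east of UTC wrap around (0xFFFFFFC4 == -60 == UTC+01:00).
def bias_minutes(dword: int) -> int:
    """Reinterpret a registry DWORD as the signed bias in minutes."""
    return struct.unpack("<i", struct.pack("<I", dword & 0xFFFFFFFF))[0]


def bias_label(dword: int) -> str:
    """Human-readable UTC offset for a bias value, e.g. 240 -> 'UTC-04:00'."""
    minutes = bias_minutes(dword)
    sign = "-" if minutes > 0 else "+"
    return f"UTC{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """NTFS timestamps are 100 ns ticks since 1601-01-01 and are always UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def to_utc(event, bias_dword: int) -> datetime:
    """Normalise one recorded timestamp to UTC under a candidate bias."""
    kind, value = event
    if kind == "filetime":
        return filetime_to_utc(value)  # bias irrelevant: stored in UTC already
    if kind == "local":
        # the artefact wrote wall-clock local time; UTC = local + bias
        shifted = value + timedelta(minutes=bias_minutes(bias_dword))
        return shifted.replace(tzinfo=timezone.utc)
    raise ValueError(f"unknown timestamp kind {kind!r}")


# Constructed sample (hypothetical, not from the image in the thread):
# (account, description, earlier_event, later_event). Each pair is a causal
# ordering that must hold if the timestamps are interpreted correctly.
SAMPLE_PAIRS = [
    ("domain", "interactive logon before report.docx was created",
     ("local", datetime(2019, 3, 10, 11, 0)),
     ("filetime", 131967054000000000)),            # 2019-03-10 15:30:00Z
    ("domain", "report.docx created before it was opened",
     ("filetime", 131967054000000000),
     ("local", datetime(2019, 3, 10, 12, 15))),
    ("local", "budget.xlsx created before it was opened",
     ("filetime", 131967954000000000),             # 2019-03-11 16:30:00Z
     ("local", datetime(2019, 3, 11, 9, 0))),
    ("local", "logon before budget.xlsx was created",
     ("local", datetime(2019, 3, 11, 8, 0)),
     ("filetime", 131967954000000000)),
]

CANDIDATE_BIASES = [240, 480]  # the two offsets found in the image, in minutes


def ordering_violations(pairs, bias_dword: int) -> list:
    """Descriptions of pairs that end up out of order under the candidate bias."""
    return [desc for _, desc, earlier, later in pairs
            if to_utc(earlier, bias_dword) > to_utc(later, bias_dword)]


def pairs_for(account: str) -> list:
    return [p for p in SAMPLE_PAIRS if p[0] == account]


def biases_consistent_with(account: str) -> list:
    """Candidate biases not contradicted by any ordering constraint for the account."""
    return [b for b in CANDIDATE_BIASES
            if not ordering_violations(pairs_for(account), b)]


if __name__ == "__main__":
    for account in ("domain", "local"):
        for bias in CANDIDATE_BIASES:
            bad = ordering_violations(pairs_for(account), bias)
            status = "consistent" if not bad else "contradicted by: " + "; ".join(bad)
            print(f"{account:6s} {bias_label(bias)} ({bias:3d} min): {status}")
```

Two caveats apply when using this on real artefacts. A bias that produces no violations is merely not contradicted, never proven; the test only falsifies candidates, so it is worth documenting the pairs used and the sources of each timestamp. Also, TimeZoneInformation is a per-machine setting, not a per-user one, so two active biases on one device mean the setting changed over time (or the artefacts came from another host); comparing the key across ControlSet001/ControlSet002, registry backups or volume shadow copies is the place to look for when. NTFS timestamps themselves are stored in UTC, so a comparison between two FILETIMEs is unaffected by any bias.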

Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
 

> Hi guys,
>
> Currently examining a forensic image in which multiple time zones are identified.

"Daylight time savings" (should be the correct English term AFAIK) might be the solution for your problem. Where is the DC geographically located, and where is the client?

best regards,
Robin

xandstorm
(@xandstorm)
Trusted Member
Joined: 9 years ago
Posts: 61
Topic starter  

Hi Robin,

Thank you for your feedback.

Both DC and client are physically located in the Atlantic Standard Timezone (Caribbean region).

It is the DC-related user account that is most likely associated with the UTC -240 time zone, and the local user account is most likely associated at some point in time with the UTC -480 time zone. But like I mentioned before, I cannot substantiate that in a forensically sound manner at this point in time.

There is no DST offset applicable to the Caribbean region, and the time discrepancies also far exceed any plausible DST offset.

It is really awkward, and I'm seriously looking into the possibility that this is a forged and/or manipulated disk image.

I really see no other option for a single device having more than 1 time zone setting offset.

Rg,
Albert
