Hey,
I hope you have the patience to read my post and answer the questions, as I am just starting out learning this stuff and do not have any practical experience yet.
I am studying digital forensics at the moment and I am practicing on some images. The current image I am looking at has 3 partitions: Partition 1, 1.9GB; Partition 2, 100Mb; Partition 3, 29GB. I am trying to create a timeline based on when the OS was installed, when it was last turned on/shut down, when it was last logged in, connected to a network, etc. etc.
Q1. I am looking at Partition 3 now and in the InstallDate registry key it says the install date = 0x528A0FBB (1384779707), which is Mon, 18 November 2013 @ 13:01:47 UTC (used DECODE to get this, have not verified with manual results).
Image of registry value http//
While the $boot, $logfile and $mft timestamps all have a creation date 7 hours ahead of the above time, at 18/11/2013 @ 20:33:50 (calculated manually and based on the system's clock set at GMT Standard Time).
Image of $ files timestamp http//
I would have thought that the InstallDate registry key value and the $ files timestamps should be the same? Or am I not understanding this correctly? It is confusing me and preventing me from getting the start of my timeline correct.
Q2. What is the significance of there being multiple $MFT, $LogFile and $boot files all dated in 2005 with the same timestamp? I know the red X signifies the files are non-recoverable, but I do not know why the image would have multiple copies displayed.
Q3. If according to registry keys the last login time was more recent than the last shutdown time of the machine, would I be right in saying that the computer was not shut down properly (i.e. the power cable was plugged out), therefore the registry did not have time to update?
Best Regards
Nirnias (hopefully a future forensics specialist)
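An added example (not part of the original post) that does the manual verification mentioned in Q1: InstallDate is a DWORD of seconds since the Unix epoch, while NTFS creation times are 64-bit FILETIME values (100 ns ticks since 1601), so the two can only be compared once both are decoded to UTC. The $MFT FILETIME below is a constructed sample built from the 20:33:50 time quoted in the post, not a value read from the image.

```python
from datetime import datetime, timedelta, timezone

# InstallDate is a REG_DWORD holding seconds since the Unix epoch (1970-01-01 UTC).
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# NTFS stores $STANDARD_INFORMATION times as FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def installdate_to_utc(value: int) -> datetime:
    """Decode an InstallDate DWORD (Unix seconds) into an aware UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=value)


def filetime_to_utc(ticks: int) -> datetime:
    """Decode a 64-bit FILETIME into an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(moment: datetime) -> int:
    """Encode an aware UTC datetime as FILETIME; used here only to build the sample below."""
    delta = moment - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def gap_seconds(earlier: datetime, later: datetime) -> int:
    """Whole seconds from `earlier` to `later` (negative if `later` comes first)."""
    delta = later - earlier
    return delta.days * 86400 + delta.seconds


# Value read from the registry screenshot in the post (0x528A0FBB == 1384779707).
INSTALL_DATE = 0x528A0FBB
# Constructed sample: a FILETIME for the $MFT creation time quoted in the post,
# 18 Nov 2013 20:33:50 UTC (a real image would give the raw 64-bit value instead).
MFT_CREATED = utc_to_filetime(datetime(2013, 11, 18, 20, 33, 50, tzinfo=timezone.utc))


def compare(installdate: int, mft_filetime: int) -> dict:
    """Put both artefacts in UTC and report how far apart they are."""
    installed = installdate_to_utc(installdate)
    mft = filetime_to_utc(mft_filetime)
    secs = gap_seconds(installed, mft)
    return {
        "installdate_utc": installed.isoformat(),
        "mft_created_utc": mft.isoformat(),
        "gap_seconds": secs,
        "gap_hours": round(secs / 3600, 2),
    }


if __name__ == "__main__":
    for key, val in compare(INSTALL_DATE, MFT_CREATED).items():
        print(f"{key:>16}: {val}")
```

Because the decode is done in UTC on both sides, any difference the tool shows cannot be a timezone display artefact; the gap is really there in the data and needs a file-system explanation.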
When posting questions that are related to a homework assignment, it is polite to be a bit more explicit as such. Teachers can get really mad if you go to Forensic Focus to have others do your homework for you. Some users of Forensic Focus don't want any homework questions at all, and may get mad as well.
That said, here are some tidbits to think about. I won't give you the answers, obviously, but a kick in the right direction may be helpful.
Q1 Are NTFS metadata files only created when the OS is installed? If they aren't, what would you expect to see?
Q2 Your second screenshot is not viewable, so I got nothing here.
Q3 Rather than answer this, my advice is to just test it. Computer forensics is a scientific discipline. You have a theory, now test it. Boot up a computer (or VM), log in, pull the plug, and analyze the relevant timestamps. Then try a normal login and shutdown, and analyze the relevant timestamps.
Thank you for your reply and advice. The forensic focus forum was mentioned by our lecturers and we were encouraged to sign up for it. And we were told that a lot of them read the forums regularly so I am not trying to get help doing an assignment and try to circumvent what I am supposed to learn. My lecturers that would usually steer me in the right direction with this are unavailable until next week and my posts in the class forum have gone unanswered.
Hence why I came here. The timeline is just the very start; I have already found a lot of relevant stuff and written up a report. I only asked about what I have been stuck on since last Tuesday to ensure the start of the timeline was accurate.
I thank you for your helpful input and hopefully it will aid me in figuring this out.
I would have thought that the InstallDate registry key value and the $ files timestamps should be the same? Or am I not understanding this correctly?
In what situations is the InstallDate set? List *all* occasions. (Think normal install, re-install, upgrade, re-format, … and so on)
When are the timestamps of the three files set? Again, list *all* occasions.
Is there any combination of occasions that fit your scenario? If several, list them in order of likelihood, assuming 'normal' operations.
Q2. What is the significance of there being multiple $MFT, $LogFile and $boot files all dated in 2005 with the same timestamp? I know the red X signifies the files are non-recoverable, but I do not know why the image would have multiple copies displayed.
What *could* be the significance? What hypothetical sequence of operations would or could produce the result you're seeing? (First, ignore the results from Q1, and consider the problem entirely on its own. Second, take the Q1 results into account – assuming you refer to the same file system, of course.) Next, how do you test those hypotheses? (If you can't test them … they remain hypotheses, which may be little but guesses based on experience.)
Q3. If according to registry keys the last login time was more recent than the last shutdown time of the machine, would I be right in saying that the computer was not shut down properly (i.e. the power cable was plugged out), therefore the registry did not have time to update?
What assumptions are you working under? (One seems to be that you assume that you're looking at true data.) Can you verify those assumptions? Or don't you need to?
Repeat as before: consider each single piece of evidence, and list the situations that a) cause it to be set correctly, and b) fail to set it correctly, leaving 'old' evidence in place. Then, put it all together, and see if it still makes sense. (Query: Have you considered the possibility that you're looking at a live image instead of a post-mortem one? Perhaps you know which it is – in that case, consider the possibility that whoever gave you the image may not have the correct information … which unfortunately happens occasionally in real life.)
As for your hypothesis about computer not being shutdown properly … can you test that hypothesis? What other traces would such an event cause? Are any of them present here? (You clearly can't include 'inconsistency between last shutdown and last login' here, right?)
(This is more of an educational approach than a practical approach; most FAs have worked through possible scenarios, and rarely need to do it again unless things have changed since then – such as the release of a major version of the OS platform or similar.
Added: anyone faced with trying to answer these kinds of questions or test hypotheses or other ideas is helped a lot by having throw-away systems or virtual computers. But first list *all* circumstances that will or may lead to a virtual computer producing different results for such tests than a real one. … and I think you get the idea …)
Just for the record, the "second image" is just a malformed link; here it is fixed:
http//
Whilst the first one is clearly a view of *any* registry editor/viewer, which program does the second screenshot come from?
With all due respect, you could post a larger image (less cropped if you prefer) and with columns set to better show the data, besides posting info about the actual program used.
jaclaz
@athulin Thank you very much for your detailed post. It all made logical sense to me and now allows me to think in a different way to understand the problem.
@jaclaz Thank you for fixing the malformed link. It was late last night and I was in bed when I replied first, and I had a very busy day today with practical investigations and interview techniques, so I never got a chance to fix it. Regarding the software I was using, yes, I do apologise. I normally crop photos because I am not a fan of posting on a forum and having large images attached to the post, but in this case I see now that the more data available, the easier it is to assess how best to answer questions. In this case I was using X-Ways Forensics for the second image, and the first image came from the inbuilt registry viewer in X-Ways.