Timestamps are a critical part of forensics. It takes a skilled forensicator to examine all pertinent data available to them in order to find key evidence and provide an accurate timeline of events. The timestamps we will be discussing are the MACB timestamps.
- M – Modified Time
- A – Accessed Time
- C – Metadata (MFT) Changed Time
- B – Born Time (created)
Some may think that there is only a single timestamp to rely on, but a key thing to remember is that there are multiple timestamps, and they should all be taken into consideration within digital forensics. Used in combination, the available timestamps are far more powerful than any single timestamp on its own. We will go through some examples later in the article.
Why would you be interested in timestamps? Timestamps are a critical piece in digital forensics used for timelining, identifying the first time of compromise, identifying timestomping activity, and a plethora of other important things.
How times are stored is also important to understand. NTFS stores four significant times for files and directories, the MACB times mentioned above. NTFS stores dates as the number of 100 ns intervals since January 1, 1601. ExFAT also stores timestamps in UTC. FAT stores times in local time. For example, 5 PM EST would also be 5 PM PST. Ext2/3 store time in the Epoch format, starting from 12:00 AM January 1, 1970.
Believe it or not, there are other places that you’ll find timestamps. The $File_Name and $Standard_Information attributes also store timestamps.
The $File_Name attribute contains forensically interesting bits, such as MACB times, file name, file length and more. Its timestamps are only updated when the attribute is changed. Files can have either one or two $File_Name attributes depending on how long the file name is. Short file names (“file.txt”) have only one $File_Name attribute. Long file names (“extremelylongfilename.txt”) will have two $File_Name attributes: one for the long file name, and one for the DOS-compatible short name (EXTRE~1.TXT). Below is a list of rules that pertain to the $File_Name attribute, thanks to SANS:
The $Standard_Information attribute also contains forensically interesting bits, such as MACB times, file owner information, security ID and more. Below is a list of rules that pertain to the $Standard_Information attribute, also thanks to SANS:
When adversaries compromise your systems, they may attempt to timestomp files. Timestomping is the modification of timestamps in order to skew dates/times and throw off the investigator. This is where the $File_Name and $Standard_Information times come into play. If the $Standard_Information times occur before the $File_Name times, there is a possibility that timestomping has occurred. A good tool to use would be the istat tool from the sleuthkit to compare file times. Below is an example output from the istat tool:
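The $Standard_Information versus $File_Name comparison described above, combined with the NTFS encoding of 100 ns intervals since January 1, 1601, as an added Python example (not from the original article and not istat output). It assumes the raw 8-byte timestamp values have already been extracted from each attribute; the file names, the `record` helper and all sample times are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("modified", "accessed", "changed", "born")  # M, A, C, B


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian count of 100 ns intervals since 1601-01-01."""
    (ticks,) = struct.unpack("<Q", raw)
    # Integer division avoids float rounding; datetime resolves to microseconds.
    return NTFS_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(when: datetime) -> bytes:
    """Inverse conversion, used here only to build the constructed samples."""
    delta = when - NTFS_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return struct.pack("<Q", seconds * 10_000_000 + delta.microseconds * 10)


def si_before_fn(si: dict, fn: dict) -> list:
    """List the MACB fields whose $Standard_Information time is earlier than
    the matching $File_Name time (the possible-timestomping pattern)."""
    return [f for f in FIELDS if filetime_to_utc(si[f]) < filetime_to_utc(fn[f])]


def record(m: str, a: str, c: str, b: str) -> dict:
    """Build one attribute's raw MACB values from ISO strings taken as UTC."""
    stamps = (datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in (m, a, c, b))
    return dict(zip(FIELDS, map(utc_to_filetime, stamps)))


# Constructed sample records (hypothetical file names, not from a real image).
SAMPLES = {
    # Normal file: $SI times equal to or later than $FN times.
    "report.docx": (
        record("2023-06-20 11:00:00", "2023-06-21 08:15:00", "2023-06-20 11:00:00", "2023-06-14 09:30:00"),
        record("2023-06-14 09:30:00", "2023-06-14 09:30:00", "2023-06-14 09:30:00", "2023-06-14 09:30:00"),
    ),
    # $SI set back to 2009 while $FN still holds the 2023 creation time.
    "dropped.exe": (
        record("2009-07-14 01:14:00", "2009-07-14 01:14:00", "2009-07-14 01:14:00", "2009-07-14 01:14:00"),
        record("2023-06-18 22:41:07", "2023-06-18 22:41:07", "2023-06-18 22:41:07", "2023-06-18 22:41:07"),
    ),
}

if __name__ == "__main__":
    for name, (si, fn) in SAMPLES.items():
        hits = si_before_fn(si, fn)
        print(name, "->", ", ".join(hits) if hits else "consistent")
```

A non-empty result is a lead to examine alongside the rest of the timeline, matching the article's wording that timestomping is a possibility rather than a certainty.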
Beyond the individual timestamps, putting them all together into a timeline, or supertimeline, can yield some amazing information. To create a timeline, you could use fls from the sleuthkit to create a text file. Below is an example output:
Then you can take the text file created by fls and use mactime (another sleuthkit tool) to create a timeline. Mactime also has the option to add in a date range if you are targeting a specific timeframe. The format for the date range is as follows: yyyy-mm-dd..yyyy-mm-dd. Below is a sample output from the mactime tool:
If you want even more information in your timeline for a more granular look into what happened on a system, you can create a supertimeline with Log2Timeline. There are a plethora of different flags to use. There are also modules you can use to include/exclude certain files within your supertimeline. Creating a supertimeline can take a lot of time to process, but if you have the time, the output is extremely useful.
If you were interested in finding IE History, you could run the following command: log2timeline -r -z EST5EDT -f iehistory /path-to/History.IE5 -w timeline.csv
If you were examining a shared Windows XP machine and the user you were investigating only uses Internet Explorer, but the others use Firefox, you could use the following command to exclude Firefox: log2timeline -p -r -f winxp,-firefox -z EST5EDT /mnt/windows_mount -w timeline.csv.