Chapter 30. Computer Time Artifacts (MAC Times)

Information in this chapter:

• Computer file system time stamps
• Fundamental issues in forensic analysis of timeline
• Created, modified, accessed
• The bottom line

Computer time stamps play a role in many cases, both civil and criminal. Computer time artifacts are undoubtedly one of the most important forms of digital evidence. They play a critical role when establishing a timeline for a body of evidence for any case where time is important. If the case involves an alibi, computer time artifacts can be used as part of a body of evidence to negate or validate the alibi claims. If the case involves data theft, computer time artifacts can be used to help determine when the alleged theft occurred.
The purpose of this chapter is to familiarize you with the complexity of interpreting the date and time stamps recorded by computer operating systems and applications. To completely cover the subject of computer time stamps would require an entire technical book.

Keywords

Time Stamps, MAC Times, Modified, Accessed, Created, Time Zones

Introduction

Computer time artifacts are undoubtedly one of the most important forms of digital evidence. They play a critical role when establishing a timeline for a body of evidence for any case where time is important. If the case involves an alibi, computer time artifacts can be used as part of a body of evidence to negate or validate the alibi claims. If the case involves data theft, computer time artifacts can be used to help determine when the alleged theft occurred. Furthermore, computer time artifacts are used extensively when attempting to prove or disprove user attribution. This form of evidence is arguably the most important when it comes to placing someone at a computer at a given time. While computer time artifacts are extremely valuable as evidence, they are also very complicated. There are numerous exceptions and variables when it comes to interpreting this type of evidence, and incorrect interpretations can lead to serious mistakes when coming to a conclusion based on computer time artifacts. These artifacts are most commonly called MAC times, which stands for Modified, Accessed, and Created. However, some file systems record four dates including the additional last written date. E-mail time stamps can also be confusing unless you are careful in the interpretation of the method of recording the time and the correct time zone of the time stamp record.
The purpose of this chapter is to familiarize you with the complexity of interpreting the date and time stamps recorded by computer operating systems and applications. To completely cover the subject of computer time stamps would require an entire technical book.

30.1. Computer file system time stamps

While you would think it would be a straightforward process to look at the dates and times recorded for a file and to know that those date and times accurately reflect when the file was created, modified, or accessed, that just simply is not the case. The reason for this dilemma is that different operating systems record these dates and times in different ways. For instance, older operating systems like Windows 98 and Windows XP record dates differently than Windows 7.

30.2. Fundamental issues in forensic analysis of timeline

One of the easiest and most common mistakes made in the forensic analysis of computer-generated time stamps is failing to check whether the computer clock that created the time stamps is accurate, or failing to identify correctly the offset between the local time of that clock and the time zone in which the time stamp is recorded.
Depending on the device, be it a GPS unit, a computer, an e-mail server, a digital camera, or a web server at an Internet Service Provider, the date and time may be recorded in different formats and with different default time zones.
• Time Zones and Time Formats
• The most fundamental mistake an examiner can make is to forget to check the clock setting on a computer or other device he is examining to see what time zone it is set for and how accurate the current time on the device clock is at the time of the examination. This is a simple task: record the time the computer or device thinks it is by checking its real time clock (RTC), and compare that time to a reliable outside time source such as a cell phone. Computer or device clocks can be off by minutes to months, and failing to perform this basic test can lead to incorrect interpretation of any timeline that depends on the device’s clock being accurate.
• When an examiner receives records from a third-party source for analysis, the time zone of the recording party must be taken into account. For instance, many record keepers do all of their time stamps in their local time zone, independent of the time zone of where the record was created, or in Greenwich Mean Time (GMT). In a case from many years ago, analysis of the account creation time from Microsoft’s Hotmail service was a factor in determining premeditation in a death penalty case. At the time, Microsoft recorded the creation time of Hotmail accounts in GMT. The task at hand was to determine the exact creation date and time for an e-mail account. On the one hand, the date and time was from Microsoft in GMT. On the other hand, the account creation happened three years prior to the trial, so the second task was to determine the correct time offset from GMT on that particular date, which included determining if the date was in Eastern Standard or Eastern Daylight Time.
• In another case, there was a dispute as to when an e-mail originated. What the previous examiner failed to note was that the e-mail server where the e-mail was processed and stamped was located in Arizona, where clocks are not changed for Daylight Saving Time. This made the e-mail appear to have been sent an hour earlier than it actually was.
• The Energy Policy Act of 2005 changed Daylight Saving Time in the United States, extending the period by four weeks beginning in 2007. For devices that were in service before the 2007 change, care must be taken to confirm that the device was updated for the extended daylight saving period and that it was properly set.
• In international cases, the examiner must be aware that other areas of the world have their own daylight saving rules and transition dates. In 1996, the European Union standardized European Summer Time.
• Different operating systems and devices record time in different formats, making the correct calculation of the time difficult in some instances.
• Epoch Time Format: Epoch or UNIX/POSIX time format is based on the number of seconds since January 1, 1970, not counting leap seconds. If a device or program uses epoch time for recording time stamps, the examiner must calculate the correct local time in human-readable format. This format is found in some GPS devices and also on devices that use the UNIX or Linux operating system.
• Zulu Time: Many devices record time stamps in Zulu time, which refers to the time at the prime meridian. Zulu time is also known as GMT. However, GMT has been replaced by Coordinated Universal Time (UTC), which takes into account the variations in the rotation of the earth. When a time is recorded in Zulu, the examiner must make certain that the correct local time is calculated based on whether Standard or Daylight Saving Time was in effect, to determine the correct offset from UTC. For instance, Eastern Daylight Time is UTC minus 4 hours.
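As an added illustration of the offset and rule-change problems listed above (example code written for this chapter, not the author's), the Python below converts epoch or Zulu (UTC) time stamps to local time using the pre-2007 and post-2007 US daylight saving rules, treats Arizona as a zone with no daylight saving, and applies a clock skew measured against a reference clock. The two-zone table and the limitation to the 1987-and-later US rules are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed table for this example: standard UTC offset in hours and whether the
# zone observes US Daylight Saving Time. Arizona (Phoenix) stays on standard time.
ZONES = {
    "America/New_York": (-5, True),
    "America/Phoenix": (-7, False),
}

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (n = -1 selects the last Sunday)."""
    if n > 0:
        first = datetime(year, month, 1)
        first += timedelta(days=(6 - first.weekday()) % 7)   # roll forward to Sunday
        return first + timedelta(weeks=n - 1)
    last = datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)  # roll back to Sunday

def us_dst_active(local_std):
    """Is US DST in effect at this local *standard* time? From 2007 (Energy Policy
    Act of 2005) DST runs from the second Sunday in March to the first Sunday in
    November; for 1987-2006 it ran from the first Sunday in April to the last Sunday
    in October. Earlier rules are not modelled (an assumption of this example).
    Clocks move at 02:00 standard time in spring and 01:00 standard time in autumn."""
    y = local_std.year
    if y >= 2007:
        start, end = nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)
    else:
        start, end = nth_sunday(y, 4, 1), nth_sunday(y, 10, -1)
    return start + timedelta(hours=2) <= local_std < end + timedelta(hours=1)

def utc_to_epoch(text):
    """'YYYY-MM-DD HH:MM:SS' in UTC (Zulu/GMT) -> POSIX seconds; leap seconds ignored."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return int(naive.replace(tzinfo=timezone.utc).timestamp())

def epoch_to_local(epoch, zone):
    """POSIX seconds -> (naive local datetime, True if DST was in effect)."""
    std_off, observes_dst = ZONES[zone]
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)
    local_std = utc + timedelta(hours=std_off)
    dst = observes_dst and us_dst_active(local_std)
    return local_std + timedelta(hours=1 if dst else 0), dst

def correct_for_clock_skew(epoch, rtc_reading, reference_reading):
    """Shift a device time stamp by the offset measured at examination time between
    the device's real time clock and a trusted reference clock (POSIX seconds)."""
    return epoch + (reference_reading - rtc_reading)
```

Running `epoch_to_local` on a GMT stamp from 20 March 2007 gives 08:00 EDT in New York under the new rule (the old rule would have given 07:00 EST) and 05:00 in Phoenix; two GMT stamps an hour apart on the 2004 fall-back night both read 01:30 locally, which is exactly the EST-versus-EDT question raised in the Hotmail case above.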

30.3. Created, modified, accessed

The most relied upon and most misunderstood part of many forensic examinations is the time stamps associated with the created, modified, and last accessed date recorded for files and folders on a computer hard drive. The following sections discuss these time stamps and how the interpretation of the time stamp is dependent on many factors. Simply pointing at a particular time stamp and making a claim about its connection to a timeline for a piece of evidence would be a mistake without properly interpreting how the time stamp was created.
Created Time Stamp. The created date for a file is recorded when a file is first created locally on a file system. However, the created date for that same file can be changed by different operations performed on the file. Here are some examples:
• If the file is copied to a new hard drive or storage device like a USB stick, the creation date on the new location will change to the current date and time that the file was copied.
• If the file is downloaded from a peer-to-peer networking service such as LimeWire or FrostWire, the created date will be the date and time the file started to download.
• In Windows 7, if a file is copied from one folder to another on the same hard drive, the created date in the folder will be the date the file was copied.
• However, if the operating system is Windows XP, the created date for the file in the new folder will be the same as the original created date and time. In Windows XP, the folder itself will have a created date and time of when the folder was created.
• In both Windows 7 and Windows XP, if you burn a file to a CD, the created date will be retained in its original state.
Modified Time Stamp. The modified time stamp indicates when a file is changed in some manner and records the date and time of that change when the file is saved to a device or hard drive. Here are some examples:
• In Windows 7, if a file is modified and saved, the entry modified date will change to the current date and time of the local computer.
• In Windows 7, accessing a file will change the entry modified date if the file is viewed in EnCase forensic software. However, the last accessed date will not be changed.
• If a CD-ROM is viewed in EnCase forensic software, the time stamps for the last modified date would not be apparent. However, if in EnCase, the file is added to a case by dragging it from the CD-ROM to the EnCase software, the last modified date will appear and will match the actual date and time the file was burned to the CD-ROM, provided that the CD-ROM was burned using Windows 7. If the file was burned in Windows XP, this will not occur.
Last Accessed Time Stamp. In theory, the last accessed time stamp should indicate when the file was last viewed. However, in many cases this time stamp will not change if a file is opened and then closed without making any changes to the file. This is because, when Windows is using the NTFS file system, it does not immediately write changes in file system time stamps to the disk. In the NTFS file system, Windows will write the last accessed time to disk only when the time currently recorded on disk differs by one hour or more from the last accessed time held in memory. If the computer is shut down within that one-hour delay, the last accessed date will not be updated on the hard drive. Another way this time stamp can be misinterpreted is by assuming that it indicates the last time a person opened the file; other operations update it as well:
• When a file is deleted, it is accessed by the file system to perform the deletion and the last accessed time stamp is updated.
• Some types of antivirus programs will access a file in the process of scanning the file for viruses. They can change the last accessed time stamp to the date of the last virus scan.
• Creating a backup of a file using some backup software programs can change the last accessed time stamp.
• When a file is printed, the last accessed time stamp can be updated.

30.4. The bottom line

Time stamps are not the final authority as to when something occurred. However, they can be critical if correctly interpreted by the examiner. To do so, the examiner must understand the different ways that time stamps are recorded by different computer operating systems, file systems, and devices. The examiner must also understand what operation was being performed that may have changed the time stamp and how that operation would affect the recording of the time stamp. Simply noting that a time stamp is present on a file or in a record is not sufficient; failing to analyze it completely can lead to an incorrect analysis of the timeline in a case.
It is critically important that the examiner be well versed in how time stamps are modified and under what circumstances if the interpretation of the data is to be of any value. Also, the examiner must understand the nuances of the different operating systems and file systems and how each of them handles time stamps; otherwise, their interpretation could be completely wrong.

Summary

In this chapter we looked at the value of time stamps in the analysis of electronic evidence. We also looked at some of the many ways a time stamp can be affected by different operating systems, file systems, and devices. We learned that while time stamps are a critical part of the forensic analysis of electronic evidence, proper interpretation of time stamps is more complex than simply taking the time stamp at face value.