PaulDotCom mailing list archives
Forensic Timestamps Question
From: jake at nic.umass.edu (Jake Cunningham)
Date: Thu, 01 Oct 2009 08:42:00 -0400
That's an interesting one. I prefer to use the sleuthkit rather than "ls" to analyze filetimes. Try installing sleuthkit and run the following commands to get timestamp information.

For this example I'm making the assumption that your analysis system is Linux, the disk you are analyzing is NTFS, it shows up as /dev/sdc1 on your analysis station, and the native timezone of the files on the disk is EST5EDT.

# get the "inode" of the file
$ ls -i sdra64.exe

(for the sake of example, I made up a result of inode 4571362 used below)

# List the inode attributes (as root) using sleuthkit "istat"
$ istat -f ntfs -z EST5EDT /dev/sdc1 4571362 | less

The results of this command should display (among other things) the following attributes.

Created:
File Modified:
MFT Modified:
Accessed:

Post the results of the istat command and we'll see what that says for timestamps.

-Jake

Ben Greenfield wrote:
I'm doing a forensic analysis of a Zeus/Zbot infection for a client. I came across something kind of interesting that I didn't initially notice, and I'm hoping that someone can confirm or blow away a thought I just had. Here is some backup information:

~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe

~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe

For argument's sake let's assume that the timestamps are accurate and that the malware isn't modifying its creation timestamp (which I wonder about because of 2009-02-09 and 2009-09-02 having numbers swapped). If I'm not mistaken the -0400 and -0500 refer to offset from Greenwich Mean Time. If that's the case, is it fair for me to assume that -0500 indicates that the computer which created the malware was configured with a different timezone than the one which was infected?

Thanks, I look forward to people with more experience than saying smart stuff now :)
--
* - - - - * - - - - * - - - - * - - - - * - - - -* - - - - *
Jake Cunningham
Lead Information Security Analyst
University of Massachusetts
Amherst, MA
(413) 577-0890
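Jake passes -z EST5EDT to istat because the offset a tool prints depends on the date as well as the configured zone. As an added example (not part of the thread, and not sleuthkit code), the script below parses the two ls --full-time lines quoted in Ben's message, converts each to UTC, and checks whether the offset shown is what a single EST5EDT clock would produce on that date; the DST rule is hand-coded under the assumption that all dates are 2007 or later.

```python
import re
from datetime import datetime, timedelta, timezone

# The two ls --full-time lines quoted in Ben's message (copied from the thread).
LS_LINES = [
    "-rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe",
    "-rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe",
]
LS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ([+-])(\d{2})(\d{2}) (\S+)$")

def parse_ls_full_time(line):
    """Return (filename, aware datetime) from a GNU `ls --full-time` line."""
    m = LS_RE.search(line)
    if m is None:
        raise ValueError("not a --full-time line: %r" % line)
    stamp, sign, hh, mm, name = m.groups()
    off = timedelta(hours=int(hh), minutes=int(mm))
    if sign == "-":
        off = -off
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return name, local.replace(tzinfo=timezone(off))

def nth_sunday(year, month, n):
    """Date of the n-th Sunday of the given month (weekday(): Monday=0, Sunday=6)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def est5edt_offset(utc_dt):
    """UTC offset of EST5EDT at a UTC instant under the post-2007 US rule:
    DST from 07:00 UTC on the 2nd Sunday of March to 06:00 UTC on the 1st
    Sunday of November (assumption: year >= 2007)."""
    start = nth_sunday(utc_dt.year, 3, 2).replace(hour=7, tzinfo=timezone.utc)
    end = nth_sunday(utc_dt.year, 11, 1).replace(hour=6, tzinfo=timezone.utc)
    return timedelta(hours=-4) if start <= utc_dt < end else timedelta(hours=-5)

def check_offset(line):
    """Return (utc_string, offset_shown_hours, offset_est5edt_hours, consistent).
    consistent=True means the offset ls printed is exactly what one EST5EDT
    clock gives on that date, i.e. the difference is DST, not a second zone."""
    _, local = parse_ls_full_time(line)
    utc_dt = local.astimezone(timezone.utc)
    shown, expected = local.utcoffset(), est5edt_offset(utc_dt)
    return (utc_dt.strftime("%Y-%m-%d %H:%M:%S UTC"),
            shown.total_seconds() / 3600, expected.total_seconds() / 3600,
            shown == expected)

if __name__ == "__main__":
    for line in LS_LINES:
        print(check_offset(line))
```

Comparing the UTC values rather than the local strings is the safer habit in a timeline, since both of Ben's lines come out consistent with one zone once DST is accounted for.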
Current thread:
- Forensic Timestamps Question Jake Cunningham (Oct 01)
- Re: Forensic Timestamps Question signupjar at gmail.com (Oct 01)
- Forensic Timestamps Question Carlos Perez (Oct 01)