
Wrinkle in Time


vgibbons

Presentation Transcript


  1. Wrinkle in Time

  2. Wrinkle in Time • Why do we care about time?

  3. Wrinkle in Time • We use the Time/Date data to; • Determine who used a computer. • Determine when a computer was used. • How long a computer was used. • Determine when an event occurred. • Determine a file’s use and/or source.

  4. Wrinkle in Time • Today’s outline • General information on time • A Brief History of Time (Apologies to Stephen Hawking) • The Types of time • The Time Zones • Daylight Saving Time • Sources of Time • Places we find Time and Dates on a PC

  5. General Stuff • All dates and times on a computer are dependent on its clock being accurately set and running. This can apply to the suspect’s computer clock, the clock of a server or your own forensic machine. • A clock that is set correctly now may not have been prior.

  6. Types of Time • There are many different types of time.

  7. Base Time • GMT - Greenwich Mean Time • UT – Universal Time • UTC – Coordinated Universal Time

  8. Greenwich Time • GMT - Greenwich Mean Time • Greenwich, England has been the home of Greenwich Mean Time (GMT) since 1884. GMT is sometimes called Greenwich Meridian Time because it is measured from the Greenwich Meridian Line (longitude 0) at the Royal Observatory in Greenwich, England. One property of GMT is that it remains the same all year round; Daylight Saving Time does not affect it. It is the starting point of time (well, kinda the start). • Setting your time to “London” does not mean GMT. Why?

  9. Greenwich Time • GMT - Greenwich Mean Time • Greenwich, England has been the home of Greenwich Mean Time (GMT) since 1884. GMT is sometimes called Greenwich Meridian Time because it is measured from the Greenwich Meridian Line (longitude 0) at the Royal Observatory in Greenwich, England. One property of GMT is that it remains the same all year round; Daylight Saving Time does not affect it. It is the starting point of time (well, kinda the start). • Setting your time to “London” does not mean GMT. Why? London observes Daylight Saving Time.

  10. Universal Time • UT - Universal Time • Another name for GMT • Done by star observations, this is traditional time.

  11. Coordinated Time • UTC - Coordinated Universal Time (yes, I agree, blame the frogs) • Replaced Greenwich Mean Time (GMT) as the World standard for time in 1986. It is based on an atomic clock measurement rather than the earth's rotation. To align it with “traditional time” based on the earth’s rotation, the time is adjusted once a year.

  12. AM - PM • 12:01 (just past midnight): is this AM or PM?

  13. AM - PM • 12:01 (just past midnight): is this AM or PM? • AM

  14. Time Format • Time formats • 24 hour (military) • Day starts at 00:00:00 • 00:00, Midnight • 12:00, Noon • Day ends at 23:59:59 • 12 hour (civil) • Uses PM / AM • AM: ante meridiem, starts at 12:00:01 (past Midnight) • PM: post meridiem, starts at 12:00:01 (past Noon)

  15. Time Format • 24 hour format (Day starts at 0000) compared with 12 hour format • 0000 = 12:00 • 0300 = 3:00am • 0600 = 6:00am • 0900 = 9:00am • 1201 = 12:01pm • 1500 = 3:00pm • 1800 = 6:00pm • 2100 = 9:00pm • 2359 = 11:59pm

  16. Time Format • It’s 12:00 in the morning, is it AM or PM?

  17. Time Format • It’s 12:00 in the morning, is it AM or PM? • Neither • Midnight and Noon are not AM or PM

  18. Time Zones • Time Zones are geographically assigned. • Invented by Sir Sandford Fleming (1888) to help with train schedules. Prior to time zones everyone kept their own time for an area: thousands of areas, thousands of different local times.

  19. Time Zones • There are 24 major time zones. • There are a few weird ones as well (1/2 hour zones). • Here are some abbreviations for time zones in the US. • AST- Atlantic Standard Time • EST- Eastern Standard Time • CST- Central Standard Time • MST- Mountain Standard Time • PST- Pacific Standard Time • AKST- Alaskan Standard Time • HAST- Hawaii-Aleutian Standard Time

  20. US Time Zones • The boundaries are fixed, give or take a little • Generally they change every 15° • [Map: Time Zones in the US]

  21. US Time Zones • The Continental US has four Standard Time zones • Eastern, -5 hours from GMT 7pm • Central, -6 hours from GMT 6pm • Mountain, -7 hours from GMT 5pm • Pacific, -8 hours from GMT 4pm • There are also additional time zones for Alaska, Hawaii, the Virgin Islands, Samoa, Guam and Puerto Rico. • Puerto Rico, -3 hours from GMT 9pm • Atlantic –4 hours from GMT 8pm • Alaska, -9 hours from GMT 3pm • Hawaii/Aleutian -10 hours from GMT 2pm • Samoa -11 hours from GMT 1pm • Guam +10 hours from GMT (date line cross) 2am tomorrow

  22. Places with “special” Time Zones • The following states have two time zones within them, usually split by county. • Kansas, Alaska, Florida, Idaho, Indiana, Kentucky, Michigan, Nebraska, North Dakota, Oregon, South Dakota, Tennessee, Texas • Cross a street, you are in a new time zone. • Beacon Hill and Mexico Beach, Florida. Cross the street (18’ of asphalt) and you are in a different city and time zone. One is eastern and the other central.

  23. International Time Zones • International time zones can be even more complicated.

  24. International Time Zones • The preceding maps show the general boundaries. The actual boundaries can be quite different. For example, Australia has some very different time zone boundaries. In fact they have zones that are only ½ hour different and they are above and below each other. So does Canada.

  25. International Time Zones • Let’s skip the rest of the world for now.

  26. Daylight Saving • Daylight Saving Time begins in the United States at 2 a.m. on the first Sunday of April. Time reverts to standard time at 2 a.m. on the last Sunday of October. Time changes at 2 a.m. local time. • In the European Union, Daylight Saving Time begins and ends at 1 am Universal Time (Greenwich Mean Time). It starts the last Sunday in March, and ends the last Sunday in October. In the EU, all time zones change at the same moment. • HOWEVER, Congress changed our dates…….

  27. Daylight Saving • On August 8, 2005, President George W. Bush signed the Energy Policy Act of 2005. This Act changed the time change dates for Daylight Saving Time in the U.S. Beginning in 2007, DST will begin on the second Sunday of March and end the first Sunday of November. The Secretary of Energy will report the impact of this change to Congress. Congress retains the right to revert the Daylight Saving Time back to the 2005 time schedule once the Department of Energy study is complete. So 2008 is up for grabs.

  28. Daylight Saving Time • Daylight Saving Time is NOT observed in; • All of Hawaii • All of American Samoa • All of Guam • All of Puerto Rico • All of The Virgin Islands

  29. Daylight Saving Time in AZ • Daylight Saving Time IS observed in the Navajo Indian Reservation in Arizona, New Mexico and Utah. • Daylight Saving Time is NOT observed anywhere else in the State of Arizona • The Hopi Partitioned Land in the middle of the Navajo Reservation does NOT observe Daylight Saving Time. • So AZ does not, Navajo does, Hopi does not. Got that?

  30. Daylight Saving Time in Indiana • Daylight Saving Time in Indiana, well…. PRE April 2, 2006 • 77 of 92 counties do NOT change (white on the map) • 15 counties do change • Yellow on the map: Gibson, Jasper, Lake, LaPorte, Newton, Porter, Posey, Spencer, Vanderburgh and Warrick counties • Blue on the map: Clark, Dearborn, Floyd, Harrison and Ohio counties.

  31. Daylight Saving Time in Indiana • Daylight Saving Time in Indiana AFTER April 2, 2006 • All of Indiana observes Daylight Saving Time… • The eight Indiana counties of Daviess, Dubois, Knox, Martin, Perry, Pike, Pulaski and Starke moved from the Eastern Time zone to the Central Time zone.

  32. Time Problems • Add time zones, daylight saving and date/time format all together and you have some complicated points to navigate when analyzing times and dates in digital evidence. • You’ll need to know how your software is affected and where the computer was used: what location and when. • To help, use this web site • http://www.timeanddate.com/time/dst2006a.html

  33. Time Problems • So what can happen if we get it wrong…..

  34. Time Problems • So what can happen if we get it wrong….. • Palestinian Terrorists • In September 1999, the Palestinian West Bank was on daylight saving time while Israel had just switched back to standard time. West Bank Palestinians prepared time bombs and smuggled them to Arab Israelis, who misunderstood the time on the bombs. As the bombs were being planted, they exploded—one hour too early—killing three terrorists instead of the intended victims—two busloads of people.

  35. Time Problems • Time Change Riots • Patrons of bars that stay open past 2:00 a.m. lose one hour of drinking time on the day when Daylight Saving Time springs forward one hour. This has led to annual problems in numerous locations, and sometimes even to riots. For example, at a "time disturbance" in Athens, Ohio, site of Ohio University, over 1,000 students and other late night partiers chanted "Freedom," as they threw liquor bottles at the police attempting to control the riot.

  36. Time Problems • Manslaughter • In California, a Chevrolet Blazer packed with teenagers struck the median of a street and flipped over, tragically killing one teen and injuring several others. The teen driver, fighting charges of felony vehicular manslaughter, claimed that the street was dangerously wet and unsafe due to a lawn sprinkler system. The landscaper responsible for the computerized sprinklers testified that the sprinklers were set to come on more than fifteen minutes after the fatal accident. The outcome hinged on whether the sprinklers' timer had been adjusted for a recent Daylight Saving Time change, for without the DST adjustment, the sprinklers had close to 45 minutes to make the road slick.

  37. Forensic Question for the Future that might be asked by the Defense • Was an OS patch done? • When was it done? Before or after Daylight Saving Time switched? • Was the clock just manually moved ahead or behind? • What was shown in the event logs? • What did application software show? (Anti-virus logs etc.) • Did the application base its time stamp on the BIOS clock or the Internet?
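
The OS-patch question above can be made concrete with the two US rule sets from slides 26 and 27. This is an added example, not part of the original presentation: it computes local time under each rule and reports the one-hour disagreement an unpatched clock would show. The function names and the sample UTC event times are constructed for illustration.

```python
from datetime import datetime, timedelta

# (month, n-th Sunday) for DST start and end; n = -1 means the last Sunday.
RULES = {
    "pre-2007": ((4, 1), (10, -1)),   # first Sunday of April .. last Sunday of October
    "2007+":    ((3, 2), (11, 1)),    # second Sunday of March .. first Sunday of November
}

def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the month (n = -1: last Sunday)."""
    if n > 0:
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    nxt = datetime(year + (month == 12), month % 12 + 1, 1)
    return nxt - timedelta(days=(nxt.weekday() + 1) % 7 or 7)

def us_local(utc, std_offset_hours, rule, observes_dst=True):
    """Local wall-clock time for a naive UTC datetime under one rule set."""
    std = utc + timedelta(hours=std_offset_hours)
    if not observes_dst:                      # e.g. Arizona outside the Navajo Reservation
        return std
    (sm, sn), (em, en) = RULES[rule]
    start = nth_sunday(std.year, sm, sn) + timedelta(hours=2)  # 2 a.m. standard time
    end = nth_sunday(std.year, em, en) + timedelta(hours=1)    # 2 a.m. daylight = 1 a.m. standard
    return std + timedelta(hours=1) if start <= std < end else std

def unpatched_skew(utc, std_offset_hours):
    """Hours a clock still on the pre-2007 rule is off from one on the 2007+ rule."""
    old = us_local(utc, std_offset_hours, "pre-2007")
    new = us_local(utc, std_offset_hours, "2007+")
    return (old - new) / timedelta(hours=1)

if __name__ == "__main__":
    for stamp in (datetime(2007, 3, 20, 18, 0), datetime(2007, 7, 4, 16, 0),
                  datetime(2007, 10, 30, 18, 0)):   # constructed UTC event times
        print(stamp, "Eastern skew:", unpatched_skew(stamp, -5))
```

A non-zero skew marks the weeks in which event logs from a patched machine and an unpatched one will disagree by an hour for the same event.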

  38. BREAK Why did I take this class………

  39. Sources of Time

  40. Sources of Time • Best source is atomic based time • Internet time server • WWV & WWVB (radio time) • WWV on 5, 10, 15 and 20 MHz • WWVB on 60 MHz • Official US time from the web • http://nist.time.gov

  41. Sources of Time • Other sources of time • Phone time (767-1212)? Not accurate • Cell phone? May not be accurate • Radio News (start of every hour)? No • Observe Sunrise, Noon, Sunset? No…..

  42. Sources of Time • Buy an automatic clock and check it against the “nist.time.gov” web site prior to going out.

  43. Wrinkle in Time File System’s Times and Dates

  44. File System Times and Dates • In this class we are discussing the Microsoft family of operating systems (OS). Other OSes will be similar but not identical. • The following applies when applications and system programs operate using the file system's standard calls. No funny business. • You can access files directly without changing any dates and times with custom written programs. • All of this relies on the system clock accuracy.

  45. File System Times and Dates • The system clock does lose or gain time over time…… errr • The system clock can gain or lose time. • File times and dates rely on the system clock. • Some times and dates inside files are independent of the system's clock. More on that later…. • The following may not always apply, your mileage may vary.

  46. Not Again….

  47. Where do we find Times and Dates • Directories and Folders • Within log files (there are a lot) • Within Document files • In memory swap files • In Databases • In Emails • In Firmware • In the $MFT

  48. Times and Dates in Directories (FAT) • Directories and Folders are two terms for the same thing. Directory is the term used in DOS and Folders is used for Windows GUI*. • In FAT file systems you will find MAC dates and times kept in the directory. • In NTFS file systems you will find MACE dates and times kept in the Master File Table. • MAC(E) • Modified • Access • Creation • Entry modified * Graphical User Interface

  49. Times and Dates in Directories (FAT) • Modified • Modified, the last time the file was opened to be written to. • A file can be open to be “Modified” but not modified by an application.

  50. Times and Dates in Directories (FAT) • Access • Access, the last time the file was opened. It does not matter whether it was for reading and/or modifying. Even viewing a file’s properties will change the last access date.
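
How the MAC values above sit in a FAT directory entry, as an added example that is not part of the original presentation: a decoder for the standard 32-byte short-name entry. The sample entry, the helper names and the -5 hour offset are constructed for illustration; FAT records local wall-clock time with no zone, so the offset is the examiner's assumption.

```python
import struct
from datetime import datetime, date, timedelta, timezone

def fat_date(v):
    """Unpack a 16-bit FAT date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)

def fat_datetime(d, t, centis=0):
    """Combine FAT date and time words; the time word counts seconds in 2 s steps."""
    day = fat_date(d)
    base = datetime(day.year, day.month, day.day,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    return base + timedelta(milliseconds=centis * 10)  # creation only: 0-199 x 10 ms

def parse_fat_entry(entry, utc_offset_hours):
    """Decode MAC values from a 32-byte entry; the UTC offset is supplied by the examiner."""
    (name, _attr, _nt, c_cs, c_time, c_date, a_date, _hi,
     m_time, m_date, _lo, size) = struct.unpack("<11sBBBHHHHHHHI", entry)
    tz = timezone(timedelta(hours=utc_offset_hours))
    modified = fat_datetime(m_date, m_time)
    return {
        "name": name[:8].decode("ascii").rstrip() + "." + name[8:].decode("ascii").rstrip(),
        "modified_local": modified,
        "modified_utc": modified.replace(tzinfo=tz).astimezone(timezone.utc),
        "accessed": fat_date(a_date),          # date only: no time of day is stored
        "created_local": fat_datetime(c_date, c_time, c_cs),
        "size": size,
    }

def _pack_date(y, m, d): return ((y - 1980) << 9) | (m << 5) | d
def _pack_time(h, mi, s): return (h << 11) | (mi << 5) | (s // 2)

# Constructed sample entry (not taken from any real evidence).
SAMPLE = struct.pack("<11sBBBHHHHHHHI", b"REPORT  DOC", 0x20, 0, 150,
                     _pack_time(14, 30, 10), _pack_date(2006, 3, 31),   # created
                     _pack_date(2006, 4, 3), 0,                         # accessed (date only)
                     _pack_time(1, 15, 58), _pack_date(2006, 4, 2),     # modified
                     5, 20480)

if __name__ == "__main__":
    for key, value in parse_fat_entry(SAMPLE, -5).items():
        print(f"{key:15} {value}")
```

The decoded values show the limits an examiner has to report: the modified time is only good to 2 seconds, and the access field carries a date with no time of day.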
