One question that is very prominent in forensics is "When?"
In other words, time is a key dimension on which analysis rests in the forensic process. Many of the artifacts we use in an investigation have temporal characteristics, and these characteristics let us build the whole picture of an incident. Moreover, timeline analysis helps when we analyze different types of evidence together. A timeline can be built from any source that carries timestamps: filesystem metadata, the registry, event logs, application log files, memory, network traffic, and so on.
Certainly, the timeline is one of the most useful techniques applied in digital forensics. However, it rests on the analysis of particular artifacts, so it is very important to understand how to analyze the artifacts that supply the timeline events. Despite the apparent simplicity of the idea behind the timeline, in practice it is not so easy. One difficulty is the sheer amount of data that has to be analyzed: a running system has a few users and many system services, and the services produce a lot of events, which have to be separated from the activity of the ordinary users. The idea of a timeline is not new. It has been around since about 2000, when Rob Lee and other forensic practitioners started applying it in digital forensics. Originally, filesystems served as the source of data for the timeline. In our review we will consider the NTFS filesystem, as the most prevalent one.
The timeline of the NTFS filesystem is based on the timestamps stored in attributes of the filesystem objects.
Every object of the filesystem has the following four timestamps (MACB):
⦁ M: This is the date of the last data modification (last write)
⦁ A: This is the date of the last data access
⦁ C: This is the date of the last metadata change (the $MFT entry)
⦁ B: This is the date of creation (birth)
Based on the analysis of this data, we can determine when a file was created, copied, moved, and so on. NTFS stores its timestamps as FILETIME values in UTC (Coordinated Universal Time). A FILETIME is a 64-bit value holding the number of 100-nanosecond intervals since January 1, 1601 (UTC). MS Windows also uses other time formats: the UNIX time format, the DOS date format, and the SYSTEMTIME format.
We should also highlight the case when a file is moved across different filesystems, for example copied to a USB key. In most cases a USB key uses the FAT32 filesystem, and FAT32 keeps its timestamps differently from NTFS: as DOS date and time words in local time rather than FILETIME in UTC, with only 2-second resolution for the modification stamp and a date alone for the access stamp. So the same file carries different timestamp attributes on NTFS and on FAT32.
Let's consider a case where a file is created on an NTFS filesystem and then copied to a USB key with FAT32. The modification date remains unchanged, but the creation date (B) on the USB drive changes to the moment the file was copied there. Microsoft explains how the timestamps change in different situations at http://support.microsoft.com/kb/299648. The following are the file properties with regard to the date and time stamps:
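The following is an added example of mine, not code from the chapter or from the blog, that decodes and encodes the two on-disk time formats that matter for the two filesystems discussed here: the NTFS FILETIME (8 little-endian bytes of 100-nanosecond ticks since 1601 UTC) and the FAT (DOS) date and time words. The byte string and the DOS words in the sample calls are constructed test values, not taken from any image; the well-known cross-check is that the Unix epoch, 1970-01-01, is FILETIME 116444736000000000.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC. One tick is 100 ns.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Well-known cross-check value: the Unix epoch expressed as a FILETIME.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Decode an integer FILETIME into an aware UTC datetime.

    Python datetimes stop at microseconds, so the last decimal digit of the
    100 ns tick count is dropped (ft // 10 microseconds)."""
    if not 0 <= ft < (1 << 64):
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """Decode the 8 little-endian bytes found in an $MFT attribute or a registry value."""
    if len(raw) != 8:
        raise ValueError("FILETIME occupies exactly 8 bytes")
    return filetime_to_datetime(struct.unpack("<Q", raw)[0])


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime (any zone; converted to UTC first) as a FILETIME."""
    if dt.tzinfo is None:
        raise ValueError("refusing a naive datetime: the zone must be known")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def iso_to_filetime(text: str) -> int:
    """Convenience wrapper for ISO 8601 text with an offset, e.g. '2016-09-05T13:37:42+00:00'."""
    return datetime_to_filetime(datetime.fromisoformat(text))


def dos_datetime_to_datetime(date_word: int, time_word: int, tenths: int = 0) -> datetime:
    """Decode a FAT directory-entry date word and time word.

    Date word: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day.
    Time word: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = seconds / 2,
    so the stamp has only 2-second resolution. The creation stamp also carries
    a 'tenths' byte (0..199, units of 10 ms) that refines it; the last-write
    stamp has no such byte, and the last-access field holds a date word only.
    FAT stores local time with no zone, so the result is a naive datetime."""
    if not 0 <= tenths <= 199:
        raise ValueError("FAT tenths-of-a-second field is 0..199")
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=10 * tenths)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real image.
    print(filetime_to_datetime(UNIX_EPOCH_FILETIME))                  # 1970-01-01 00:00:00+00:00
    print(filetime_from_bytes(bytes.fromhex("00803ed5deb19d01")))     # same instant, as raw $MFT bytes
    print(hex(iso_to_filetime("2016-09-05T13:37:42+00:00")))
    print(dos_datetime_to_datetime(0x4925, 0x6CB5, tenths=150))       # 2016-09-05 13:37:43.500000
```

Two practical consequences show up directly in the code: a FILETIME carries 100 ns ticks but a Python datetime only microseconds, so a round trip through `filetime_to_datetime` silently loses the last digit, and a FAT stamp comes back naive (local time) while an NTFS stamp comes back UTC, so the two must be normalised to one zone before they are placed on the same timeline.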
⦁ If a file is copied from C:\fatfolder to C:\fatfolder\subfolder, it keeps its modification date and time, but its creation date and time become the current date and time
⦁ If a file is moved from C:\fatfolder to C:\fatfolder\subfolder, it keeps both its modification and its creation date and time
⦁ If a file is copied from C:\fatfolder to D:\NTFSfolder, it keeps its modification date and time, but its creation date and time become the current date and time
⦁ If a file is moved from C:\fatfolder to D:\NTFSfolder, it keeps both its modification and its creation date and time
⦁ If a file is copied from D:\NTFSfolder to D:\NTFSfolder\SUBfolder, it keeps its modification date and time, but its creation date and time become the current date and time
⦁ If a file is moved from D:\NTFSfolder to D:\NTFSfolder\SUBfolder, it keeps both its modification and its creation date and time
In all cases, a file's modification date and time do not change unless the file itself (its data or a property) has changed. Whether its creation date and time change depends on whether the file was copied or moved.
The following are the folder properties with regard to the date and time stamps:
⦁ If two new folders called D:\NTFSfolder1 and D:\NTFSfolder2 are created on an NTFS partition, each has identical creation and modification date and time
⦁ If the D:\NTFSfolder2 folder is moved into the D:\NTFSfolder1 folder, creating D:\NTFSfolder1\NTFSfolder2, then the following occurs:
- D:\NTFSfolder1: the created stamp stays the same and the modified stamp changes.
- D:\NTFSfolder1\NTFSfolder2: the created stamp changes and the modified stamp stays the same.
This behavior occurs because, even though you moved the folder, the Master File Table (MFT) sees a new folder being created within the D:\NTFSfolder1 folder.
If the D:\NTFSfolder2 folder is copied into the D:\NTFSfolder1 folder, creating the D:\NTFSfolder1\NTFSfolder2 folder, while D:\NTFSfolder2 still exists (after having been copied):
⦁ D:\NTFSfolder1: the created stamp stays the same and the modified stamp changes.
⦁ D:\NTFSfolder2: no changes occur, because it is the original folder.
⦁ D:\NTFSfolder1\NTFSfolder2: both the created and the modified stamp change to the same value, the time of the copy.
This behavior occurs because, even though you copied the folder, the MFT sees a new folder being created and gives it new created and modified stamps.
The FAT filesystem behaves differently with regard to the modified stamp. On a FAT filesystem, the modified date of a folder does not change when the contents of the folder change. For example, if D:\FATfolder2 is copied or moved into D:\FATfolder1, the created date and the modified date of D:\FATfolder1 remain unchanged. The following table reflects the changes of the attributes according to the operation performed on the file:
When we talk about a move action, we mean moving the file with Windows Explorer (cut and paste), not the move command on the command line.
One more thing we want to mention: some investigators make the mistake of assuming that disabling last-access updates (the NtfsDisableLastAccessUpdate setting, the default since Vista) stops every update of a file's last access time. This is incorrect. The last access time is still changed by copy and move operations; it stays unchanged only when the file is merely opened or read.
Also, moving a file by cut and paste in Windows Explorer within the same filesystem does not change its creation time. However, the creation time will change if the file is moved on the command line with the move command.
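The following is an added example of mine, not code from the chapter or from the blog. It serves two passages: the timeline idea from the opening paragraphs (flattening MACB timestamps into a sorted, mactime-style list of events) and the copy-versus-move rules above, which it turns into a consistency check: a copy keeps the modification stamp but resets the creation stamp to the time of the copy, so an object whose B is later than its M was copied (or extracted, downloaded, and so on) rather than authored in place, while an Explorer move keeps both. The paths and timestamps are constructed, all values are treated as NTFS FILETIME in UTC (a FAT32 copy would first need its local-time, 2-second stamps normalised), and the hint is a heuristic, not proof: a file edited again after being copied has B earlier than M once more.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC (NTFS stores FILETIME in UTC)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileTimes:
    """The four NTFS timestamps of one object, in MACB order, as aware UTC datetimes."""
    path: str
    m: datetime  # M: data last modified
    a: datetime  # A: data last accessed
    c: datetime  # C: metadata ($MFT entry) last changed
    b: datetime  # B: born (created)


def macb_events(files):
    """Flatten objects into timeline rows (time, 'MACB' mask, path), oldest first.

    Timestamps of one object that coincide collapse into a single row with
    several letters set, the way mactime prints a bodyfile."""
    rows = []
    for f in files:
        by_time = {}
        for letter, when in (("M", f.m), ("A", f.a), ("C", f.c), ("B", f.b)):
            by_time.setdefault(when, set()).add(letter)
        for when, letters in by_time.items():
            mask = "".join(ch if ch in letters else "." for ch in "MACB")
            rows.append((when, mask, f.path))
    rows.sort()
    return rows


def transfer_hint(f: FileTimes) -> str:
    """Consistency check derived from the copy/move rules in the text.

    A copy keeps M but resets B to the time of the copy, so B later than M means
    the content is older than the object on this volume: it was copied (or
    extracted, downloaded, ...) rather than authored here. An Explorer move keeps
    both M and B, so B <= M is consistent with in-place creation or a move.
    Heuristic only: a file edited again after being copied has B <= M."""
    return "copied: B later than M" if f.b > f.m else "created here or moved: B not later than M"


def window(rows, start: datetime, end: datetime):
    """Keep rows with start <= time < end: the first noise-reduction step on a busy system."""
    return [r for r in rows if start <= r[0] < end]


# Constructed sample, not from a real case: report.docx written on the C: drive,
# then copied to E: three days later (the copy keeps M and resets A, C and B).
SAMPLE = [
    FileTimes(r"C:\Users\alice\report.docx",
              m=ts("2016-03-02 12:00:00"), a=ts("2016-03-05 09:00:00"),
              c=ts("2016-03-02 12:00:00"), b=ts("2016-03-01 10:00:00")),
    FileTimes(r"E:\report.docx",
              m=ts("2016-03-02 12:00:00"), a=ts("2016-03-05 09:00:00"),
              c=ts("2016-03-05 09:00:00"), b=ts("2016-03-05 09:00:00")),
]

if __name__ == "__main__":
    for when, mask, path in macb_events(SAMPLE):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), mask, path)
    for f in SAMPLE:
        print(f.path, "->", transfer_hint(f))
```

Run on the sample, the timeline shows the original's birth on 2016-03-01, the shared modification on 2016-03-02 and a burst of activity on 2016-03-05 in which the E: copy is born, changed and accessed at the same instant while the original is only accessed, which is exactly the signature the copy rule above predicts; `transfer_hint` reports the E: object as copied and the C: object as created here or moved.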
By "Practical Windows Forensics", Copyright © 2016 Packt Publishing.