Computer Forensics World :: View topic - timeline analysis
amrogers3
Newbie
Joined: Feb 20, 2018
Posts: 1

Posted: Wed Feb 21, 2018 4:58 am    Post subject: timeline analysis

Hello team, got a log that shows a file was accessed in a folder before the actual folder was created. It appears svchost.exe was accessed before folder dllhost was created. Can someone explain what is happening here?

Code:
Timestamp Macb File Name
2012-04-03 15:40:19 .a..  C:/Windows/System32/dllhost/svchost.exe
2012-04-03 16:35:07 ...b  C:/Windows/System32/dllhost
chris-
Newbie
Joined: Mar 06, 2018
Posts: 2

Posted: Tue Mar 06, 2018 7:56 pm    Post subject: Re: timeline analysis

Hi amrogers3,

Quote:
Rule No. 2:
When M time is before C time, the file has been
copied from one system into the same/another system or moved
from one partition to another partition.


From: The Rules of Time on NTFS File System, K.P. Chow, Frank Y.W. Law, Michael Y.K. Kwan, K.Y. Lai
Can be found at i.cs.hku.hk/cisc/forensics/papers/RuleOfTime.pdf (a bit old now)

[Please note that the doc uses (c)reation and not (b)irth. They have only "mac" time]

Well you have "a" and not "m", but the principle is clear. It was modified/accessed before the file was created. So how can that be?

If you have a look at the SANS poster Digital-Forensics-and-Incident-Response-Poster-2012.pdf (p2, google), you see how the timeline changes if a file is copied or moved. But you never see "a" or "b" time before "c" time.

All that does not apply 100% to your case. So I would say the file was in a zipped archive and was unzipped.

To prove that, I created a directory new1 and a file a.txt in it. After waiting some seconds I zipped (7z) the whole directory. After waiting again, I unzipped the new1.7z.

Now I got a new1 directory with an a.txt with an "a" time older than the "b" and/or "m" time.

Conclusion: If an "a" or "m" time is before the file was created, it could be that a directory was zipped and unzipped.

Of course, anti-forensics (such as timestomp) can change the mac time any way you like, too.
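The two checks discussed in this thread (an "m" or "a" time earlier than the same file's birth, which Rule No. 2 reads as copy/move/extract, and an "a" or "m" time earlier than the parent directory's birth, as in the posted log) as a small timeline scanner. This is an added example, not code from the thread; the sample lines are constructed in the format of the original post, with two extra entries added to show a normal file and a Rule No. 2 hit.

```python
import re
from collections import defaultdict
from datetime import datetime
from posixpath import dirname

# Constructed sample: the two lines from the post plus a normal file and a copied file.
SAMPLE_TIMELINE = """\
Timestamp Macb File Name
2012-04-03 15:40:19 .a..  C:/Windows/System32/dllhost/svchost.exe
2012-04-03 16:35:07 ...b  C:/Windows/System32/dllhost
2012-04-03 16:35:08 m..b  C:/Windows/System32/dllhost/readme.txt
2012-04-03 10:00:00 m...  C:/Users/Public/notes.txt
2012-04-03 12:00:00 ...b  C:/Users/Public/notes.txt
"""

# "<timestamp> <MACB flags> <path>"; each flag position is its letter or a dot.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([m.][a.][c.][b.])\s+(.+?)\s*$"
)


def parse_timeline(text):
    """Return {path: {flag: datetime}}; lines that are not MACB entries are skipped."""
    times = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for flag in m.group(2):
            if flag != ".":
                times[m.group(3)][flag] = ts
    return times


def find_anomalies(times):
    """Flag m/a earlier than the file's own birth, and m/a earlier than the parent's birth."""
    findings = []
    for path, t in times.items():
        parent = dirname(path)
        parent_birth = times.get(parent, {}).get("b")
        for flag in ("m", "a"):
            if flag not in t:
                continue
            if "b" in t and t[flag] < t["b"]:
                findings.append((path, f"{flag} before own b: copied/moved/extracted?"))
            if parent_birth is not None and t[flag] < parent_birth:
                findings.append((path, f"{flag} before parent b ({parent})"))
    return findings


if __name__ == "__main__":
    for path, reason in find_anomalies(parse_timeline(SAMPLE_TIMELINE)):
        print(f"{path}: {reason}")
```

A hit only says the timestamps are inconsistent with in-place creation; as the reply notes, archive extraction, copies and timestomping all produce this, so the finding is a lead to corroborate, not a conclusion.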