Three things that irritate me…
Don't look directly into his eyes. He'll steal your soul!
If anyone says "Aw!" the kitten meets Mr. Pitbull
• It was a Trojan/Virus
• I was hacked
• My cat did it
• It was Aliens
• It was God
Yes, these are all real-world examples
Something from a recent case of mine…
• Guy has company laptop
• Guy surfs porn
• Guy gets fired
• Guy sues company
• Company hires me
My Findings:
This guy likes his porn… A LOT*
*(not an actual quote from my report)
Guy hires a computer expert. His report states:
“...the BIOS clock could be manually set back... Once the computer is rebooted, the operating system will take its current time from the BIOS clock and any files created or changed thereafter will reflect the (pre-dated) time as seen by the operating system...
“There is no simple way of telling whether a computer's BIOS clock has been 'turned back', especially if it was subsequently reset to the correct time.”
FUD Mini Rant
One simple rule...
• Don't be stupid, only report the facts
Aim of this Presentation...
• To provide some ideas of how clock changes can be tracked in Windows XP, Vista, 7.
• Spur you on to find more
• Reduce the spreading of FUD
Windows Event Logs
• Default size of 512KB in XP, 20MB in Vista and Win7
• Sequentially written
• Overwritten from the start when full
• Event IDs
• Date/time stamp
Vista, Win7
Event ID 1 in System log
“The system time has changed to 2011-01-01T00:00:00.000000000Z from 2011-04-01T10:17:04.137232300Z.”
Event ID 4616 in Security log
“The system time was changed.”
XP
Event ID 520 in Security log
“The system time was changed.”
Note that this will only work if “Audit privilege use” is turned on. The default state is off.
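The Event ID 1 message above carries both the old and the new time, so the size and direction of a clock change can be computed from the text alone. The following Python is an added example, not code from the presentation: it parses the message format quoted on the slide and triages a list of exported messages, keeping only jumps larger than an analyst-chosen threshold. The first sample message is the one from the slide; the other two are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Matches the two timestamps in the Event ID 1 text quoted on the slide:
# "The system time has changed to <new> from <old>."
EVENT1_RE = re.compile(
    r"The system time has changed to (?P<new>\S+) from (?P<old>\S+)\."
)
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_kernel_time(text: str) -> datetime:
    """Parse the ISO-8601 form used in the event text. Windows writes nine
    fractional digits (100 ns units); Python keeps microseconds, so the
    fraction is truncated to six digits. Some exported logs wrap the digits
    in Unicode left-to-right marks, which are stripped first."""
    m = ISO_RE.match(text.replace("\u200e", ""))
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)


@dataclass
class ClockChange:
    old: datetime
    new: datetime

    @property
    def delta(self) -> timedelta:
        return self.new - self.old

    @property
    def delta_seconds(self) -> float:
        return self.delta.total_seconds()

    @property
    def set_back(self) -> bool:
        return self.delta < timedelta(0)


def parse_event1(message: str) -> ClockChange:
    m = EVENT1_RE.search(message)
    if not m:
        raise ValueError("not an Event ID 1 time-change message")
    return ClockChange(old=parse_kernel_time(m.group("old")),
                       new=parse_kernel_time(m.group("new")))


def triage(messages, min_jump_seconds: float = 60.0):
    """Return the changes whose magnitude is at least min_jump_seconds.
    The threshold is the analyst's choice (assumed here, not from the
    slides): the Windows Time service also steps the clock when correcting
    drift, and a multi-month jump backwards is a different finding from a
    few seconds of correction."""
    hits = []
    for msg in messages:
        change = parse_event1(msg)
        if abs(change.delta_seconds) >= min_jump_seconds:
            hits.append(change)
    return hits


# Constructed sample: the first message is the one quoted on the slide,
# the other two are made up to show a small correction and a forward jump.
SAMPLE_MESSAGES = [
    "The system time has changed to 2011-01-01T00:00:00.000000000Z "
    "from 2011-04-01T10:17:04.137232300Z.",
    "The system time has changed to 2011-04-01T10:17:06.000000000Z "
    "from 2011-04-01T10:17:04.500000000Z.",
    "The system time has changed to 2011-06-01T08:00:00.000000000Z "
    "from 2011-04-01T10:17:06.000000000Z.",
]

if __name__ == "__main__":
    for c in triage(SAMPLE_MESSAGES):
        direction = "BACK" if c.set_back else "forward"
        print(f"{c.old.isoformat()} -> {c.new.isoformat()}  "
              f"({direction} by {c.delta})")
```

For the slide's own message the result is a jump of roughly 90 days backwards; the 1.5 second message is dropped by the threshold and the forward jump is reported but not marked as a set-back.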
Setupapi.log
• Logs the first instance of a device being connected
• Sequential logging
• Overwritten when full
$UsnJrnl:$J
• Typically may only hold data for a few hours/days
• Data is stored sequentially
• Stores every file transaction during the recorded time
$UsnJrnl:$J
[Hex dump of $UsnJrnl:$J records: a run of consecutive journal entries for one .tmp file and Console4.txt through Console10.txt, shown in the order they were written]
$UsnJrnl:$J
Filename                  Date and Time
setupapi.app.log          31/05/2011 13:35
DLLHOST.EXE-FDE983AF.pf   31/05/2011 13:35
WMIPRVSE.EXE-1628051C.pf  31/05/2011 13:35
CONTROL.EXE-817F8F1D.pf   31/05/2011 13:36
RUNDLL32.EXE-89545801.pf  01/01/2010 14:36
RUNDLL32.EXE-D612ED71.pf  09/01/2010 11:01
launchy.ini               09/01/2010 11:03
MOBSYNC.EXE-C5E2284F.pf   09/01/2010 11:15
index.dat                 31/05/2011 13:53
TASKHOST.EXE-7238F31D.pf  31/05/2011 13:53
launchy.ini               31/05/2011 13:53
Link Files
• Harry Parsonage's research
• Each link file has a sequence number
• Discrepancy is evidence of clock change
Restore Points
• XP Restore Points are named sequentially
• Named in order of creation, clock is ignored
Restore Points
Restore Point  Creation Date/Time   Restore Point Name
RP131          17:24:18 03/10/2011  System Checkpoint
RP132          18:08:39 03/11/2011  System Checkpoint
RP133          17:17:57 03/14/2011  Installation of Google Chrome
RP134          16:46:22 02/11/2011  Installation of Mozilla Firefox
RP135          10:03:12 03/15/2011  System Checkpoint
RP136          10:34:09 03/15/2011  Installation of Microsoft Office
Web Pages
• Many web pages contain their own clues
• Forums, news sites, sports sites, most show the same thing…
Web Pages
• If this cached page showed a creation date of May 17 2011 something is obviously wrong
Index.dat Files
• NOT sequential
• Still offer good clues
• Check the internet settings
• How often does the internet history recycle?
• Large clock changes are easier to detect
Email Messages
• MSG/EML file has a creation date of May 17 2011
• Message properties suggest otherwise:
MIME-Version: 1.0
Received: by 10.68.14.37 with SMTP id m5mr1406525pbc.474.1307239107883; Sat, 04 Jun 2011 18:58:27 -0700 (PDT)
Sender: [email protected]
Received: by 10.68.66.136 with HTTP; Sat, 4 Jun 2011 18:58:27 -0700 (PDT)
Date: Sat, 4 Jun 2011 20:58:27 -0500
X-Google-Sender-Auth: WiTe_KdGL5stt8fvjLC6pdnkRtY
Message-ID:
Subject: Cloak of Invisibility
From: Harry Potter <[email protected]>
To: Hermione Granger <hermione@teachers-pet.com>, Ron Weasley <[email protected]>
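The check the slide describes, as an added example that is not part of the original presentation: the Date header and every Received stamp give the earliest moment the message could have existed, and a file holding it cannot have been created before that. The header block below is constructed after the slide's example with example.com addresses and a placeholder Message-ID; the file creation time is assumed to be the May 17 2011 date from the slide, taken as UTC. The epoch-millisecond reading of the SMTP id is an observation about this particular sample, offered as a cross-check only.

```python
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed header block modelled on the slide's example; addresses and
# the Message-ID are placeholders, the timestamps are the slide's.
SAMPLE_HEADERS = """\
MIME-Version: 1.0
Received: by 10.68.14.37 with SMTP id m5mr1406525pbc.474.1307239107883;
 Sat, 04 Jun 2011 18:58:27 -0700 (PDT)
Sender: harry@example.com
Received: by 10.68.66.136 with HTTP; Sat, 4 Jun 2011 18:58:27 -0700 (PDT)
Date: Sat, 4 Jun 2011 20:58:27 -0500
Message-ID: <placeholder-id@example.com>
Subject: Cloak of Invisibility
From: Harry Potter <harry@example.com>
To: Hermione Granger <hermione@example.com>, Ron Weasley <ron@example.com>

"""


def received_times(msg):
    """The date in a Received header follows the last ';'; every hop is
    normalised to UTC so stamps from different time zones compare."""
    out = []
    for hdr in msg.get_all("Received", []):
        _, _, stamp = hdr.rpartition(";")
        out.append(parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc))
    return out


def embedded_epoch_ms(msg):
    """Assumption specific to this sample: the last dotted component of the
    SMTP id is a 13-digit number that reads as Unix time in milliseconds.
    Returned for cross-checking only; not every server writes ids this way."""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bid\s+\S*?\.(\d{13})(?=[;\s]|$)", hdr)
        if m:
            return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    return None


def check_message(raw: str, file_created_utc: datetime) -> dict:
    """Compare the file system creation time of the stored message with
    the earliest time the message itself claims to have existed."""
    msg = email.message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    hops = received_times(msg)
    lower_bound = min([sent] + hops)   # message cannot predate this instant
    return {
        "sent_utc": sent,
        "received_utc": hops,
        "epoch_from_id_utc": embedded_epoch_ms(msg),
        "file_created_utc": file_created_utc,
        "creation_predates_message": file_created_utc < lower_bound,
        "gap": lower_bound - file_created_utc,
    }


if __name__ == "__main__":
    # Creation date from the slide, assumed to be UTC midnight.
    result = check_message(SAMPLE_HEADERS,
                           datetime(2011, 5, 17, tzinfo=timezone.utc))
    print("sent (UTC):     ", result["sent_utc"])
    print("received (UTC): ", result["received_utc"])
    print("id epoch (UTC): ", result["epoch_from_id_utc"])
    print("file created:   ", result["file_created_utc"])
    if result["creation_predates_message"]:
        print(f"file creation predates the message by {result['gap']}: "
              "the clock that stamped the file was wrong")
```

All three sources in the sample agree on 01:58:27 UTC on 5 June 2011, roughly 19 days after the file's recorded creation; the three-way agreement is what makes the file stamp, rather than the message, the suspect value.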
Thumbnails
• In XP there is one thumbnail repository for each folder
• In Vista/7 there is one set of files for all thumbnails on the computer
• Both store information sequentially regardless of the system clock
Thumbcache.db
Example:
• Forbidden pictures found on a suspect machine
• Creation date suggests a specific user is responsible
• What does the Thumbcache tell us?
Thumbcache.db
Offset (bytes)  Creation Date/time of Original Picture
106             05/12/11 17:42:31
27890           05/12/11 17:42:38
55674           05/12/11 17:42:43
83458           05/12/11 17:42:55
110474          05/12/11 17:43:07
145554          02/11/11 11:03:56
173722          02/11/11 11:04:04
924742          05/12/11 17:46:22
954062          05/12/11 17:46:27
Thumbs.db
Offset (bytes)  File Name     Last Written
1456            Bella.jpg     05/24/11 23:57:09
34870           Edward.jpg    05/24/11 23:58:23
68284           Jacob.jpg     05/24/11 23:58:02
101698          Renee.jpg     03/13/11 11:17:12
135112          Jasper.jpg    05/25/11 00:02:32
168526          Alice.jpg     02/25/11 00:05:01
201940          Carlisle.jpg  02/25/11 00:06:49
Thumbnails - warning
• This MAY be due to clock change
• There are other explanations – what are they?
Finally - New Technology
File systems
• Did the FS exist at the time?
Software version
• Metadata is key
File versions
• docx is a dead giveaway
Case Conclusion
• Opposing expert conceded no evidence of clock change
• My client won case and costs against former employee
• Evidence unFUDed
Hackers For Charity
Donate Now!