Also, this was on Harlan Carvey's excellent blog today http://windowsir.blogspot.com/2009/08/timeline-creation-tools-posted.html
On Thu, Aug 13, 2009 at 3:48 PM, Joel Folkerts <[email protected]> wrote:
> SANS recently posted an article discussing timeline creation and analysis -
>
> https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/
>
> -Joel
>
> "The path to hell is paved with good intentions."
>
>
> On Wed, Aug 12, 2009 at 12:45 PM, Nicholas B. <[email protected]> wrote:
>
>> While it can create an issue when a user is able to modify timestamps,
>> those that they can't change for last access time can prove useful.
>> These stamps can yield information on probes of files not actively
>> looked at by others for evidence of probing for vulnerable
>> configuration settings by a malicious user where they are unable to
>> make modifications to those files, but have read access to them. This
>> only works on filesystems that record that stamp and didn't
>> shortsightedly disable it (i.e. Vista) for performance reasons and where
>> automatic processes (indexing, virus scans, etc.) haven't run on them
>> since the incident in question occurred.
>>
>> On 8/12/09, David Kovar <[email protected]> wrote:
>> > Greetings,
>> >
>> > Timestamps are one clue to a subject's activity but are rarely the
>> > smoking gun, for many reasons. They can be intentionally modified,
>> > various automated processes can update them, the system's clock may be
>> > off (intentionally or accidentally), various actions may not preserve
>> > them, ....
>> >
>> > Used in conjunction with other information, file system or metadata
>> > timestamps can be very useful. If the physical security log at the
>> > front desk shows the subject entering the building 15 minutes before
>> > they log on to the domain server and then the prefetch shows Limewire
>> > running right after that, leading to files being created shortly after
>> > that ....
>> >
>> > -David
>> >
>> >
>> > On Wed, Aug 12, 2009 at 3:14 AM, Jim Halfpenny <[email protected]> wrote:
>> >> Timestamps may matter a lot if you refute your role in downloading such
>> >> niche bedtime reading. The old "A virus must have downloaded it"
>> >> might have less credibility if timestamps show the files to have been
>> >> created over a considerable period of time.
>> >>
>> >> Remember that evidence in isolation may seem meaningless. If for
>> >> example you have corroborating evidence from browser history, logs or
>> >> ISP records, timestamps might provide strong evidence.
>> >>
>> >> Jim
>> >>
>> >> On 12/08/2009, Grymoire <[email protected]> wrote:
>> >>>
>> >>>> As the subject states, how much do file time stamps matter to a forensics
>> >>>> case? If someone finds my collection of "Nazi albino midget Eskimo" porn,
>> >>>> does it really matter what the date is?
>> >>>
>> >>> I'm not a forensic expert, but as I understand it,
>> >>> timestamps help paint an accurate recreation of events.
>> >>>
>> >>> An expert describes a series of events, such as entries in the log
>> >>> file, access times, modification times, registry entries, etc.
>> >>>
>> >>> Some experts say that you can usually re-create an event even if
>> >>> someone tries to hide their traces (i.e. modify timestamps). I think a
>> >>> lot depends on the OS and logging capability.
>> >>>
>> >>>
>> >>> And if the log is stored on a centralized log server, hiding traces
>> >>> is more difficult.
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Pauldotcom mailing list
>> >>> [email protected]
>> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >>> Main Web Site: http://pauldotcom.com
>> >>>
>> >>
>> >> --
>> >> Sent from my mobile device
>> >
>>
>> --
>> Sent from my mobile device
>
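The cross-source corroboration David describes (badge entry, domain logon, prefetch, file creation), as an added Python example that is not code from the thread or from log2timeline; the source names, record formats, usernames, file names and the five-minute clock offset are all constructed assumptions.

```python
"""Merge records from several constructed sources into one timeline and
correct for a host clock known to be off. This is added example code,
not the thread's or log2timeline's; sources, formats and skew are assumed."""
from datetime import datetime, timedelta, timezone

# Constructed sample records; each source uses its own timestamp format.
BADGE_LOG = ["2009-08-12 08:02:10 ENTRY jsmith lobby-door"]
DOMAIN_LOG = ["08/12/2009 08:17:45 LOGON jsmith WS-042"]
PREFETCH = [("LIMEWIRE.EXE-1A2B3C4D.pf", "2009-08-12T08:18:03")]
FILE_TIMES = [("C:/Users/jsmith/Shared/clip.avi", "2009-08-12T08:24:40")]

# Assumed offsets: the workstation clock was five minutes slow, so its sources are shifted forward.
SKEW = {"badge": timedelta(0), "domain": timedelta(0),
        "prefetch": timedelta(minutes=5), "filesystem": timedelta(minutes=5)}

def normalize(source, stamp, fmt):
    """Parse one source's stamp, treat it as UTC, apply that source's skew."""
    t = datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
    return t + SKEW[source]

def build_timeline():
    """Return (time, source, description) tuples from all sources, sorted by time."""
    events = []
    for line in BADGE_LOG:
        p = line.split()
        events.append((normalize("badge", f"{p[0]} {p[1]}", "%Y-%m-%d %H:%M:%S"),
                       "badge", " ".join(p[2:])))
    for line in DOMAIN_LOG:
        p = line.split()
        events.append((normalize("domain", f"{p[0]} {p[1]}", "%m/%d/%Y %H:%M:%S"),
                       "domain", " ".join(p[2:])))
    for name, stamp in PREFETCH:
        events.append((normalize("prefetch", stamp, "%Y-%m-%dT%H:%M:%S"),
                       "prefetch", "executed " + name))
    for path, stamp in FILE_TIMES:
        events.append((normalize("filesystem", stamp, "%Y-%m-%dT%H:%M:%S"),
                       "filesystem", "created " + path))
    return sorted(events)

def events_following(timeline, anchor_source, window_minutes=30):
    """Corroborating events from other sources within the window after each anchor event."""
    out = []
    for when, src, _ in timeline:
        if src != anchor_source:
            continue
        out.extend(e for e in timeline
                   if e[1] != anchor_source and when <= e[0] <= when + timedelta(minutes=window_minutes))
    return out

if __name__ == "__main__":
    print(*build_timeline(), sep="\n")
```

With the skew applied, the logon lands about 15 minutes after the badge entry and the prefetch and file-creation events follow it, which is the chain the message above sketches.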
