That's an interesting one. I prefer to use the sleuthkit rather than "ls" to analyze filetimes. Try installing sleuthkit and run the following commands to get timestamp information.
For this example I'm making the assumption that your analysis system is Linux, the disk you are analyzing is NTFS, it shows up as /dev/sdc1 on your analysis station, and the native timezone of the files on the disk is EST5EDT.

# get the "inode" of the file
$ ls -i sdra64.exe
(for the sake of example, I made up a result of inode 4571362, used below)

# List the inode attributes (as root) using sleuthkit "istat"
$ istat -f ntfs -z EST5EDT /dev/sdc1 4571362 | less

The results of this command should display (among other things) the following attributes:

Created:
File Modified:
MFT Modified:
Accessed:

Post the results of the istat command and we'll see what that says for timestamps.

-Jake

Ben Greenfield wrote:
> I'm doing a forensic analysis of a Zeus/Zbot infection for a client.
> I came across something kind of interesting that I didn't initially
> notice, and I'm hoping that someone can confirm or blow away a thought
> I just had.
>
> Here is some backup information:
> ~/mountpoint/WINDOWS/system32$ ls -lt --full-time sdra64.exe
> -rwxrwxrwx 1 root root 161280 2009-02-09 07:10:48.000000000 -0500 sdra64.exe
>
> ~/mountpoint/WINDOWS/system32$ ls -ltu --full-time sdra64.exe
> -rwxrwxrwx 1 root root 161280 2009-09-02 07:26:08.000000000 -0400 sdra64.exe
>
> For argument's sake let's assume that the timestamps are accurate and
> that the malware isn't modifying its creation timestamp (which I
> wonder about because of 2009-02-09 and 2009-09-02 having numbers
> swapped). If I'm not mistaken the -0400 and -0500 refer to offset from
> Greenwich Mean Time. If that's the case, is it fair for me to assume
> that -0500 indicates that the computer which created the malware was
> configured with a different timezone than the one which was infected?
>
> Thanks, I look forward to people with more experience than me saying
> smart stuff now :)
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
* - - - - * - - - - * - - - - * - - - - * - - - -* - - - - *
Jake Cunningham
Lead Information Security Analyst
University of Massachusetts
Amherst, MA
(413) 577-0890
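The following Python is an added example, not code from the thread or from the Sleuth Kit. It shows where the -0500 and -0400 in the quoted `ls --full-time` output come from: NTFS stores each timestamp as a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC), and every tool, `ls` or `istat -z EST5EDT`, applies a zone to that UTC value when it prints. Under EST5EDT, 9 February 2009 falls in standard time (-0500) and 2 September 2009 in daylight time (-0400), so one zone yields both offsets. The code decodes and encodes FILETIME, applies the post-2007 US Eastern DST rules (my own implementation, assumed correct only for 2007 onward), and renders the two sample instants, which are constructed from the values in the quoted post (`ls -l` shows mtime, `ls -lu` atime).

```python
"""Render NTFS (FILETIME) timestamps under EST5EDT.

Added example, not code from the original thread or from the Sleuth Kit.
Assumptions: post-2007 US Eastern DST rules; the two sample timestamps are
constructed from the values quoted in the post.
"""
from datetime import datetime, timedelta, timezone

# NTFS/Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Decode a FILETIME integer to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Encode an aware datetime as a FILETIME integer."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def _nth_sunday(year, month, n):
    """UTC midnight of the n-th Sunday of the given month."""
    first = utc(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7   # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def us_eastern_offset(dt_utc):
    """Return (offset_hours, abbreviation) for EST5EDT under the post-2007 US rules.

    DST starts the second Sunday in March at 02:00 EST (07:00 UTC) and ends the
    first Sunday in November at 02:00 EDT (06:00 UTC). Assumed rules; earlier
    years used different dates.
    """
    dst_start = _nth_sunday(dt_utc.year, 3, 2).replace(hour=7)
    dst_end = _nth_sunday(dt_utc.year, 11, 1).replace(hour=6)
    if dst_start <= dt_utc < dst_end:
        return -4, "EDT"
    return -5, "EST"


def render_local(ft):
    """Format a FILETIME the way a tool given -z EST5EDT (or TZ=EST5EDT ls) shows it."""
    moment = filetime_to_utc(ft)
    hours, abbr = us_eastern_offset(moment)
    local = moment + timedelta(hours=hours)
    return f"{local:%Y-%m-%d %H:%M:%S} {hours:+03d}00 {abbr}"


# Constructed sample values: the two local times from the quoted `ls --full-time`
# output, converted back to the UTC instants NTFS actually stores.
MODIFIED_UTC = utc(2009, 2, 9, 12, 10, 48)   # shown as 07:10:48 -0500 (ls -l: mtime)
ACCESSED_UTC = utc(2009, 9, 2, 11, 26, 8)    # shown as 07:26:08 -0400 (ls -lu: atime)


if __name__ == "__main__":
    for label, moment in (("File Modified", MODIFIED_UTC), ("Accessed", ACCESSED_UTC)):
        ft = utc_to_filetime(moment)
        print(f"{label:14} FILETIME={ft}  UTC={moment:%Y-%m-%d %H:%M:%S}  "
              f"EST5EDT={render_local(ft)}")
```

The practical check this supports: pass the same zone to `istat -z` that the imaged machine was configured with, compare the rendered values against the `ls` output, and remember that the stored value is UTC either way, so an offset difference between two timestamps from the same volume is a DST artifact before it is evidence of a different machine.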
