Thursday, May 28, 2009

File System creation date vs. Operating System install date - Part I

I have recently seen a few listserv messages regarding determining when the Operating System was installed. This post focuses on the two common sources of date/times that can be somewhat misleading.

Two areas that are commonly looked at on a Windows installation are the MACE times for the internal NTFS objects, like $MFT, $MFTMirr, $LogFile, etc. which are all the same and then the OS install date registry value under: HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate

Lets clarify something first. One is the file system creation date and the other is the operating system install date. Remember that file systems and operating systems are two totally different things, with different purposes. Let talk through a common example:

An average home user buys a new hard drive and wants to install Windows XP. After the afternoon job of installing the hard drive, he pops in the Windows XP SP3 install disk and powers up the computer. Soon the user will be asked where to install Windows XP and in this common example, where to create the partition and file system. The common screen looks like this:

The user is sitting in California and the computer clock is set to the -8 GMT timezone, AKA: Pacific Standard Time, but the date is currently May 27th, 2009, meaning the region is currently in daylight saving time (-7 GMT). The time is currently 6:38 p.m. (GMT time is 1:38 a.m. on May 28th).

After seeing the blue screen shown above, the user hits enter and the NT file system is created. After the setup program copies the necessary setup files to the newly created volume, setup continues and the computer reboots. Approximately an hour later, the installation of the operating system is completed and the shiny new XP installation is done. The time is 7:53 p.m.

Now lets imagine at this moment that the local police swarm the house and seize the computer. A forensic examination is done the next day. What will the examiner find?

Lets think this trough for a moment. The user popped in a XP install CD and installed a fresh version of XP. The file system creation date/time was when that blue screen appeared and then an hour later the installation was done and Windows was ready for use. The OS Install date/time was approximately one hour after the file system creation time. The examiner should expect to see approximately one hour gap between these two dates and times, right?...right??

Back to the scenario: Investigators interview the user and he explains that he went to the local computer store at approximately noon and purchased a brand new 500GB hard drive. He then stopped for lunch and did some unrelated shopping before getting home. The football game was on, so he watched that for 3 hours before finally getting around to installing the hard drive and beginning the installation around 6:30pm.

The examiner uses EnCase and looks at the creation time for the $MFT and it shows this:

The examiner shouts the highly technical term "WTF" ?? The user must be lying. The examiner then checks the registry value for the install date and it shows:

What is going on here? Why aren't these two timestamps lining up the way we would expect? Here is where the misleading part is. The user started the installation at around 6:30p.m. The file system *WAS* created at 6:38p.m. Here is the problem. The system was started from the Windows install CD. Since there is no Operating System installed yet, the computer and installation program have no reference to a timezone yet, all it has is a date/time from the BIOS. The Windows install program uses the BIOS time as the local time, much the way older file systems did, like FAT with Windows 9x. The install program grabbed the time from the BIOS (6:38PM) and used that date/time.

Later, when examined, EnCase is expecting that this timestamp is stored in GMT and automatically applies a timezone shift of -7, because that's were the examiner's machine is set to. So what was stored was the actual local time of 6:38 p.m., but EnCase now displays that as 11:38a.m. since it thinks all timestamps are being stored by the file system in GMT.

The install date in the registry is correct a that was the time the installation completed and that is stored GMT since the operating system is fully installed and has a reference to the correct timezone and where GMT is in relation to the BIOS date/time.

As with all date/time issues, an examiner must be very careful *NOT* to rely on that information as the sole indicator of an event. This example just reinforces that issue and that the date/time you expect to find might not be what you actually find because of the way an application handles it.

The above scenario has been tested in all versions of Windows XP, SP1-3.

Having the above information in mind, if you took a new USB flash device and formatted it in Windows XP with the NT file system, what would you expect to be stored as the created date/time for the file system? your localtime or GMT?

Sunday, May 24, 2009

Harvest Keywords EnScript

This is a follow-up to the post I made on April 28 regarding the "Maine State Police - Keyword Search" EnScript.

This EnScript harvests keywords from selected files in EnCase. If you have a collection of contraband images, movies or whatever, you can load them into EnCase and then use this EnScript to generate a keyword list from a specific offset in each file. The original concept is to extract a unique keyword from somewhere in the middle of each contraband file to be used to positively identify it. Avoid using generic locations such at the header, which would get you hits of that file type, but they may not be contraband. The concept relies on the fact that you have a keyword from the original contraband file(s) that you can use to generate the keyword list (a kind of unique signature), then the original "Main State Police - Keyword Search" EnScript searches each cluster, in just the offset your keyword was harvested from to help reduce the time it takes and positively identify contraband, reducing the need to review every hit.

To use, just blue-check whatever files you wish to harvest keywords from:

Once selected, run the EnScript and pick the offset and size of the keyword. The longer the keyword harvested, the more unique and less chance of false positive hits.

A text file is created with whatever name you specify and the Length (LEN) and Offset (OFF) are appended to the filename, as well as the date and time to avoid accidentally overwriting an existing keyword list:

The list of keywords generated are displayed in the Console Tab of EnCase and can be viewed with notepad:

The generated keyword list can then be used with the EnScript posted on April 28th.

Download here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles