Case 001 – The Timing of it All

February 3, 2021 Guidance, Labs, Sage Advice, The Hunt
7,044 views
Reading Time: 5 minutes

The Timing of It All

Lining Up the Timelines of the Artifacts

There is a curveball in the data!!

** Warning: This will contain spoilers.**

If you are turbo hardcore and do not want to spoil the initial vector then simply take this away: The hosts were set to incorrectly set to Pacific Time while the Network Infrastructure was correctly tracking Mountain Time. This means host telemetry will be 1 hour ahead of the network telemetry. The network events have the right time stamps. In other words: if Event A occurred at 0100 hours GMT it would be timestamped in the PCAP as 0100 hour GMT while showing as 0200 hours GMT in the host logs. 

We know the victim network resides in Colorado. We also know that the incident occurred in September 2020. This means that the incident occurred on Systems in Mountain Time. It happened in September 2020. This means the systems should have been set to Mountain Time with a GMT offset of -6 hours. The issue is events on the host were being logged at local time plus 7 hours when they should have been adding 6.

This is a scenario meant for training! It is just another toy on the playground.

Let the Tools Work for You

Nearly every forensic tool is able to do some form of time correction. Psort.py for example (used in the Super Timeline Creation Process) can simply output the timeline at GMT -1. Event Log explorer can shift times by adding 5 hours. Both of these corrections will correctly adjust the times of the host logs to correctly represent the actual UTC time from the incident.

The Time Correction option can be found under the View menu in Event Log Explorer.

The following example shows how the time is corrected for the same event; when the DC Joined the Domain:

The time zone option can easily be adjusted when using Psort to create timeline CSV’s. Such adjustments easily produce results like the following:

In both cases we see the same events adjusted to show the correct UTC time. Nearly every forensic tool has this ability. Analysts would be wise to find these options when needed. To understand how to determine when such a technique is required is explained below.

Registry Analysis of Time Zone Settings for the Victim

Once the SYSTEM hive (and its Log Files) is on your Windows Forensics host open it with Eric Zimmerman’s Registry Explorer. Remember to stay organized and place them into a folder that makes sense. Don’t drop them on the desktop like a bad admin.

A good habit in forensics is to verify your theories or what you are being told. In this case we see the host is set to Pacific Time. You will see that many tools are prone to error in that they are simply taking the event time and adjusting it according to the system’s GMT offset. The tools are set up to fail when the machine has the wrong time zone, but the correct local time set. In this case the system’s clocks were properly set to the time in Colorado (GMT -6 U.S. Mountain Time), but the system was set to U.S. Pacific Time (GMT -7).

We have now verified that the hosts had their time zone set incorrectly.

Timeline Calibration

There are two main categories of forensic artifacts in this case, network data and host data. If an investigator tried to line up the network events with the host events they would seem off at first. If analyzed as separate exercises this is not a problem. Lets examine a few items of each.

Tools are fallible

DC01 Imageinfo

Above: Image from the Memory Analysis walkthrough showing the meta data related to the memory capture from the domain controller. The highlighted number 5 shows the collection time according to the tool.

The memory was collected at 2139 Colorado Time at -6 GMT. The investigator that collected the memory from this system took really good notes.

The memory image info says that it occurred at 2139 at -7 GMT, September 18, 2020.

Think about what is happening here. The local time was recorded correctly. However, the GMT is incorrect because the tool is calculating the GMT from the local time and adding the offset it believes is correct! The GMT should have read 0339 on September the 19th.

One Event Two Perspectives (Small Spoiler)

We have confirmed that the incorrect Time Zone setting has indeed affected the collection of the memory from the hosts. To compare and see how the network and host timelines may line up we need to look at the same event from two angles. Lets examine RDP Activity involving the Domain Controller DC01.

The image above shows 2 distinct groupings of events as seen from the DC01’s Operating System and the networks outside router. While these events do not line up exactly line for line the groupings of these events absolutely do. The host logs and the network logs show a flurry of RDP events that end around 21 minutes and 46 seconds past the hour, and another singular event approximately at 22 minutes and 7 seconds past the following hour. This proves that the hosts are logging things incorrectly one hour later than when they really occurred. In other words the PCAP has the correct hour for the time.

Analyst will have the best results in their analysis, and reporting, if they let the tools do the work for them as demonstrated at the beginning of this section.

Leave a Reply

Additional Resources

Archives