As the technical lead for digital forensics and cyber at Envista Forensics, I found that legally trained individuals could benefit from an article discussing system times and metadata. In almost every case, be it fraud or a cyber-incident, deciphering and interpreting metadata is important in answering the questions a case raises. Before metadata can be understood, one must also understand preservation and the field as a whole.
Much of what digital forensics deals with is hidden from a standard user, and often from the perpetrator too. Records and timestamps are created unwittingly, like “footprints in the snow”. If handled without care the snow will melt and the evidence will be lost forever; if misinterpreted, the true origin of a file can be misstated, which can spell disaster if the artefact is ever questioned at trial.
What is Digital Forensics?
Digital forensics is an umbrella term for:
Computer Forensics
- Ransomware, hacking and cyber-related claims
- Computers and data storage devices
Mobile Phone Forensics
- Mobile phones, tablets, pads
Cell Site Location and Tracking
- Location-based data from historical records
- GPS units in cars, boats, trucks, aviation
CCTV Video Recovery and Enhancement
- CCTV surveillance systems, data recovery
Selecting an Expert
When selecting an expert, it is important to establish whether that individual has court experience, certifications and experience in the fields relevant to the case. It is also worth noting the difference between a general ‘Computer Expert’ and a ‘Digital Forensics Expert’. A computer expert may be adept at configuration, virus detection and networking of devices, but lacks the credentials for the preservation of data, the tools for analysis and, importantly, the ability to interpret the digital artefacts uncovered in an investigation. Digital forensics can be summarised as “The process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable in any judicial or administrative hearing.”
The essential questions in an investigation are Who? What? Where? and When? Metadata, data about data, can help answer these questions.
A file or log time is only as accurate as the clock of the system that produced it. Before an examiner forensically acquires data, they should document the system time against a reliable reference time, together with the configured time zone, so that any time-related anomalies in the subsequent analysis can be explained. A system here can mean a computer, phone, GPS unit or even a digital camera.
If a clock is set wrong or has never been set, you may see artefacts apparently created on 01/01/1970, long before the device existed. That date is the Unix epoch: such timestamps are stored as a count of seconds (or, in some software, milliseconds) since 00:00:00 UTC on 1 January 1970, so a zero or missing value displays as that date. Windows stores many of its times as a count from 1 January 1601 (the FILETIME format), so 01/01/1601 is the equivalent tell-tale there. Resets of this kind typically happen when the small battery, usually a lithium button cell, that powers the real-time clock (often called the CMOS clock, which keeps time while the machine is powered off) has gone flat.
Unscrupulous individuals can change the system or operating system time, but a competent examiner can find the truth by looking for: operating system logs that record a time change (on Windows, Security event 4616, “The system time was changed”, when auditing is enabled); records that the system numbers sequentially, such as NTFS journal and log entries, whose timestamps should never run backwards, so that a sudden jump back and forth across otherwise consecutive record numbers betrays a clock change; dates supplied by outside systems, such as the server dates inside cached web pages, news articles in the browser cache and cookies, which can be compared with the local time at which the cache entry was written; and internal metadata clues, such as a ‘Last Printed’ date later than the ‘Last Saved’ date (Word only writes the last-printed value into the file when the document is saved, so a stored print time after the last save cannot arise while the clock is correct).
Cookies are set by the websites a user visits, such as eBay, so that actions such as items placed in the virtual shopping cart are logged and remembered. The browser stores each cookie with the local time at which it was created alongside the expiry time the server supplied; a mismatch between the local and server clocks is a major red flag. These unwittingly collected artefacts are often the curse of many a culprit, or the blessing of those who wish to prove where they were and what they did: the digital alibi in a murder case, “I wasn’t at that location, I was at home playing on my Xbox”, is one example.
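The three system-level checks described above, as an added example rather than code from the article or from Envista. The records are constructed for illustration: a sequentially numbered file-system journal whose clock is wound back between two entries, a camera image whose timestamp sits on the Unix epoch, and a browser cache entry that stores the web server's own date next to the local time it was written. The source names and the 10-minute skew tolerance are assumptions.

```python
"""Clock-tampering checks over a constructed evidence timeline.

Added example for this article; not code from the author or from Envista.
Every record below is constructed, and the record sources (a journal, a
camera, a browser cache) are assumed, not taken from a real case. Times are
naive datetimes interpreted as UTC.
"""
from datetime import datetime, timedelta

UNIX_EPOCH = datetime(1970, 1, 1)       # zero for Unix-style timestamps
FILETIME_EPOCH = datetime(1601, 1, 1)   # zero for Windows FILETIME values
MAX_SKEW = timedelta(minutes=10)        # tolerated local-vs-server clock difference (assumption)


def ts(text):
    """Parse an ISO 8601 timestamp such as 2023-05-02T09:00:00."""
    return datetime.fromisoformat(text)


# Constructed sample: records numbered by the system that wrote them, with the
# local clock time each carries. The cache record also carries the Date header
# the web server sent, which browsers store next to the entry.
SAMPLE_RECORDS = [
    {"source": "ntfs-journal", "seq": 1001, "time": ts("2023-05-02T09:00:00")},
    {"source": "ntfs-journal", "seq": 1002, "time": ts("2023-05-02T09:05:00")},
    {"source": "ntfs-journal", "seq": 1003, "time": ts("2023-04-30T17:20:00")},  # clock wound back here
    {"source": "ntfs-journal", "seq": 1004, "time": ts("2023-04-30T17:25:00")},
    {"source": "camera-exif", "seq": 1, "time": UNIX_EPOCH},                       # flat clock battery
    {"source": "browser-cache", "seq": 1, "time": ts("2023-04-30T17:30:00"),
     "server_time": ts("2023-05-02T09:12:00")},
]


def check_epoch_sentinels(records):
    """A time sitting exactly on an epoch is a reset or never-set clock, not an event time."""
    return [f"{r['source']} #{r['seq']}: {r['time']:%Y-%m-%d} is an epoch value, not a real event time"
            for r in records if r["time"] in (UNIX_EPOCH, FILETIME_EPOCH)]


def check_sequence_order(records):
    """Records a system numbers sequentially must carry non-decreasing times.

    A higher record number with an earlier time means the clock was moved
    between the two writes; the size of the backward jump is reported.
    """
    findings = []
    by_source = {}
    for r in records:
        by_source.setdefault(r["source"], []).append(r)
    for source, recs in by_source.items():
        recs = sorted(recs, key=lambda r: r["seq"])
        for prev, cur in zip(recs, recs[1:]):
            if cur["time"] < prev["time"]:
                jump = prev["time"] - cur["time"]
                findings.append(f"{source}: #{cur['seq']} is {jump} earlier than #{prev['seq']}; clock moved back")
    return findings


def check_server_skew(records):
    """Compare the local write time of a cache entry with the server's own date."""
    findings = []
    for r in records:
        server = r.get("server_time")
        if server is None:
            continue
        skew = server - r["time"]
        if abs(skew) > MAX_SKEW:
            direction = "behind" if skew > timedelta(0) else "ahead of"
            findings.append(f"{r['source']} #{r['seq']}: local clock is {abs(skew)} {direction} the server")
    return findings


def run_all(records=SAMPLE_RECORDS):
    """Run every check and return the findings grouped by check."""
    return {
        "epoch": check_epoch_sentinels(records),
        "sequence": check_sequence_order(records),
        "skew": check_server_skew(records),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name)
        for line in findings:
            print("   ", line)
```

Each check is independent so it can be pointed at a different artefact source; in practice the sequence check is the most robust, because the record numbers are assigned by the system and cannot be pushed backwards by changing the clock.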
Forensic Collection Best Practice
Examiners go to great lengths to preserve the ‘digital snow’ and make sure that they leave no ‘footprints’; where a footprint is unavoidable, they document its location and the reasoning. Imagine a murder scene where the forensic team march in wearing muddied boots and the case ends up dismissed on procedural grounds. The same can happen when neophytes attempt to examine a live computer without first collecting, documenting and preserving the data. The expert would either boot the machine from a forensic DVD or USB stick, which does not mount or write to the internal disk, or remove the disk and attach it through a hardware write blocker, a device that physically prevents any writes to the evidence drive. Simply plugging a disk into another system is not safe: the operating system will mount it and may update timestamps, replay file-system journals or index its contents, and those writes are themselves traces of the event.
A complete copy of the physical disk’s data (an image) is taken, and a digital fingerprint, a hash sum, is computed over it so that its integrity can be verified against the original at any later point. MD5 is still commonly reported, but because MD5 collisions are practical, examiners should record a second hash such as SHA-1 or SHA-256 alongside it. The examination is carried out on a working copy of the image rather than on the original disk, so that the original is preserved. An exception is a live server that cannot be taken down; this can be copied with a forensic copy tool that preserves file times and retries when a file is locked and in use. If the disk is encrypted, the contents of the Random Access Memory, which are lost when the system is powered off, are imaged first, because the decryption key and other valuable data may reside there; powering off in that case may leave a full forensic image that is unusable without the password. In those cases, logs must be kept to note any changes, albeit minimal, made to the system. When determining the integrity of even one document, the whole system used to produce that document must be considered.
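The hashing and verification step described above, as an added example rather than code from the article or from Envista. The image it hashes is a small constructed file standing in for a disk image of many gigabytes, which is why the file is read in fixed-size chunks; the 4 MiB chunk size and the choice of MD5 plus SHA-256 are assumptions. The second half of the demonstration flips a single byte in the working copy to show that every digest then disagrees with the acquisition record.

```python
"""Acquisition hashes and working-copy verification.

Added example for this article; not code from the author or from Envista.
The "image" it hashes is a small constructed file, standing in for a disk
image that would be tens of gigabytes, which is why it is read in chunks.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 4 * 1024 * 1024          # 4 MiB reads keep memory flat for large images (assumption)
ALGORITHMS = ("md5", "sha256")   # MD5 for continuity with tooling, SHA-256 because MD5 collisions are practical


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for the file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(path):
    """What the examiner writes down at acquisition time: name, size and every digest."""
    return {"path": os.path.basename(path), "size": os.path.getsize(path), **hash_file(path)}


def verify_copy(record, copy_path):
    """Re-hash a working copy and compare each digest with the acquisition record.

    Returns {algorithm: True/False}; any False means the copy is not the original.
    """
    actual = hash_file(copy_path, tuple(a for a in ALGORITHMS if a in record))
    return {name: record[name] == digest for name, digest in actual.items()}


def demo():
    """Image a constructed 3 MiB 'disk', verify a faithful copy, then detect a one-byte change."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.dd")
        with open(original, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024))    # constructed image contents
        record = acquisition_record(original)

        working = os.path.join(workdir, "working-copy.dd")
        shutil.copyfile(original, working)
        results["intact"] = verify_copy(record, working)

        # Flip one bit deep inside the copy: both digests must now disagree.
        with open(working, "r+b") as f:
            f.seek(1_234_567)
            byte = f.read(1)
            f.seek(1_234_567)
            f.write(bytes([byte[0] ^ 0x01]))
        results["tampered"] = verify_copy(record, working)

        # Known-answer check against the published test vectors for the input "abc".
        kat = os.path.join(workdir, "abc.bin")
        with open(kat, "wb") as f:
            f.write(b"abc")
        results["kat"] = hash_file(kat)
    return results


if __name__ == "__main__":
    for stage, outcome in demo().items():
        print(stage, outcome)
```

The known-answer file is there for the same reason the examiner's notes quote the tool version: a hash is only evidence if the tool that produced it can be shown to compute the algorithm correctly.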
Time Data Locations
Time data is found outside files, as the MAC times held by the file system, and also inside system logs, web browser caches and office documents, to name a few. Virtually all electronically stored information carries timestamps. Times the file system records about a file are called MAC times; times recorded within the file’s own contents are internal ‘metadata’, data about data. Both are created automatically, but both can be tampered with and both are easily changed, even accidentally, by ordinary handling. Hence the need for a documented forensic collection procedure.
MAC (Modified Accessed and Created) File Time Stamps
Files carry external timestamps, set by the file system: (i) Modified date: the date the contents were last changed and the change saved; (ii) Accessed date: the date the file was last read, whether by a user or by an automated process such as a virus scan (note that modern Windows versions disable or throttle last-access updates by default, so this value is often stale); and (iii) Created date: best thought of as the ‘born on that location’ date, the date the file arrived at that location on that volume. Thus, if a file’s modified date is earlier than its created date, it was most likely copied to that location, by a user or by a backup restore, carrying its original modified time with it. NTFS additionally keeps a fourth timestamp, the time the file’s MFT record itself last changed, and a second, less easily altered set of times in the $FILE_NAME attribute; comparing the two sets is a standard check for timestamp tampering. From these we can decipher when a file arrived on a system, how, whether and when it was changed, and whether it was accessed. The exact semantics differ between Windows, macOS and Linux (for example, the Linux ‘ctime’ is the time the file’s metadata last changed, not a creation time), and care must be taken before making assumptions.
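The ‘modified before created’ reasoning above, applied to real files on the examiner's own machine, as an added example rather than code from the article or from Envista. It creates a fresh file, an ‘old’ document whose modified time has been set back three years, and a copy of that document made in the way Explorer, Finder or `cp -p` would make it (contents and modified time preserved, but a new created time), then reads the three timestamps back with os.stat. The one-second tolerance and the file names are assumptions; the platform differences in what os.stat exposes are noted in the code.

```python
"""Reading and interpreting a file's MAC times on the examiner's own machine.

Added example for this article; not code from the author or from Envista.
It uses only the standard library and works on files it creates in a
temporary directory. The 'created' value is the birth time where the
platform exposes it (Windows, macOS, and Linux with Python 3.12 on a
supporting filesystem); elsewhere it falls back to st_ctime, the inode
change time, which is not a creation time but is the closest available proxy.
"""
import os
import shutil
import tempfile
import time

TOLERANCE_S = 1.0  # allow for coarse timestamp granularity on some filesystems (assumption)


def mac_times(path):
    """Return (created, modified, accessed) as POSIX seconds for one file."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime", None)
    if created is None:
        created = st.st_ctime  # proxy only, see module docstring
    return created, st.st_mtime, st.st_atime


def interpret(created, modified, accessed):
    """Apply the article's reasoning to one file's external timestamps.

    Returns a list of findings; an empty list means the times look ordinary.
    """
    findings = []
    if modified < created - TOLERANCE_S:
        findings.append("modified earlier than created: file was copied, restored or moved here, "
                        "or its modified time was set back by hand")
    if accessed < modified - TOLERANCE_S:
        findings.append("accessed earlier than modified: last-access updates are disabled or lazy "
                        "on this volume, so do not rely on the access time")
    return findings


def describe(path):
    """Timestamps plus findings for one file, in a form that can be tabulated."""
    created, modified, accessed = mac_times(path)
    return {"created": created, "modified": modified, "accessed": accessed,
            "findings": interpret(created, modified, accessed)}


def demo():
    """Show that a copy keeps the source's modified time but gets a new created time."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        fresh = os.path.join(workdir, "fresh.txt")
        with open(fresh, "w") as f:
            f.write("written just now\n")
        results["fresh"] = describe(fresh)

        # An 'old' document: set its modified (and accessed) time back three years.
        old = os.path.join(workdir, "old-report.txt")
        with open(old, "w") as f:
            f.write("written three years ago (simulated)\n")
        three_years_ago = time.time() - 3 * 365 * 86400
        os.utime(old, (three_years_ago, three_years_ago))
        # Backdating with utime leaves the old file itself looking 'copied'
        # (modified before created), which is exactly what timestomping looks like.
        results["old"] = describe(old)

        # Copy it as a user would: copy2 preserves the modified and accessed
        # times, but the copy's created time is the moment of copying.
        copied = os.path.join(workdir, "old-report-copy.txt")
        shutil.copy2(old, copied)
        results["copy"] = describe(copied)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, time.strftime("%Y-%m-%d", time.gmtime(info["created"])),
              time.strftime("%Y-%m-%d", time.gmtime(info["modified"])), info["findings"])
```

The copy and the backdated original produce the same finding, which is the point of the article's caution: the external timestamps alone show that something moved or was altered, and only the fuller record (file-system journals, the second set of NTFS times, the internal metadata) says which.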
Internal File Specific Metadata
There is a plethora of file types found on a computer. Microsoft Word documents carry properties such as Author, Last Printed and Last Saved which can tell us the history of the file. Digital photographs carry EXIF metadata with fields such as camera make and model, the date and time the photo was taken and, for cameras and phones with GPS chips, the location where it was taken. All these records can be tied into a single chronology in order to ascertain user actions, and then displayed in a way that a layperson can follow: who did what, when, and sometimes approximately where. Examiners use tools such as log2timeline (part of the Plaso framework) to do this. In a recent ransomware case this technique was used to promptly establish that: 1) malware was downloaded from the internet by user A; 2) the malware was opened by user B; 3) the file was not detected by the anti-virus software; 4) the threat spread and exfiltrated data to a remote location; and 5) it deleted itself, leaving no apparent physical trace.
System and file times must be preserved through forensic collection and analysis, as data is highly volatile in its live state. Hiring general IT staff to review the evidence should be avoided: anomalies and changes that a digital forensics expert will usually spot easily are overlooked by the uninitiated. Determining a file’s origin and integrity must, in most cases, follow a full collection of the system and a complete forensic examination.
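How the Word properties mentioned above are actually read and turned into chronology rows, as an added example rather than code from the article or from Envista, and not a substitute for log2timeline. A .docx file is a ZIP archive and the Author, Last Saved and Last Printed values live in its docProps/core.xml part. The archive built here is constructed for the example and contains only that part (Word would not open it; a real document carries many more parts, but the parser reads only this one), and its user names and dates are invented.

```python
"""Extracting Office core properties and fitting them into a chronology.

Added example for this article; not code from the author or from Envista.
The archive is constructed and holds only docProps/core.xml, the part that
carries the properties the article discusses. The namespace URIs are the
standard ones used by the Office Open XML package format.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: a document created by one user, last saved by another,
# and carrying a Last Printed time that is later than the Last Saved time.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>user.a</dc:creator>
  <cp:lastModifiedBy>user.b</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <cp:lastPrinted>2023-05-02T09:03:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-04-01T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-04-30T17:22:00Z</dcterms:modified>
</cp:coreProperties>
""".format(**NS)


def build_sample_docx():
    """Return the bytes of a minimal constructed archive holding only core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def parse_w3cdtf(text):
    """Office writes W3CDTF times such as 2023-04-30T17:22:00Z; return them as aware UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def core_properties(docx_bytes):
    """Read the core properties the article relies on from a .docx held in memory."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    props = {
        "author": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
    }
    for key, path in (("created", "dcterms:created"),
                      ("last_saved", "dcterms:modified"),
                      ("last_printed", "cp:lastPrinted")):
        value = text(path)
        props[key] = parse_w3cdtf(value) if value else None
    return props


def chronology(props):
    """Turn the properties into (time, actor, event) rows sorted by time."""
    rows = [
        (props["created"], props["author"], "document created"),
        (props["last_saved"], props["last_modified_by"], "document last saved"),
    ]
    if props["last_printed"]:
        rows.append((props["last_printed"], "unknown", "document last printed"))
    return sorted(rows, key=lambda row: row[0])


def consistency_findings(props):
    """Last Printed only reaches the file through a save, so it cannot legitimately
    post-date Last Saved; a save cannot legitimately pre-date creation either."""
    findings = []
    if props["last_printed"] and props["last_saved"] and props["last_printed"] > props["last_saved"]:
        findings.append("Last Printed is after Last Saved: clock change or edited metadata")
    if props["created"] and props["last_saved"] and props["last_saved"] < props["created"]:
        findings.append("Last Saved is before Created: clock change or edited metadata")
    return findings


if __name__ == "__main__":
    props = core_properties(build_sample_docx())
    for when, who, what in chronology(props):
        print(when.isoformat(), who, what)
    print(consistency_findings(props))
```

The chronology rows are deliberately in the same (time, actor, event) shape for every source, which is what allows document properties, file-system times and log entries to be merged into the single timeline the ransomware case relied on.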
Details of the Author
Alistair Ewing has over eight years of experience in digital forensic analysis, data recovery, mobile phone forensics and litigation support, and has served as an expert witness in criminal and civil cases in the UK. Mr Ewing began performing digital forensics in 2011 and has hundreds of hours of experience in this sector. Qualified as an expert witness for some years and vetted by Sweet and Maxwell, he has presented evidence in tribunals and in civil and criminal courts in the UK, and has been involved in corporate investigations, litigation support and collections.