RE: [sleuthkit-users] Honeynet Forensic Challenge TimeStamping
From: Surago J. <su...@sj...> - 2005-09-06 18:18:47
That was supposed to say 'an important event' not 'an import event' :-)

________________________________
From: sle...@li... [mailto:sle...@li...] On Behalf Of Surago Jones
Sent: Wednesday, 7 September 2005 05:47
To: sle...@li...
Subject: [sleuthkit-users] Honeynet Forensic Challenge TimeStamping

Just a quick query for anyone that may have attempted the Forensic Challenge available from the Honeynet Project (http://www.honeynet.org/challenge/index.html).

I have just created a timeline within Autopsy v2.05 and, upon comparing my times to the times in the answers provided by The Honeynet Project's analysis (http://www.honeynet.org/challenge/results/dittrich/evidence.txt) of an important event (the first modification made), I note that my results differ by two hours.

Their first detail looks like this:

    Nov 08 00 06:26:15 0 m.c -rw-r--r-- root root /t/etc/hosts.deny

Whereas the same command in my timeline is as follows:

    Wed Nov 08 2000 08:26:15 0 m.c -/-rw-r--r-- root root 26217 /etc/hosts.deny

I have just checked Brian Carrier's results and he also gets 08:26:15 within his timeline, and I am just wondering why there is a difference of two hours between the two results. It was my understanding the time zone for the compromised image was GMT-0600, so I set up my host using 'CST6CDT'.

I also just checked some of the other contributors' timelines, and a few match what I have, whereas others are quite different for the hours (i.e. a couple of people state the above modification occurs at 15.26:15 on the same day).

What are the implications of performing an analysis on a system when it is possible the analysis will be performed in different parts of the world with varying time zones? How important is it to be completely accurate with time information, especially if, when peer reviewed by people in different time zones, different times could be provided? Does this merely point out the importance of proper procedure when establishing the correct 'time zone' of a compromised machine?

I am not aware of the technical experience or expertise of the contributors to this challenge, but it does come across as a very important point, especially when one would hope that with correct process and procedure another Forensic Examiner could arrive at the same conclusion (or times, as this case may be).

Any thoughts/ideas/comments would be appreciated, especially so if anyone here has attempted the forensic challenge itself.

Cheers

Surago.
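An illustration of the point raised in the post, added here as an example (it is not part of Surago's message or of The Sleuth Kit's own code): the inode timestamp on disk is a UTC epoch, and a timeline tool renders that same epoch in whatever zone the analyst's host is configured for. It assumes that on 8 Nov 2000 'CST6CDT' means a fixed UTC-6 (US daylight time had already ended), and it checks which whole-hour offsets would render the quoted /etc/hosts.deny mtime as 06:26:15 and 15:26:15, the other values mentioned in the post.

```python
from datetime import datetime, timedelta, timezone

# Constructed input: the /etc/hosts.deny mtime as rendered in the post's own
# timeline, produced on a host set to CST6CDT. Assumption: on 8 Nov 2000 that
# zone is a fixed UTC-6, so it is modelled as a fixed-offset zone here.
CST = timezone(timedelta(hours=-6), "CST")
LOCAL_RENDERING = "Wed Nov 08 2000 08:26:15"
MACTIME_FMT = "%a %b %d %Y %H:%M:%S"  # the date layout used in the quoted line


def to_epoch(rendered: str, tz: timezone) -> int:
    """Recover the UTC epoch the filesystem stores from a rendered timestamp.

    The rendered string is only meaningful together with the zone that
    produced it; re-attach that zone and convert back to seconds since 1970.
    """
    naive = datetime.strptime(rendered, MACTIME_FMT)
    return int(naive.replace(tzinfo=tz).timestamp())


def render(epoch: int, utc_offset_hours: int) -> str:
    """Render one stored epoch the way a host at the given UTC offset would."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime(MACTIME_FMT)


def offsets_matching(epoch: int, target_hms: str) -> list:
    """Whole-hour UTC offsets under which the epoch renders as target_hms.

    Used to work backwards from a reported wall-clock time to the zone the
    reporting analyst's host must have been set to.
    """
    return [h for h in range(-12, 15) if render(epoch, h).endswith(target_hms)]


if __name__ == "__main__":
    epoch = to_epoch(LOCAL_RENDERING, CST)
    print("stored epoch:", epoch, "=", render(epoch, 0), "UTC")
    for offset in (-8, -6, 0, 1):
        print(f"UTC{offset:+03d}:", render(epoch, offset))
    for reported in ("06:26:15", "15:26:15"):
        print(reported, "is produced by UTC offsets", offsets_matching(epoch, reported))
```

Recording the zone alongside every rendered time (or exchanging raw epochs) removes the ambiguity the post describes; the report's zone, not the analyst's, is what peer reviewers need to agree on.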