Re: [sleuthkit-users] Honeynet Forensic Challenge TimeStamping
From: Brian C. <ca...@sl...> - 2005-09-07 20:09:00
Timezones were harder to deal with when the challenge came out many years ago. Most tools did not allow you to set the timezone for the image and therefore to get accurate times you had to change the timezone on the actual analysis system. I think most tools have now changed that.

brian

On Sep 6, 2005, at 12:46 PM, Surago Jones wrote:

> Just a quick query for anyone that may have attempted the Forensic Challenge available from the Honeynet Project (http://www.honeynet.org/challenge/index.html)
>
> I have just created a timeline within Autopsy v2.05 and upon comparing my times to the times in the answers provided by The Honeynet Project's analysis (http://www.honeynet.org/challenge/results/dittrich/evidence.txt) for an important event (the first modification made), I note that my results differ by two hours.
>
> Their first detail looks like this..
>
> Nov 08 00 06:26:15 0 m.c -rw-r--r-- root root /t/etc/hosts.deny
>
> Whereas the same command in my timeline is as follows…
>
> Wed Nov 08 2000 08:26:15 0 m.c -/-rw-r--r-- root root 26217 /etc/hosts.deny
>
> I have just checked Brian Carrier's results and he also gets 08:26:15 within his timeline, and I am just wondering why there is a difference of two hours between the two results. It was my understanding the time zone for the compromised image was GMT-0600, so I set up my host using 'CST6CDT'.
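The point Brian makes above, that the timezone in effect during timeline generation (either chosen in the tool or inherited from the analysis system) shifts every rendered MAC time while the on-disk epoch values stay the same, can be shown with a small timeline renderer. The script below is an added example, not code from The Sleuth Kit or Autopsy. It assumes the TSK 3.x body-file layout (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds in UTC), uses a constructed body line whose values (inode, size, timestamps) are made up and not taken from the challenge image, and compares the zones `CST6CDT`, `PST8PDT` and `UTC`. The thread does not say which zone the published analysis used; `PST8PDT` here is only an assumed second zone chosen to show how a two-hour gap between two analysts' timelines arises.

```python
"""Mini mactime-style renderer: same epoch, different zone, different row.

Added example (not TSK/Autopsy code). Reads TSK 3.x body lines and renders
rows in the style "Wed Nov 08 2000 08:26:15  size macb mode uid gid inode name".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fallback offsets used only when this host has no tz database (assumption:
# standard time is in effect on the date of interest, as it is in early
# November 2000 for the US zones).
FIXED_OFFSETS = {"UTC": 0, "CST6CDT": -6, "PST8PDT": -8}

# Constructed sample body line (not from any real image). Epoch 973693575 is
# 2000-11-08 14:26:15 UTC; mtime and ctime are equal, atime is later, crtime
# is unset (0).
SAMPLE_BODY = """\
0|/etc/hosts.deny|26217|-/-rw-r--r--|0|0|347|973700000|973693575|973693575|0
"""


def resolve_zone(name):
    """Return a tzinfo for a zone name: zoneinfo when tzdata is available,
    otherwise the fixed-offset table above (an approximation without DST)."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:  # no zoneinfo module or no tzdata on this host
        return timezone(timedelta(hours=FIXED_OFFSETS[name]), name)


def parse_body(text):
    """Parse body-format lines into dicts; epoch fields are kept as ints."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        yield {
            "name": name, "inode": inode, "mode": mode, "uid": uid,
            "gid": gid, "size": size,
            "times": {"m": int(mtime), "a": int(atime),
                      "c": int(ctime), "b": int(crtime)},
        }


def render_time(epoch, tz):
    """Render a UTC epoch as wall-clock time in the given zone."""
    return datetime.fromtimestamp(epoch, tz).strftime("%a %b %d %Y %H:%M:%S")


def timeline(body_text, tz_name):
    """Return timeline rows sorted by epoch. One row per (timestamp, file);
    the macb flags mark which of the four times equal that timestamp.
    Unset (zero) timestamps produce no row."""
    tz = resolve_zone(tz_name)
    rows = []
    for entry in parse_body(body_text):
        by_ts = defaultdict(set)
        for flag, t in entry["times"].items():
            if t:
                by_ts[t].add(flag)
        for t in sorted(by_ts):
            flags = "".join(c if c in by_ts[t] else "." for c in "macb")
            rows.append((t, entry["name"],
                         f"{render_time(t, tz)} {entry['size']:>8} {flags} "
                         f"{entry['mode']} {entry['uid']} {entry['gid']} "
                         f"{entry['inode']} {entry['name']}"))
    return [row for _, _, row in sorted(rows)]


def hour_difference(epoch, zone_a, zone_b):
    """Hours by which zone_a's rendering of epoch is ahead of zone_b's."""
    off_a = datetime.fromtimestamp(epoch, resolve_zone(zone_a)).utcoffset()
    off_b = datetime.fromtimestamp(epoch, resolve_zone(zone_b)).utcoffset()
    return (off_a - off_b).total_seconds() / 3600


if __name__ == "__main__":
    # Same body, three zones: the epoch never changes, only the displayed time.
    for zone_name in ("UTC", "CST6CDT", "PST8PDT"):
        print(f"--- timeline rendered in {zone_name} ---")
        for row in timeline(SAMPLE_BODY, zone_name):
            print(row)
    print("CST6CDT is ahead of PST8PDT by",
          hour_difference(973693575, "CST6CDT", "PST8PDT"), "hours")
```

Running it prints the m.c. row for the sample file as 14:26:15 under UTC, 08:26:15 under CST6CDT and 06:26:15 under PST8PDT, so two analysts comparing timelines built on hosts in those last two zones see the same event two hours apart even though the stored ctime/mtime are identical. The practical check when timelines disagree is therefore to confirm the zone each one was generated in (the tool's own zone option where it has one, otherwise the analysis host's TZ) before looking for differences in the evidence itself.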