Time is relative, and that’s certainly the case with a computer’s internal clock. In this video, you’ll learn how operating systems count time and how a computer’s timezone setting can change how you look at data.
So what time is it? Well, statistically speaking, you’re probably in a different time zone than I am. You’re certainly watching this video at a different time than I recorded it. There’s a difference there. And so when you’re dealing with time, you have to be very precise and very specific about when you saw something, how you saw it, when a file was saved, and when a file was accessed.
One of the things we want to look at is the time offset. If this is the Windows operating system, for instance, Windows uses a 64-bit time stamp. It’s a time stamp that counts the number of 100-nanosecond intervals that have occurred since January 1 of the year 1601 at 00:00:00 GMT. Obviously, this means that it’s going to stop working in about, oh, I don’t know, 58,000 years. So if anything, Microsoft was thinking ahead of the game here. You aren’t going to run out of time any time in the next 58,000 years. Maybe by then we’ll have a different time stamp we can work with.
In Unix or Linux, we have a 32-bit time stamp to deal with. This counts the number of seconds that have occurred since January 1 of 1970 at 00:00:00 GMT. Now notice that this is a 32-bit time stamp, which means it’s going to stop working soon. We don’t have that many numbers, or seconds, that we can deal with here. So it’s going to stop working on Monday, December 2 of 2030.
Now if you were around for Y2K, this will be the next one we have to deal with. Y2K plus 30, I guess you can call it. At 7:42:58 PM, that is 19:42:58 GMT. So there’s your challenge: the time stamps on Windows and on Linux or Unix-based systems, the POSIX-based systems, are very different in the way that they count what time it is.
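The two counters described above, the Windows 64-bit count of 100-nanosecond intervals since 1601 and the Unix count of seconds since 1970, are converted between each other in the following added example. This is not code from the video; the little-endian byte order is how FILETIME values sit in NTFS metadata, the epoch-distance constant is derived rather than quoted, and the sample FILETIME value is a constructed input. It also computes the instant at which a signed 32-bit seconds counter reaches its maximum, since that is the limit the 32-bit time stamp discussion is about.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Unix time counts whole seconds since 1970-01-01 00:00:00 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 10_000_000  # 100 ns intervals in one second

# Distance between the two epochs in 100 ns intervals. This is the
# 116444736000000000 constant seen in forensic tooling; it is derived here
# so the arithmetic can be checked instead of trusted.
EPOCH_DIFF_INTERVALS = int((UNIX_EPOCH - WINDOWS_EPOCH).total_seconds()) * INTERVALS_PER_SECOND


def filetime_from_bytes(raw: bytes) -> int:
    """Read an 8-byte little-endian FILETIME as it is stored on disk (e.g. NTFS metadata)."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little", signed=False)


def filetime_to_unix(filetime: int) -> float:
    """Convert a FILETIME to Unix seconds; the fractional part keeps the 100 ns precision."""
    return (filetime - EPOCH_DIFF_INTERVALS) / INTERVALS_PER_SECOND


def unix_to_filetime(unix_seconds: int) -> int:
    """Convert whole Unix seconds to a FILETIME."""
    return unix_seconds * INTERVALS_PER_SECOND + EPOCH_DIFF_INTERVALS


def filetime_to_datetime(filetime: int) -> datetime:
    """Render a FILETIME as an aware UTC datetime.

    Python's datetime stops at year 9999, so the full 64-bit range (roughly
    58,000 years) cannot be represented and out-of-range values raise OverflowError.
    The last 100 ns digit is dropped because datetime only holds microseconds.
    """
    if not 0 <= filetime < 2**64:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def unix32_to_datetime(unix_seconds: int, signed: bool = True) -> datetime:
    """Render a 32-bit Unix timestamp as UTC, signed (classic time_t) or unsigned."""
    low = -(2**31) if signed else 0
    high = 2**31 if signed else 2**32
    if not low <= unix_seconds < high:
        raise ValueError("value does not fit a 32-bit time_t")
    return UNIX_EPOCH + timedelta(seconds=unix_seconds)


def signed32_rollover() -> datetime:
    """The last instant a signed 32-bit seconds counter can hold before it wraps."""
    return unix32_to_datetime(2**31 - 1)


if __name__ == "__main__":
    # Constructed sample: little-endian bytes of the FILETIME for 2020-01-01 00:00:00 UTC.
    sample = (132223104000000000).to_bytes(8, "little")
    ft = filetime_from_bytes(sample)
    print("FILETIME", ft, "->", filetime_to_datetime(ft).isoformat())
    print("as Unix seconds:", filetime_to_unix(ft))
    print("signed 32-bit time_t maximum:", signed32_rollover().isoformat())
```

When reading a raw FILETIME out of a disk image, check the value against `EPOCH_DIFF_INTERVALS` before converting: anything below it predates 1970 and is usually a zeroed or corrupt field rather than a real file event.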
And when you sit down in front of the computer and you’re looking at the files and their time stamps, there are also differences in how the operating system is storing those. Different file systems store time stamps differently. On a file allocation table file system, the FAT file system, time is stored in local time. That means whatever the local time is on your computer. If it’s five in the afternoon your time, it stores it as five in the afternoon. You have to keep that in mind when you’re looking at the time stamps.
If you’re using NTFS, the time is stored as GMT. Your operating system converts the time on the fly to show you what your local time is, but the reality is that the time stamp of the file is in GMT. So that’s another thing to keep track of from a forensics perspective.
When you sit down in front of these computers, you also have to know what time zone is configured on the computer, so that when you’re looking at a screenshot of time stamps, you understand what the actual time is relative to GMT. So you want to look at the Windows registry, which is the ultimate source of where this is stored in Windows. And there are many different values in the registry, because you can set the time, you can set what your time zone is, you can set whether daylight saving time takes effect, and whether the time change information is applied automatically or not. There’s a lot to the time.
So when you’re storing this and looking at the time on the clock of your computer, you also need to understand what the offset is set to, and then you’ll be able to bring everything back to one relative time stamp. Usually GMT is the one we very commonly use as a standard relative time stamp. But you can see here now how important it is, when you’re collecting data, to make sure you have the correct time and you understand what the time offset is of that computer.
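Bringing FAT local-time stamps and NTFS GMT stamps back onto one GMT timeline, using the offset configured on the machine, is shown in the following added example. This is not code from the video. It assumes the time zone offset was read from the registry value `ActiveTimeBias` under `HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation`, which the video does not name; Windows defines that value in minutes with the relation UTC = local time + bias, stored as an unsigned DWORD. The FAT date and time field layout is the standard packed 16-bit encoding, and every file name, bias and time stamp in the sample is constructed.

```python
from datetime import datetime, timedelta, timezone


def dword_to_signed(value: int) -> int:
    """Interpret a REG_DWORD as a signed 32-bit integer.

    TimeZoneInformation biases are DWORDs, so zones east of UTC (negative bias)
    appear as large unsigned values such as 0xFFFFFF88 (-120, i.e. UTC+2).
    """
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def decode_fat_datetime(date_field: int, time_field: int) -> datetime:
    """Decode FAT's packed 16-bit date and time fields.

    date: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day
    time: bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds / 2
    The result is naive on purpose: FAT records local time with no zone information.
    """
    year = 1980 + ((date_field >> 9) & 0x7F)
    month = (date_field >> 5) & 0x0F
    day = date_field & 0x1F
    hour = (time_field >> 11) & 0x1F
    minute = (time_field >> 5) & 0x3F
    second = (time_field & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def local_to_utc(naive_local: datetime, active_time_bias_minutes: int) -> datetime:
    """Apply the registry bias: Windows defines UTC = local time + bias (minutes)."""
    if naive_local.tzinfo is not None:
        raise ValueError("expected a naive local timestamp")
    return (naive_local + timedelta(minutes=active_time_bias_minutes)).replace(tzinfo=timezone.utc)


def utc_to_local_display(utc_dt: datetime, active_time_bias_minutes: int) -> datetime:
    """What the desktop would show for an NTFS (UTC) stamp on a machine with this bias."""
    return (utc_dt.astimezone(timezone.utc) - timedelta(minutes=active_time_bias_minutes)).replace(tzinfo=None)


def build_timeline(events, active_time_bias_dword: int):
    """Normalise mixed FAT (local) and NTFS (UTC) events onto one UTC timeline.

    events: iterable of (label, source, payload) where source is "fat" with payload
    (date_field, time_field), or "ntfs" with payload an aware UTC datetime.
    Returns (label, utc_datetime) tuples sorted by UTC.
    """
    bias = dword_to_signed(active_time_bias_dword)
    timeline = []
    for label, source, payload in events:
        if source == "fat":
            when = local_to_utc(decode_fat_datetime(*payload), bias)
        elif source == "ntfs":
            if payload.tzinfo is None:
                raise ValueError("NTFS timestamps must already be UTC-aware")
            when = payload.astimezone(timezone.utc)
        else:
            raise ValueError(f"unknown source {source!r}")
        timeline.append((label, when))
    timeline.sort(key=lambda item: item[1])
    return timeline


# Constructed sample: ActiveTimeBias of 240 (UTC-4), one FAT entry written at
# 2024-07-04 17:00:00 local time, one NTFS entry created at 2024-07-04 20:30:00 UTC.
SAMPLE_BIAS_DWORD = 240
SAMPLE_EVENTS = [
    ("usb_stick/report.docx modified (FAT)", "fat", (22756, 34816)),
    ("C:\\Users\\x\\report.docx created (NTFS)", "ntfs", datetime(2024, 7, 4, 20, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for label, when in build_timeline(SAMPLE_EVENTS, SAMPLE_BIAS_DWORD):
        print(when.isoformat(), label)
```

Read naively, the FAT entry (17:00) looks three and a half hours older than the NTFS entry (20:30); once the FAT value is shifted by the machine's bias it is actually the later of the two, which is exactly the mistake a per-file-system offset table is meant to prevent.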