Re: Creation / modification / access dates

From: Andrew Sheldon (forensicsat_private)
Date: Mon Jul 14 2003 - 12:13:26 PDT


    Hmmm.
    
    >> >.... Obviously, this is keyed to the BIOS of the computer used to write the CD.
    >
    >Umm.. No. It's NOT keyed to that BIOS.  It's not keyed to ANYTHING.
    >
    
    What I *intended* (and assumed everyone in the forensics list would already understand as a fundamental principle) was that ALL dates or times applied to ANY file activity would be dependent upon the current system clock (the real time clock) of the system controlling the activity. Therefore, all dates and times should be treated as suspicious.
    
    Agreed, I should have been more specific (RTC rather than BIOS) but, given the above, I believe the original question was... 
    "Firstly, is there any way to determine the creation date of a CD-ROM - is that information stored somewhere as part of the CDFS?"
    ...and I believe I indicated two sources of "possible" dates and times. 
    
    Trust them or throw them out - the dates are open to question but they ARE there to be seen. :-)
    
    Andy
    
    *********** REPLY SEPARATOR  ***********
    
    On 14/07/2003 at 14:39 Valdis.Kletnieksat_private wrote:
    
    >On Mon, 14 Jul 2003 19:17:22 BST, Andrew Sheldon said:
    >> Indeed. I agree wholeheartedly - That's why I said...
    >> >.... Obviously, this is keyed to the BIOS of the computer used to write the CD.
    >
    >Umm.. No. It's NOT keyed to that BIOS.  It's not keyed to ANYTHING.
    >
    >This laptop has a CD burner on it.  It's also not running Windows.  Want to
    >make any guesses how many bits of the CDROM it burns are keyed to the BIOS?
    >
    >(To be pedantic about it, if the timestamp is keyed to ANYTHING on my laptop,
    >it's keyed to the current system time on the host tick.uh.edu, since that's
    >where my NTP chain goes back to, though of course if I was feeling evil I'd
    >kill NTP and set the system time/date by hand....)
    >
    >Remember - if I'm an attacker, you have to assume that any CD I burn is like an
    >episode of the Outer Limits - I control the horizontal and the vertical. ;)
    >*Every single* bit on the CD is suspect unless you can *prove* otherwise...
    >
    >
    
    
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
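
For readers following the thread's question about where a CD-ROM records its own dates, here is an added example (not part of the original messages) that reads the four volume-level timestamps from the ISO 9660 Primary Volume Descriptor. The field offsets come from the ISO 9660 / ECMA-119 layout; the sample image is constructed for the example, and every value it decodes is simply what the writing host put there.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048
# Byte offsets of the 17-byte timestamps inside the Primary Volume Descriptor.
PVD_DATES = {"creation": 813, "modification": 830, "expiration": 847, "effective": 864}

def parse_volume_date(raw):
    """Decode 16 ASCII digits (YYYYMMDDHHMMSScc) plus a signed GMT offset byte."""
    digits, quarter_hours = raw[:16], struct.unpack("b", raw[16:17])[0]
    if not digits.isdigit() or not -48 <= quarter_hours <= 52:
        return None  # malformed field
    try:
        stamp = datetime.strptime(digits[:14].decode("ascii"), "%Y%m%d%H%M%S")
    except ValueError:
        return None  # all zeros ("not specified") or an impossible date
    tz = timezone(timedelta(minutes=15 * quarter_hours))
    return stamp.replace(microsecond=int(digits[14:16]) * 10000, tzinfo=tz)

def find_pvd(image):
    """Walk the descriptor set from sector 16 until the type-1 (primary) entry."""
    for pos in range(16 * SECTOR, len(image) - SECTOR + 1, SECTOR):
        sector = image[pos:pos + SECTOR]
        if sector[1:6] != b"CD001" or sector[0] == 255:
            break  # not ISO 9660, or set terminator reached
        if sector[0] == 1:
            return sector
    raise ValueError("no ISO 9660 primary volume descriptor found")

def volume_dates(image):
    """Return the four volume timestamps as aware datetimes (None if unset)."""
    pvd = find_pvd(image)
    return {name: parse_volume_date(pvd[off:off + 17]) for name, off in PVD_DATES.items()}

def build_sample_image():
    """Constructed test image: 16 blank sectors, one PVD, one terminator."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[813:830] = b"2003071412132600" + struct.pack("b", -28)  # UTC-7
    for off in (830, 847, 864):
        pvd[off:off + 17] = b"0" * 16 + b"\x00"  # "not specified"
    end = bytearray(SECTOR)
    end[0:7] = b"\xffCD001\x01"
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(end)

if __name__ == "__main__":
    for name, value in volume_dates(build_sample_image()).items():
        print(f"{name:12} {value.isoformat() if value else 'not set'}")
```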
    



    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 13:05:13 PDT