What Time Are You Anyway?

DEF CON 19

Presented by: Michael Robinson
Date: Friday August 05, 2011
Time: 14:00 - 14:50
Location: Track 2
Track: Track 2

Computer forensic examiners rely heavily on timestamps during investigations. Timeline analysis is a critical technique in determining what happened and when. In 2005, timestomp.exe was released and this gave non-observant investigators a run for their money. Unfortunately, there are some gaps in what timestomp.exe will do. Observant investigators can identify timestomping and recover from that activity. Good timestomping requires knowing what time values need to get trashed, where these times are stored, AND what supporting artifacts need to be altered. This presentation examines several file systems and operating systems and identifies what needs to be tweaked in order to effectively hide one's tracks.

Michael Robinson

Michael Robinson has over 15 years of computer security experience and is currently a computer forensic examiner in the Washington, DC area, where he deals with e-discovery and intrusion analysis. For over four years he ran IT and IA operations for a Department of Defense agency. He teaches computer forensics at the graduate level at Stevenson University in Maryland. He earned two master's degrees, one in computer forensics and one in information security.
