Difference between pages "Timestomp" and "Defense Cyber Crime Institute"

From Forensics Wiki

== Timestomp ==
[[Image:timestomp_mace.jpg|thumb|100px|right|Timestomp MACE Values]] Timestomp is a utility co-authored by developers [[James C. Foster]] and [[Vincent Liu]]. The software's goal is to allow for the deletion or modification of time stamp-related information on files. Take for example the following screenshot of a command prompt window displaying the MACE values for a document file titled "text.txt". Four date and time stamps are displayed, and they are useful to forensic examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table, whether by the operating system or manually by the user.
[[Image:timestomp_mace_change.jpg|thumb|100px|right|Timestomp MACE Change]] Using the Timestomp application, I have completely changed the modified date and time stamp (as evidenced by the second screenshot). If I were to change it, along with the other entries, to more believable dates and times, then the validity of the document falls into question, as does its ability to slip completely past an examiner's watchful eye when that examiner is looking for modified files in an entirely different year or date span.
[[Image:timestomp_mace_change_proof.jpg|thumb|100px|right|Timestomp MACE Change Proof]] Here is a final screenshot of the Operating System's interpretation of the Modified time stamp. It reflects the change exactly.
Note: Although this program is designed to frustrate forensic analysis, its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to conclude that something is amiss on the system. Microsoft Windows operating systems record at least some timestamp information, so the total absence of such values is a dead giveaway that a user has tried to hide something. On the flip side, if the values are simply changed to believable values, then there is little chance of the change(s) being noticed at a casual glance.
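To make the detection point above concrete, here is an added example (not from the Forensics Wiki page nor from the Timestomp authors) that audits a set of constructed NTFS MACE records for the absent-timestamp giveaway the note describes. It goes one step further than the note by also flagging values with no sub-second component; that whole-second artefact is a known trait of timestamps written by tools rather than by Windows, and it is included here as an assumption rather than something the page states.

```python
from datetime import datetime, timedelta, timezone

# NTFS stores each MACE value as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks using integer arithmetic."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def stamp(y, mo, d, h, mi, s, us=0) -> int:
    """Build a UTC FILETIME from calendar fields; us is the microsecond part."""
    return to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc))

def audit_mace(name: str, mace: dict, now_ticks: int) -> list:
    """Return findings for one file's M/A/C/E values.
    Zero values are the absent-timestamp giveaway from the note above. The
    whole-second check is an assumption: Windows writes sub-second precision,
    so a zero fractional part suggests the value was set by a tool."""
    findings = []
    for key in "MACE":
        ticks = mace.get(key, 0)
        if ticks == 0:
            findings.append(f"{name}: {key} timestamp absent (zero FILETIME)")
        elif ticks > now_ticks:
            findings.append(f"{name}: {key} timestamp lies in the future")
        elif ticks % TICKS_PER_SECOND == 0:
            findings.append(f"{name}: {key} has no sub-second part (tool-set?)")
    return findings

# Constructed sample records, not real evidence: an untouched file, a file whose
# modified stamp was set to a believable whole-second value, and a wiped file.
NOW = stamp(2007, 4, 21, 8, 0, 0)
SAMPLES = {
    "report.doc": {"M": stamp(2007, 4, 20, 14, 2, 11, 437812),
                   "A": stamp(2007, 4, 21, 7, 53, 5, 118229),
                   "C": stamp(2007, 4, 19, 10, 15, 42, 901733),
                   "E": stamp(2007, 4, 20, 14, 2, 11, 437812)},
    "text.txt": {"M": stamp(2003, 5, 12, 9, 30, 0),
                 "A": stamp(2007, 4, 21, 7, 53, 5, 118229),
                 "C": stamp(2007, 4, 19, 10, 15, 42, 901733),
                 "E": stamp(2007, 4, 21, 7, 53, 5, 118229)},
    "wiped.txt": {"M": 0, "A": 0, "C": 0, "E": 0},
}

def audit_all(samples=SAMPLES, now_ticks=NOW) -> dict:
    """Audit every record; a clean file maps to an empty list."""
    return {n: audit_mace(n, m, now_ticks) for n, m in samples.items()}
```

Calling audit_all() returns one list of findings per file: report.doc is clean, only the modified stamp of text.txt is flagged, and all four stamps of wiped.txt are reported absent.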
== External Links ==
 
* [http://www.metasploit.com/projects/antiforensics/timestomp.exe Download Timestomp.exe]
* [http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf Presentation at Blackhat 2005]
[[Category:Anti-forensics tools]]

Revision as of 07:53, 21 April 2007

The Defense Cyber Crime Institute, or DCCI, is the Research and Development section of the Defense Cyber Crime Center based in Linthicum, Maryland. They not only develop new tools, but also rigorously test existing tools to make sure they meet the standards for DoD investigations. The DCCI consists of four branches:

  • Research, Development, Testing & Evaluation - Develops new tools and tests existing ones.
  • Analysis and Assessment
  • Plans and Policy
  • Outreach - Work with other federal agencies, academia, the intelligence community, and industry

DCCI Dispatch

The DCCI dispatch is a post-only mailing list, updated once a day, with news stories relating to computer crime investigations, the Department of Defense and the U.S. Government. Anyone can subscribe to the list via the DCCI Dispatch website.

External Links

  • Official website: http://dc3.mil/dcci/dcci.htm