Difference between pages "Plaso" and "MAC times"

From ForensicsWiki
{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu) is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

=== Storage Media Image File Formats ===
Storage Media Image File Format support is provided by [[dfvfs]].

=== Volume System Formats ===
Volume System Format support is provided by [[dfvfs]].

=== File System Formats ===
File System Format support is provided by [[dfvfs]].

=== File Formats ===
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[OLE Compound File]] using [[libolecf]]
* [[Windows Event Log (EVT)]] using [[libevt]]
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Syslog

<b>TODO expand this list</b>

== History ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.

== See Also ==
* [[dfvfs]]
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

Latest revision as of 09:20, 11 June 2014

The term '''MAC times''' refers to the timestamps of the latest ''modification'' (mtime) or last written time, ''access'' (atime) or ''change'' (ctime) of a certain file.

[[Unix]] systems maintain the historical interpretation of ''ctime'' as the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').

[[Windows]] systems are the only systems that use ''birth'' (btime) or creation (crtime) time (e.g. 'This file was created on 05/05/02 12:15pm'). Hence MACB: Modification, Access, Change and Birth.

In [[NTFS]] each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values.

Other file systems like [[HFS+|HFS]] include different timestamps, e.g. a backup time.

== Time resolution ==
When dealing with MAC times it's important to know and understand the concept of time resolution.

On a [[FAT]] file system (in Windows NT):
* the creation time has a resolution of 10 milliseconds,
* the last written time has a resolution of 2 seconds,
* and the access time has a resolution of 1 day.

On NTFS, access time has a resolution of 1 hour [http://msdn.microsoft.com/en-us/library/ms724284.aspx].
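As an added illustration, not taken from this wiki page, of why the three FAT resolutions above differ: the following Python decodes and re-encodes the timestamp fields of a 32-byte FAT short directory entry (layout per the Microsoft FAT specification). The 16-bit time field stores seconds/2, only the creation stamp has the extra 10 ms "tenth" byte, and the access stamp is a date with no time field at all. The entry bytes are constructed inside the block.

```python
import struct
from datetime import datetime, timedelta

def fat_date(raw):
    """16-bit FAT date: bits 15-9 year since 1980, 8-5 month, 4-0 day (1-day resolution)."""
    return datetime(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw):
    """16-bit FAT time: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2 (2-second resolution)."""
    return timedelta(hours=raw >> 11, minutes=(raw >> 5) & 0x3F, seconds=(raw & 0x1F) * 2)

def encode_fat(dt):
    """Truncate a datetime to FAT fields (date, time, tenths byte); this is where precision is lost."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    # Remainder below the 2-second step in 10 ms units (0..199); only CrtTimeTenth stores it.
    tenth = ((dt.second % 2) * 1000 + dt.microsecond // 1000) // 10
    return date, time, tenth

def decode_fat_entry(entry):
    """Return (created, written, accessed) from a 32-byte FAT short directory entry."""
    if len(entry) != 32:
        raise ValueError("FAT directory entry must be 32 bytes")
    tenth, crt_time, crt_date, acc_date = struct.unpack_from("<BHHH", entry, 13)
    wrt_time, wrt_date = struct.unpack_from("<HH", entry, 22)
    if tenth > 199:
        raise ValueError("CrtTimeTenth out of range (0..199)")
    created = fat_date(crt_date) + fat_time(crt_time) + timedelta(milliseconds=10 * tenth)
    written = fat_date(wrt_date) + fat_time(wrt_time)
    accessed = fat_date(acc_date)  # the entry has no access *time* field at all
    return created, written, accessed

def build_entry(name, created, written, accessed):
    """Pack name, attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate, FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize."""
    c_date, c_time, c_tenth = encode_fat(created)
    w_date, w_time, _ = encode_fat(written)
    a_date, _, _ = encode_fat(accessed)
    return struct.pack("<11sBBBHHHHHHHI", name.ljust(11).encode("ascii"), 0x20, 0,
                       c_tenth, c_time, c_date, a_date, 0, w_time, w_date, 0, 0)

def sample_entry():
    """Constructed sample: one file whose three stamps all record the same instant."""
    t = datetime(2002, 5, 5, 12, 15, 31, 237000)
    return build_entry("REPORT  TXT", t, t, t)

if __name__ == "__main__":
    c, w, a = decode_fat_entry(sample_entry())
    print("created ", c)  # 2002-05-05 12:15:31.230000 (10 ms steps)
    print("written ", w)  # 2002-05-05 12:15:30 (2 s steps)
    print("accessed", a)  # 2002-05-05 00:00:00 (whole days only)
```

Three stamps written from one instant come back with three different precisions, which is why a FAT "last access" can never be used to order events within a day.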

== Access Time Update ==
On various operating systems the update of the access time can be disabled. This means that when a file is accessed the atime in the corresponding file system entry is not updated.

=== [[Windows]] ===
In Windows the access time behavior is controlled by the registry key:
<pre>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
</pre>
Where a value of ''1'' indicates the access time update being disabled.

This is the default setting as of [[Windows]] Vista.

=== [[Linux]] ===
In Linux the ''noatime'' mount option indicates the access time update should be disabled.

== See Also ==
* [[Timestomp]]

== External Links ==
* [http://en.wikipedia.org/wiki/MAC_times Wikipedia: MAC times]
* [http://www.drdobbs.com/what-are-mactimes/184404275 What Are MACtimes?], by Dan Farmer, Oct 2000

=== NTFS ===
* [http://www.winguides.com/registry/display.php/50/ Disable the NTFS Last Access Time Stamp]
* [http://support.microsoft.com/kb/299648 Microsoft KB 299648: Description of NTFS date and time stamps for files and folders]