Adjusted times and Original times are the same on NTFS

Postby rmistero » Wed Aug 19, 2015 10:23 pm

Hello,

While using TSK 4.1.3, I noticed that when adjusting the time, the Adjusted times and Original times were the same.
I have searched in the docs, forums, Google... but found no mention of this or of whether it is the expected behaviour.

What do the MAC times under "Original times" represent?

Example: adjusting istat by using -s -12 (the system is 12 sec behind), I see

Adjusted times:
Created: 2015-08-18 18:08:21 (BST)
File Modified: 2015-08-18 18:08:21 (BST)
MFT Modified: 2015-08-18 18:08:21 (BST)
Accessed: 2015-08-18 18:08:21 (BST)

Original times:
Created: 2015-08-18 18:08:21 (BST)
File Modified: 2015-08-18 18:08:21 (BST)
MFT Modified: 2015-08-18 18:08:21 (BST)
Accessed: 2015-08-18 18:08:21 (BST)

The MAC times without adjustment were

Created: 2015-08-18 18:08:09 (BST)
File Modified: 2015-08-18 18:08:09 (BST)
MFT Modified: 2015-08-18 18:08:09 (BST)
Accessed: 2015-08-18 18:08:09 (BST)

Looking into the source code I see:

https://github.com/sleuthkit/sleuthkit/ ... /fs/ntfs.c

    if (sec_skew != 0) {
        tsk_fprintf(hFile, "\nAdjusted times:\n");
        /* subtract the skew from every timestamp that is set (nonzero) */
        if (fs_file->meta->mtime)
            fs_file->meta->mtime -= sec_skew;
        if (fs_file->meta->atime)
            fs_file->meta->atime -= sec_skew;
        if (fs_file->meta->ctime)
            fs_file->meta->ctime -= sec_skew;
        if (fs_file->meta->crtime)
            fs_file->meta->crtime -= sec_skew;

        tsk_fprintf(hFile, "Created:\t%s\n",
            tsk_fs_time_to_str(fs_file->meta->crtime, timeBuf));
        tsk_fprintf(hFile, "File Modified:\t%s\n",
            tsk_fs_time_to_str(fs_file->meta->mtime, timeBuf));
        tsk_fprintf(hFile, "MFT Modified:\t%s\n",
            tsk_fs_time_to_str(fs_file->meta->ctime, timeBuf));
        tsk_fprintf(hFile, "Accessed:\t%s\n",
            tsk_fs_time_to_str(fs_file->meta->atime, timeBuf));

        /* Bug (4.1.3): the skew is added back only to fields that are 0,
           i.e. only to timestamps that were never adjusted above, so the
           set timestamps printed under "Original times" below are still
           the adjusted values. */
        if (fs_file->meta->mtime == 0)
            fs_file->meta->mtime += sec_skew;
        if (fs_file->meta->atime == 0)
            fs_file->meta->atime += sec_skew;
        if (fs_file->meta->ctime == 0)
            fs_file->meta->ctime += sec_skew;
        if (fs_file->meta->crtime == 0)
            fs_file->meta->crtime += sec_skew;

        tsk_fprintf(hFile, "\nOriginal times:\n");
    }

    tsk_fprintf(hFile, "Created:\t%s\n",
        tsk_fs_time_to_str(fs_file->meta->crtime, timeBuf));
    tsk_fprintf(hFile, "File Modified:\t%s\n",
        tsk_fs_time_to_str(fs_file->meta->mtime, timeBuf));
    tsk_fprintf(hFile, "MFT Modified:\t%s\n",
        tsk_fs_time_to_str(fs_file->meta->ctime, timeBuf));
    tsk_fprintf(hFile, "Accessed:\t%s\n",
        tsk_fs_time_to_str(fs_file->meta->atime, timeBuf));
}

It looks like the Original times are adjusted if the skew is different from 0; am I missing something?
rmistero
 
Posts: 2
Joined: Wed Aug 19, 2015 10:07 pm

Re: Adjusted times and Original times are the same on NTFS

Postby rmistero » Thu Aug 20, 2015 2:42 pm

This is a bug actually (same problem with ext3; it seems all filesystems are affected). I found out why...

###CORRECTION###
I downloaded the source code from GitHub and compiled. There was no problem.
##################
When I recompiled, I didn't realise I was in the develop branch instead of master (4.1.3, which is installed on Kali).

It is already fixed in the dev branch, actually; the problem is not the bracket but the conditions used to calculate the original times.

In the dev branch the following change happened between commits 4f412581bbca97d4c3c47d5992f193ab21f84a68 and 59175450537f2bef18dffee1be10ad6c219f2835

59175450537f2bef18dffee1be10ad6c219f2835 non-ext2 istat: undo sec_skew subtraction only on valid times

- if (fs_file->meta->mtime == 0)
+ if (fs_file->meta->mtime)
fs_file->meta->mtime += sec_skew;
- if (fs_file->meta->atime == 0)
+ if (fs_file->meta->atime)
fs_file->meta->atime += sec_skew;
- if (fs_file->meta->ctime == 0)
+ if (fs_file->meta->ctime)
fs_file->meta->ctime += sec_skew;
- if (fs_file->meta->crtime == 0)
+ if (fs_file->meta->crtime)
fs_file->meta->crtime += sec_skew;

tsk_fprintf(hFile, "\nOriginal times:\n");
}
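Review bot: the new `if (fs_file->meta->mtime)` conditions mirror the subtraction block, which is the right fix, but one case still falls through: a set timestamp whose adjusted value is exactly 0 (the field equals sec_skew) is skipped by the restore and stays 0 under "Original times". Reversing the arithmetic on fs_file->meta is what creates that gap in the first place; saving the four values before the subtraction (e.g. `time_t orig_mtime = fs_file->meta->mtime;`) and writing them back unconditionally would remove all four conditions and the edge case with them. The commit message says "non-ext2 istat", and the poster notes the same block exists for the $FILE_NAME times, so check that every copy of this block, in ntfs.c and in the other filesystems' istat, carries the same change.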


(and the same for the $FILE_NAME times)

I have just changed that part in ntfs.c on the master branch and recompiled, then copied the library to the existing install, and it seems to work fine.

I tried to identify when the problem started and I think it was between 3.2.3 and 4.0.0.

Version 3.2.3 is fine, while 4.0.0 contains the problem mentioned.

I was using Kali 1.1.0a (autopsy 2.24 and sleuthkit 4.1.3 by default) for the tests.


1. wget http://http.kali.org/kali/pool/main/s/s ... _amd64.deb
2. wget http://http.kali.org/kali/pool/main/s/s ... _amd64.deb
3. apt-get remove sleuthkit # autopsy will be removed as well.
4. apt-get remove libtsk10
5. dpkg -i libtsk3-3_3.2.3-2_amd64.deb
6. dpkg -i sleuthkit_3.2.3-2_amd64.deb
7. apt-get install autopsy

All good after this.
rmistero
 
Posts: 2
Joined: Wed Aug 19, 2015 10:07 pm
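As an added illustration, not code from the thread or from TSK itself, the following C program re-implements the adjust/undo sequence from the ntfs.c excerpt in the first post with both the 4.1.3 condition (`== 0`) and the develop-branch condition (nonzero), and counts how many of the four timestamps fail to come back to their input values. The meta_times struct, make_times, fields_not_restored and the epoch constant are constructed for this example; the -12 skew and the 18:08:09 BST timestamp are the values from the thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <time.h>

/* Constructed stand-in for the four timestamps istat reads from
 * fs_file->meta.  As in TSK, a value of 0 means "not set". */
typedef struct {
    time_t mtime;   /* File Modified */
    time_t atime;   /* Accessed      */
    time_t ctime;   /* MFT Modified  */
    time_t crtime;  /* Created       */
} meta_times;

static meta_times make_times(time_t m, time_t a, time_t c, time_t cr)
{
    meta_times t = { m, a, c, cr };
    return t;
}

/* Step 1 of istat -s: subtract the skew from every set timestamp.
 * This part was already correct in 4.1.3. */
static void apply_skew(meta_times *m, int32_t sec_skew)
{
    if (m->mtime)  m->mtime  -= sec_skew;
    if (m->atime)  m->atime  -= sec_skew;
    if (m->ctime)  m->ctime  -= sec_skew;
    if (m->crtime) m->crtime -= sec_skew;
}

/* Step 2 as shipped in 4.0.0 through 4.1.3: the skew is added back only
 * to fields that are 0.  Set timestamps are never 0, so they stay adjusted
 * and "Original times" prints the adjusted values; unset (0) timestamps,
 * which were never adjusted, get sec_skew added and turn into garbage. */
static void undo_skew_buggy(meta_times *m, int32_t sec_skew)
{
    if (m->mtime == 0)  m->mtime  += sec_skew;
    if (m->atime == 0)  m->atime  += sec_skew;
    if (m->ctime == 0)  m->ctime  += sec_skew;
    if (m->crtime == 0) m->crtime += sec_skew;
}

/* Step 2 as fixed in the develop branch: mirror apply_skew exactly. */
static void undo_skew_fixed(meta_times *m, int32_t sec_skew)
{
    if (m->mtime)  m->mtime  += sec_skew;
    if (m->atime)  m->atime  += sec_skew;
    if (m->ctime)  m->ctime  += sec_skew;
    if (m->crtime) m->crtime += sec_skew;
}

/* Run adjust-then-undo on a copy of `in` with one of the two undo variants
 * and count the fields that do not come back to their input value.
 * 0 means the "Original times" block would print the true on-disk values. */
static int fields_not_restored(meta_times in, int32_t sec_skew, int use_fix)
{
    meta_times m = in;
    apply_skew(&m, sec_skew);
    if (use_fix)
        undo_skew_fixed(&m, sec_skew);
    else
        undo_skew_buggy(&m, sec_skew);

    int n = 0;
    if (m.mtime  != in.mtime)  n++;
    if (m.atime  != in.atime)  n++;
    if (m.ctime  != in.ctime)  n++;
    if (m.crtime != in.crtime) n++;
    return n;
}

/* Constructed sample: 2015-08-18 18:08:09 BST (UTC+1) as a Unix timestamp,
 * i.e. the unadjusted value shown in the thread. */
#define SAMPLE_TS ((time_t)1439917689)

int main(void)
{
    const int32_t skew = -12;  /* system clock 12 s behind, as in the thread */
    meta_times all_set  = make_times(SAMPLE_TS, SAMPLE_TS, SAMPLE_TS, SAMPLE_TS);
    meta_times no_atime = make_times(SAMPLE_TS, 0, SAMPLE_TS, SAMPLE_TS);

    printf("all four set, 4.1.3 undo: %d field(s) wrong in Original times\n",
           fields_not_restored(all_set, skew, 0));
    printf("all four set, fixed undo: %d field(s) wrong in Original times\n",
           fields_not_restored(all_set, skew, 1));
    printf("atime unset,  4.1.3 undo: %d field(s) wrong in Original times\n",
           fields_not_restored(no_atime, skew, 0));
    printf("atime unset,  fixed undo: %d field(s) wrong in Original times\n",
           fields_not_restored(no_atime, skew, 1));
    return 0;
}
```

With all four timestamps set, the 4.1.3 undo leaves all four adjusted (which is exactly the identical Adjusted/Original output in the first post), and the fixed undo restores all four. With an unset atime the 4.1.3 undo is worse still: the three set fields stay adjusted and the unset one becomes sec_skew. The fixed version still cannot restore a set timestamp whose adjusted value happens to be 0 (a timestamp equal to the skew), which is the residual edge case of reversing the arithmetic in place rather than keeping a saved copy.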

