Forensics - Mac times 101

One of the foundations in forensics is the collection of mac times. Mac times are part of file system metadata. They refer to the modified,access,changed (or created) time triplet every file has in file systems such as FAT, NTFS and ext3. An intro on mac times can be found here.

How do they work? Let's see an example in an ext3 linux-based file system. Similar learnings can be applied on other file systems.

Before starting, we install the mactime command-line application. It is part of The Coroner's Toolkit (forensic utilities).

user@machine:/tmp$ sudo apt-get install tct

We check that the mactime functionality is installed by simply invoking man:

user@machine:~$ man mactime

We start by creating a directory called mactests in /tmp where we will do our tests:

user@machine:/tmp$ mkdir mactests
user@machine:/tmp$ cd mactests

mactime test 1 - creating a file with touch

We touch a file in this testing directory and we run mactime (-y to have the year first in every line, -d to tell the directory and we need to add a date after 1/1/1970). For aesthetic purposes we add grep -v to get rid of two tmp file lines created by the mactime utility itself.

user@machine:/tmp/mactests$ touch file01
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 13:37:39 0 mac -rw-r--r-- user user /tmp/mactests/file01


-> Result 1: Creating a file modifies all three times (that is why the three letters, mac, appear on the result line).

mactime test 2 - modifying a file by adding text

user@machine:/tmp/mactests$ cat /etc/resolv.conf > file01
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime

09 Apr 10 13:37:39 45 .a. -rw-r--r-- user user /tmp/mactests/file01
09 Apr 10 14:00:46 45 m.c -rw-r--r-- user user /tmp/mactests/file01


-> Result 2: Adding text to a file modifies two times, m and c.

mactime test 3 - changing file rights

user@machine:/tmp/mactests$ chmod u+x file01
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 13:37:39 45 .a. -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 14:00:46 45 m.. -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 14:04:13 45 ..c -rwxr--r-- user user /tmp/mactests/file01

-> Result 3: Changing file rights modifies c time only.

mactime test 4 - editing a file

user@machine:/tmp/mactests$ vi file01
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 16:04:44 105 .a. -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 16:05:16 105 m.c -rwxr--r-- user user /tmp/mactests/file01



-> Result 4: Editing a file modifies two times, m and c - This is similar to test 1. We just write this here to show how mac times ONLY keep the latest time (see e.g. how creation time is lost from the mac times the first time the file is edited).

mactime test 5 - what happens when a file is copied?

user@machine:/tmp/mactests$ cp file01 file02
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 16:05:16 105 m.c -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 16:10:18 105 .a. -rwxr--r-- user user /tmp/mactests/file01
105 mac -rwxr--r-- user user /tmp/mactests/file02


-> Result 5: Copying a file means that source file changes its access time and destination file modifies all its three mac times.

mactime test 6 - compressing files

user@machine:/tmp/mactests$ touch file03
user@machine:/tmp/mactests$ tar -cvf file.tar *
file01
file02
file03
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 16:19:55 0 mac -rw-r--r-- user user /tmp/mactests/file03
09 Apr 10 17:52:57 4130 m.c -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 17:53:07 2598 m.c -rwxr--r-- user user /tmp/mactests/file02
09 Apr 10 17:53:17 10240 mac -rw-r--r-- user user /tmp/mactests/file.tar
4130 .a. -rwxr--r-- user user /tmp/mactests/file01
2598 .a. -rwxr--r-- user user /tmp/mactests/file02


-> Result 6: Compressing files, all three mac times of the .tar compressed file are modified (exactly as when creating a new file). Accessed files modify their access time only if their modification time has been changed after they were last accessed (this has to do to the way working memory is handled - this is the reason why file01 and file02 access times appear modified and it is not the case for the just created file03).

mactime test 7 - uncompressing files

user@machine:/tmp/mactests$ mkdir untar
user@machine:/tmp/mactests$ cd untar/
user@machine:/tmp/mactests/untar$ tar -xvf ../file.tar
file01
file02
file03
user@machine:/tmp/mactests/untar$ mactime -y -d /tmp/mactests/untar/ 1/2/1970 | grep -v mactime
09 Apr 10 16:19:55 0 m.. -rw-r--r-- user user /tmp/mactests/untar/file03
09 Apr 10 17:52:57 4130 m.. -rwxr--r-- user user /tmp/mactests/untar/file01
09 Apr 10 17:53:07 2598 m.. -rwxr--r-- user user /tmp/mactests/untar/file02
09 Apr 11 13:50:09 4130 .ac -rwxr--r-- user user /tmp/mactests/untar/file01
0 .ac -rw-r--r-- user user /tmp/mactests/untar/file03
2598 .ac -rwxr--r-- user user /tmp/mactests/untar/file02


-> Result 7: Uncompressing files,access and change times are modified when uncompressed, however modification times remain untouched (this is one of the reasons why you can find files with a modification time earlier than their access and change time).

mactime test 8 - what about directories

user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 16:19:55 0 mac -rw-r--r-- user user /tmp/mactests/file03
09 Apr 10 17:52:57 4130 m.c -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 17:53:07 2598 m.c -rwxr--r-- user user /tmp/mactests/file02
09 Apr 10 17:53:17 10240 m.c -rw-r--r-- user user /tmp/mactests/file.tar
4130 .a. -rwxr--r-- user user /tmp/mactests/file01
2598 .a. -rwxr--r-- user user /tmp/mactests/file02
09 Apr 11 13:50:09 10240 .a. -rw-r--r-- user user /tmp/mactests/file.tar
09 Apr 11 13:50:23 4096 mac drwxr-xr-x user user /tmp/mactests/untar
user@machine:/tmp/mactests$ cd untar/
user@machine:/tmp/mactests/untar$ touch newfile04
user@machine:/tmp/mactests/untar$ cd ..
user@machine:/tmp/mactests$ mactime -y -d /tmp/mactests/ 1/2/1970 | grep -v mactime
09 Apr 10 16:19:55 0 mac -rw-r--r-- user user /tmp/mactests/file03
09 Apr 10 17:52:57 4130 m.c -rwxr--r-- user user /tmp/mactests/file01
09 Apr 10 17:53:07 2598 m.c -rwxr--r-- user user /tmp/mactests/file02
09 Apr 10 17:53:17 10240 m.c -rw-r--r-- user user /tmp/mactests/file.tar
4130 .a. -rwxr--r-- user user /tmp/mactests/file01
2598 .a. -rwxr--r-- user user /tmp/mactests/file02
09 Apr 11 13:50:09 10240 .a. -rw-r--r-- user user /tmp/mactests/file.tar
09 Apr 11 13:50:23 4096 .a. drwxr-xr-x user user /tmp/mactests/untar
09 Apr 11 13:55:46 4096 m.c drwxr-xr-x user user /tmp/mactests/untar


-> Result 8: When a directory is created, its mac times change. When a new file is added to a directory, the directory modification and access times also change.

Remember in any forensic investigation that mac times ONLY keep the latest time the file was modified, accessed or (metadata) changed.

As a final point, files in ext3 file system change m and c times when they are deleted. NTFS, however, does not.



This post is only the gate to understand mac times and the information they provide. You can find more information on this topic on the SANS forensics site

0 comments: