© 2019 InfraGard National Capital Region Members Alliance.  
A Lesson from our Cyber SIG: Anchor Relative Time (ART)

June 13, 2016

Anchor Relative Time

 

For the most part, we tend to accept what we see in digital evidence as being correct. Why? From a criminal investigative perspective, we have controls in place to prevent spoliation. In the civil world, this is more of a challenge, since it is the responsibility of the individual parties to turn over evidence as part of the discovery process. What if the digital evidence in your case was fabricated? How would you know? One way may be the use of $LogFile and $UsnJrnl as they pertain to Anchor Relative Time (ART).

 

Developed by Mark Spencer of Arsenal Consulting, ART was used effectively in a massive treason case in Turkey where hundreds of military officers, non-governmental organization personnel, and media were charged with attempting to overthrow the ruling Turkish party.

 

What are some of the things that you do if you suspect that evidence may have been manufactured, tampered with, or spoliated?

 

  • Examine file system date and time stamps

  • Examine file metadata and compare to file system date and time

  • Examine the Windows install date and time

 

We do this to see if anything is out of the ordinary. 

Examine file system date and time stamps:

 

Note the file FNS03c_3-3using_Telnet.docx: Created: 10/30/2014 11:14 PM; Modified: 5/24/2016 11:36 AM; Accessed: 5/24/2016 11:37 AM.

Examining the metadata that Microsoft Word itself stores inside FNS03c_3-3using_Telnet.docx reveals:


The document metadata is a bit different. What does this mean? The file was not created on this system, but was moved or copied to this system.

 

What if the metadata was intentionally altered to match the file system date and time in an effort to legitimize fabricated evidence? How would you tell? One check is to verify the operating system install date on the computer. This can be found in the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Note that the stored UNIX time (seconds since 1970-01-01 UTC) needs to be converted into human-readable time.


So, 0x56deb76e == Tue, 08 Mar 2016 11:28:46 GMT. In the case above, the much later install date is the result of the automated Windows 10 update feature.
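The three checks above (file system stamps, the document's own embedded metadata, and the OS install date) can be scripted. The following is an added example written for this post, not code from the original or from Arsenal Consulting. It builds a minimal .docx in memory so that it runs offline; the docx metadata values and the tolerance window are constructed for the example, the file system stamps are the ones quoted for FNS03c_3-3using_Telnet.docx above (treated as UTC, an assumption, since the post does not give a time zone), and the InstallDate value is the 0x56deb76e from the Registry screenshot. The Registry value name InstallDate is a known Windows value, not something taken from the post.

```python
"""Cross-check a .docx's embedded core properties and the Windows install
date against NTFS file-system timestamps.

Added example; not code from the original post. The sample .docx and its
metadata values are constructed here; only the file-system stamps and the
InstallDate value 0x56deb76e come from the post.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict

# Namespaces used by docProps/core.xml inside an Office Open XML package.
_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# File-system Created stamp quoted in the post (10/30/2014 11:14 PM), assumed UTC.
FS_CREATED = datetime(2014, 10, 30, 23, 14, tzinfo=timezone.utc)
# Value from the post's Registry screenshot.
INSTALL_DATE_DWORD = 0x56DEB76E


def build_sample_docx(created: str, modified: str) -> bytes:
    """Construct a minimal .docx (a zip container) carrying only core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
        "<dc:creator>constructed</dc:creator>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">%(c)s</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">%(m)s</dcterms:modified>'
        "</cp:coreProperties>"
    ) % dict(_NS, c=created, m=modified)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> Dict[str, datetime]:
    """Pull dcterms:created / dcterms:modified out of the package, as UTC."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    out: Dict[str, datetime] = {}
    for key in ("created", "modified"):
        node = root.find(f"dcterms:{key}", _NS)
        if node is not None and node.text:
            stamp = datetime.strptime(node.text, "%Y-%m-%dT%H:%M:%SZ")
            out[key] = stamp.replace(tzinfo=timezone.utc)
    return out


def install_date(reg_dword: int) -> datetime:
    r"""InstallDate under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion is a
    REG_DWORD holding UNIX seconds; convert it to human-readable UTC."""
    return datetime.fromtimestamp(reg_dword, tz=timezone.utc)


@dataclass(frozen=True)
class CreationCheck:
    fs_created: datetime
    doc_created: datetime
    verdict: str


def compare_creation(fs_created: datetime, doc_created: datetime,
                     tolerance_s: int = 120) -> CreationCheck:
    """The post's test: a document whose own created stamp predates the
    file-system created stamp existed before it arrived on this volume, so it
    was moved or copied here rather than authored here. The tolerance window
    is a constructed allowance for save latency."""
    delta = (fs_created - doc_created).total_seconds()
    if delta > tolerance_s:
        verdict = "moved-or-copied"
    elif abs(delta) <= tolerance_s:
        verdict = "consistent"
    else:
        verdict = "anomalous: metadata claims creation after the file existed on disk"
    return CreationCheck(fs_created, doc_created, verdict)


if __name__ == "__main__":
    # Constructed metadata: the document claims to predate its arrival on disk.
    sample = build_sample_docx("2014-09-15T08:00:00Z", "2016-05-24T11:36:00Z")
    props = read_core_properties(sample)
    print("docx created:", props["created"], "modified:", props["modified"])
    print("verdict:", compare_creation(FS_CREATED, props["created"]).verdict)
    print("OS installed:", install_date(INSTALL_DATE_DWORD).strftime("%a, %d %b %Y %H:%M:%S GMT"))
```

Against a real file, replace the constructed bytes with the .docx read from the evidence image and take the file-system stamps from your NTFS parser; the comparison and the InstallDate decoding are unchanged.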

 

The Turkey Case

 

Operation Sledgehammer (Balyoz) was an alleged plot to overthrow the Turkish Justice and Development Party (AKP) by the secular-run military. Evidence was originally uncovered by journalist Mehmet Baransu for the Islamist newspaper Taraf on 1/20/2010. Baransu said he had been passed documents detailing plans to bomb two Istanbul mosques and to frame Greece for shooting down a Turkish plane over the Aegean Sea. The plan allegedly was to stir up chaos to justify a military coup. Virtually all of the evidence in this case was digital. Hundreds of military officers were arrested starting in February 2010, convicted, and spent over five years in prison before the case was overturned in 2016.

 

The evidence was digital and was created during the 2002/2003 time frame and found on drives seized by police. One hard drive (containing 66 documents) was found under the floor of the Military’s Counter Intel Unit.

 

In March 2011, NGO individuals and journalists were arrested as being involved in the plot. One NGO was Casdas Yasami Destekleme Dernegi (CYDD), a group that was formed to provide modern education to Muslim girls. Part of the allegation was that these girls were being placed near military installations to provide “support.”

 

Odatv is a secular news organization critical of the government (AKP). In 2011, Baris Pehlivan was arrested based on evidence obtained from his home and Odatv computer.

 

In 2012, Turkish defense attorneys find Arsenal Consulting, a Boston-based digital forensics company, and engage them to examine the evidence against the defendants. The defendants claim that the documents are fraudulent. The first go-round (a shallow dive) does not reveal anything out of the ordinary about the evidence, which consists of Microsoft Word and Excel files. In other words, file system dates and times matched up with metadata dates and times.

 

The deep dive is where it gets interesting. Mark Spencer and his team develop and employ the concept of Anchor Relative Time (ART), and as a result are able to refute the digital evidence used by Turkish prosecutors.

 

So, what is ART?

 

ART is the process of identifying events in time that can be deemed reliable. These events can be internal to an operating system, like $LogFile or $UsnJrnl records, or they can be external, like the date and time that a computer was seized. These events are used as anchors, and questioned events (QEs) are compared against them to see if the QEs could have occurred when their timestamps claim.

 

An example of this analysis can be seen below, taken from the CYDD hard drive seized on 4/13/2009 [1].


$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
2009-04-10 20:48:12 (M)   UpdateResidentValue           …config\SysEvent.Evt            103773284
2009-04-10 20:48:17 (M)   UpdateResidentValue           …config\system                  103782807
2009-04-10 20:48:17 (EM)  SetNewAttributeSizes          …config\system.LOG              103782964
          Windows Shutting Down

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
2009-03-17 18:15:41 (C)   InitializeFileRecordSegment   …_restore…4F39}                 103816248
2009-03-17 18:15:41 (C)   InitializeFileRecordSegment   …_restore…4F39}\RP46            103816504
2009-03-22 09:31:46 (C)   InitializeFileRecordSegment   …4F39}\RP46\change.log          103816648
          Creation of Foreign Restore Point

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
2008-12-07 13:39:22 (C)   InitializeFileRecordSegment   …Türkan SAYLAN 3.doc            105364977
2008-12-25 23:42:23 (C)   InitializeFileRecordSegment   …MEKTUP(Türkan SAYLAN).doc      105385237
2008-12-30 11:48:08 (C)   InitializeFileRecordSegment   …liste açıklma.docx             105734328
          Creation of Critical Documents used by Prosecution

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
N/A                       DeallocateFileRecordSegment   …liste açıklma.docx             106290462
N/A                       DeallocateFileRecordSegment   …Türkan SAYLAN 3.doc            106306537
N/A                       DeallocateFileRecordSegment   …MEKTUP(Türkan SAYLAN).doc      106307207
          Deletion of Critical Documents


The above is an excerpt of the computer’s $LogFile. In $LogFile, every record has a log sequence number (LSN) which is assigned sequentially, independent of any date/time stamping. The first three entries identify Windows shutting down on April 10, 2009 with LSNs 103773284, 103782807, and 103782964.

 

The next entries show the creation of a foreign restore point for this device on March 17, 2009. But wait, the LSNs for these events are 103816248, 103816504, and 103816648. How can this be? The LSNs here are greater than the Windows shutdown LSNs, but show an earlier time.

 

Next, we have the creation of evidentiary documents (Word files) on December 7-30, 2008 with LSNs 105364977, 105385237, and 105734328. How can this be?

 

Lastly, we have the deletion of the evidentiary files with LSNs 106290462, 106306537, and 106307207.

 

As can be seen, all of the evidentiary documents were placed on this system after Windows had shut down. The only way this could have happened was intentional evidence manipulation. The LSNs don’t lie, but the date and time stamps do.

 

In the example above, the anchor is the Windows shutdown and its corresponding LSN’s.
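The check described above can be automated: order the $LogFile records by LSN, pick the anchor, and flag every later record whose $STANDARD_INFORMATION stamp is impossible relative to it. The following is an added example written for this post, not Arsenal Consulting's tooling or code from the original; the record line layout, the parser and the helper names are assumptions made for the example. The sample rows are transcribed from the $LogFile table above (the seizure date 4/13/2009 is used as the external anchor), and the last function generalizes the single-anchor check into a scan that reports every record stamped earlier than any lower-LSN record.

```python
"""Anchor Relative Time (ART) check over a $LogFile excerpt.

Added example; not code from the original post or from Arsenal Consulting.
The line layout, parser and helper names are assumptions; the sample rows
are transcribed from the post's $LogFile table.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed excerpt, one record per line, columns separated by two or more
# spaces: "<SI date/time> (<stamp kind>)" or "N/A", action, path, LSN.
SAMPLE_LOGFILE = r"""
2009-04-10 20:48:12 (M)   UpdateResidentValue          ...config\SysEvent.Evt        103773284
2009-04-10 20:48:17 (M)   UpdateResidentValue          ...config\system              103782807
2009-04-10 20:48:17 (EM)  SetNewAttributeSizes         ...config\system.LOG          103782964
2009-03-17 18:15:41 (C)   InitializeFileRecordSegment  ..._restore...4F39}           103816248
2009-03-17 18:15:41 (C)   InitializeFileRecordSegment  ..._restore...4F39}\RP46      103816504
2009-03-22 09:31:46 (C)   InitializeFileRecordSegment  ...4F39}\RP46\change.log      103816648
2008-12-07 13:39:22 (C)   InitializeFileRecordSegment  ...Türkan SAYLAN 3.doc        105364977
2008-12-25 23:42:23 (C)   InitializeFileRecordSegment  ...MEKTUP(Türkan SAYLAN).doc  105385237
2008-12-30 11:48:08 (C)   InitializeFileRecordSegment  ...liste açıklma.docx         105734328
N/A                       DeallocateFileRecordSegment  ...liste açıklma.docx         106290462
N/A                       DeallocateFileRecordSegment  ...Türkan SAYLAN 3.doc        106306537
N/A                       DeallocateFileRecordSegment  ...MEKTUP(Türkan SAYLAN).doc  106307207
"""
# External anchor from the post: the CYDD drive was seized on 4/13/2009.
SEIZURE_DATE = date(2009, 4, 13)

_RECORD = re.compile(
    r"^(?:N/A|(?P<dt>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \((?P<kind>[A-Z]+)\))"
    r"\s{2,}(?P<action>\S+)\s{2,}(?P<path>.+?)\s{2,}(?P<lsn>\d+)$"
)


@dataclass(frozen=True)
class LogRecord:
    lsn: int
    action: str
    path: str
    stamp: Optional[datetime]  # None when the record carries no SI stamp (N/A)
    kind: str                  # which SI stamp the time came from: C, M, EM ...


@dataclass(frozen=True)
class Anchor:
    name: str
    lsn: int
    stamp: datetime


def parse_logfile(text: str) -> List[LogRecord]:
    """Parse the excerpt and order it by LSN, the sequence NTFS actually wrote."""
    records = []
    for line in text.strip().splitlines():
        m = _RECORD.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised $LogFile record: {line!r}")
        stamp = datetime.strptime(m["dt"], "%Y-%m-%d %H:%M:%S") if m["dt"] else None
        records.append(LogRecord(int(m["lsn"]), m["action"], m["path"], stamp, m["kind"] or ""))
    return sorted(records, key=lambda r: r.lsn)


def anchor_from_record(records: List[LogRecord], lsn: int, name: str) -> Anchor:
    """Turn a trusted record (here the last shutdown write) into an anchor."""
    rec = next(r for r in records if r.lsn == lsn)
    assert rec.stamp is not None, "an anchor needs a date/time"
    return Anchor(name, rec.lsn, rec.stamp)


def questioned_events(records: List[LogRecord], anchor: Anchor,
                      seized_on: Optional[date] = None) -> List[Tuple[LogRecord, str]]:
    """Records logged after the anchor (higher LSN) whose SI stamp is impossible:
    earlier than the anchor, or later than the external seizure anchor."""
    findings = []
    for r in records:
        if r.lsn <= anchor.lsn or r.stamp is None:
            continue  # logged before the anchor, or undated (deallocation) record
        if r.stamp < anchor.stamp:
            findings.append((r, f"LSN {r.lsn} follows {anchor.name} (LSN {anchor.lsn}) "
                                f"but is stamped {r.stamp}, before {anchor.stamp}"))
        elif seized_on is not None and r.stamp.date() > seized_on:
            findings.append((r, f"stamped {r.stamp}, after seizure on {seized_on}"))
    return findings


def timeline_reversals(records: List[LogRecord]) -> List[Tuple[LogRecord, LogRecord]]:
    """Generalisation without a hand-picked anchor: walking in LSN order, flag
    every record stamped earlier than the latest stamp already seen, paired
    with the record that set that high-water mark."""
    reversals, latest = [], None
    for r in records:
        if r.stamp is None:
            continue
        if latest is not None and r.stamp < latest.stamp:
            reversals.append((r, latest))
        else:
            latest = r
    return reversals


if __name__ == "__main__":
    recs = parse_logfile(SAMPLE_LOGFILE)
    shutdown = anchor_from_record(recs, 103782964, "Windows shutdown")
    for rec, why in questioned_events(recs, shutdown, seized_on=SEIZURE_DATE):
        print(f"QE {rec.action:<28}{rec.path:<30}{why}")
```

The anchor here is chosen by hand, exactly as in the post: the last of the three shutdown writes. Run the same parse over a full $LogFile export and the reversal scan will surface candidate anchors wherever the stamp sequence runs backwards against the LSN sequence; each one still needs a human to decide whether it is a trustworthy event or itself a questioned one.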

 

This analysis was subsequently peer reviewed and confirmed resulting in the defendants being released.

 

If you wish to know more about this case, you can go to:

 

Digital Forensics Magazine:

  Issue 18: February 2014 – Beyond Timelines: Anchors in Relative Time – Mark Spencer

  Issue 27: May 2016 – Applying Anchors in Relative Time – Mark Spencer


[1] https://arsenalexperts.com/Arsenal-News-and-Events/BeyondTimelines-DFMPromotional-FullSize.pdf
