
A Lesson from our Cyber SIG: Anchor Relative Time (ART)

Anchor Relative Time

For the most part, we tend to accept what we see in digital evidence as correct. From a criminal investigative perspective, we have controls in place to prevent spoliation. In the civil world this is more of a challenge, since it is the responsibility of the individual parties to turn over evidence as part of the discovery process. What if the digital evidence in your case was fabricated? How would you know? One way is to use $LogFile and $UsnJrnl in an approach known as Anchor Relative Time (ART).

Developed by Mark Spencer of Arsenal Consulting, ART was used effectively in a massive treason case in Turkey in which hundreds of military officers, non-governmental organization personnel, and journalists were charged with attempting to overthrow the ruling Turkish party.

What are some of the things you do if you suspect that evidence may have been manufactured, tampered with, or spoliated?

  • Examine file system date and time stamps

  • Examine file metadata and compare to file system date and time

  • Examine the Windows install date and time

We do this to see if anything is out of the ordinary.

Examine file system date and time stamps:

Note the file FNS03c_3-3using_Telnet.docx: Created 10/30/2014 11:14 PM; Modified 5/24/2016 11:36 AM; Accessed 5/24/2016 11:37 AM.

Examining the metadata stored inside FNS03c_3-3using_Telnet.docx itself (the Word document properties) reveals:

The document metadata is a bit different. What does this mean? The file was not created on this system, but was moved or copied to it. Copying a file onto an NTFS volume gives it a fresh file system creation time, while the document's internal created time travels with the file, so the two diverge.

What if the metadata was intentionally altered to match the file system date and time in an effort to legitimize fabricated evidence? How would you tell? One check is to verify the operating system install date on the computer. This is the InstallDate value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. It is a REG_DWORD holding Unix time (seconds since 1970-01-01 00:00:00 UTC), so it needs to be converted into a human-readable date.

So, 0x56deb76e == Tue, 08 Mar 2016 11:28:46 GMT. In the case above, the much later install date is the result of Windows 10's automatic feature updates, which reset InstallDate each time a new build is installed. InstallDate therefore marks the most recent in-place upgrade, not necessarily the original installation, and a file created before that date is not by itself suspicious.
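The three checks above (file system times, the document's own metadata, and the OS install date) can be run together. The following is an added Python example, not code from the original post or from Arsenal Consulting: it decodes InstallDate from its raw REG_DWORD value, reads dcterms:created/modified from the docProps/core.xml inside an OOXML container, and reports the mismatches a reviewer would chase. The function names, the finding tags, and the sample document are this example's own; the sample reuses the post's file system times for FNS03c_3-3using_Telnet.docx (treated as UTC) and the post's InstallDate, while the internal created time is an assumed earlier value to stand in for a copied file.

```python
import zipfile
from datetime import datetime, timezone
from io import BytesIO
from typing import Dict, List
from xml.etree import ElementTree as ET

# Namespaces used by docProps/core.xml in an OOXML (.docx) container
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}


def install_date_from_registry(raw: int) -> datetime:
    # InstallDate under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion is a REG_DWORD
    # holding seconds since 1970-01-01 00:00:00 UTC (Unix time).
    return datetime.fromtimestamp(raw, tz=timezone.utc)


def docx_core_times(docx: bytes) -> Dict[str, datetime]:
    """Pull dcterms:created / dcterms:modified out of docProps/core.xml.
    Word stores them as W3CDTF strings in UTC, e.g. 2014-10-30T23:14:00Z."""
    with zipfile.ZipFile(BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    times = {}
    for key in ("created", "modified"):
        node = root.find(f"dcterms:{key}", NS)
        if node is not None and node.text:
            times[key] = datetime.strptime(node.text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return times


def compare_timestamps(fs: Dict[str, datetime], core: Dict[str, datetime], install: datetime) -> List[str]:
    """Cross-check the three sources. fs = $STANDARD_INFORMATION times from the file
    system, core = the document's internal times, install = OS install date. All values
    are aware UTC datetimes. Returns short tags a reviewer can act on."""
    findings = []
    # A file created on this volume cannot predate the OS install, unless InstallDate was
    # reset by a feature update (as in the post) or the timestamps were backdated/preserved.
    if fs["created"] < install:
        findings.append("fs-created-before-os-install")
    # Copying or moving a document onto a new volume gives it a fresh file system creation
    # time while the internal created time travels with it, so a mismatch means the file
    # was authored elsewhere (or one of the two values was edited).
    if "created" in core and core["created"] != fs["created"]:
        findings.append("core-created-differs-from-fs-created")
    # Word stamps the internal modified time while saving and the file's mtime lands when the
    # write completes, so (clock skew aside) the internal value should never be the later one.
    if "modified" in core and core["modified"] > fs["modified"]:
        findings.append("core-modified-after-fs-modified")
    return findings


def build_sample_docx(created: str, modified: str) -> bytes:
    """Constructed minimal OOXML container holding only docProps/core.xml, enough for the
    check above; a real .docx also carries [Content_Types].xml, word/document.xml, etc."""
    template = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dcterms:created xsi:type="dcterms:W3CDTF">%s</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">%s</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", template % (NS["cp"], NS["dcterms"], created, modified))
    return buf.getvalue()


def run_sample() -> List[str]:
    # Constructed input: file system times from the post (treated as UTC), InstallDate
    # 0x56deb76e from the post, and an assumed earlier internal created time.
    fs = {
        "created": datetime(2014, 10, 30, 23, 14, tzinfo=timezone.utc),
        "modified": datetime(2016, 5, 24, 11, 36, tzinfo=timezone.utc),
    }
    docx = build_sample_docx("2014-10-28T15:02:00Z", "2016-05-24T11:36:00Z")
    return compare_timestamps(fs, docx_core_times(docx), install_date_from_registry(0x56DEB76E))


if __name__ == "__main__":
    print(install_date_from_registry(0x56DEB76E).isoformat())
    print(run_sample())
```

On a live system the raw InstallDate value comes from the registry (or an exported SOFTWARE hive), and the file system times from the $STANDARD_INFORMATION attribute of the file's MFT record; the comparison logic is the same.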

The Turkey Case

Operation Sledgehammer (Balyoz) was an alleged plot by the secular-run military to overthrow the Turkish Justice and Development Party (AKP). The evidence was originally uncovered by journalist Mehmet Baransu for the Islamist newspaper Taraf on 1/20/2010. Baransu said he had been passed documents detailing plans to bomb two Istanbul mosques and to frame Greece for shooting down a Turkish plane over the Aegean Sea. The plan was allegedly to stir up chaos to justify a military coup. Virtually all of the evidence in this case was digital. Hundreds of military officers were arrested starting in February 2010, convicted, and spent over five years in prison before the case was overturned in 2016.

The evidence was digital, was purportedly created in the 2002/2003 time frame, and was found on drives seized by police. One hard drive (containing 66 documents) was found under the floor of the military's counter-intelligence unit.

In March 2011, NGO personnel and journalists were arrested for alleged involvement in the plot. One NGO was Casdas Yasami Destekleme Dernegi (CYDD), a group formed to provide modern education to Muslim girls. Part of the allegation was that these girls were being placed near military installations to provide "support."

Odatv is a secular news organization critical of the government (AKP). In 2011, Baris Pehlivan was arrested based on evidence obtained from his home computer and an Odatv computer.

In 2012, Turkish defense attorneys found Arsenal Consulting, a Boston-based digital forensics company, and engaged them to examine the evidence against the defendants. The defendants claimed the documents were fraudulent. The first pass (a shallow dive) did not reveal anything out of the ordinary about the evidence, which consisted of Microsoft Word and Excel files. In other words, file system dates and times matched up with metadata dates and times.

The deep dive is where it gets interesting. Mark Spencer and his team developed and employed the concept of Anchor Relative Time (ART), and as a result were able to refute the digital evidence used by Turkish prosecutors.

So, what is ART?

ART is the process of identifying events in time that can be deemed reliable. These events can be internal to the operating system, such as $LogFile or $UsnJrnl records, or external, such as the date and time a computer was seized. These events are used as anchors, and questioned events (QEs) are compared against them to determine whether the QEs could have occurred when their timestamps claim.

An example of this analysis can be seen below, from the CYDD hard drive seized on 4/13/2009[1].

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
2009-04-10 20:48:12 (M)   UpdateResidentValue           …config\SysEvent.Evt            103773284
2009-04-10 20:48:17 (M)   UpdateResidentValue           …config\system                  103782807
2009-04-10 20:48:17 (EM)  SetNewAttributeSizes          …config\system.LOG              103782964

Windows shutting down

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
2009-03-17 18:15:41 (C)   InitializeFileRecordSegment   …_restore…4F39}                 103816248
2009-03-17 18:15:41 (C)   InitializeFileRecordSegment   …_restore…4F39}\RP46            103816504
2009-03-22 09:31:46 (C)   InitializeFileRecordSegment   …4F39}\RP46\change.log          103816648

Creation of foreign restore point

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
2008-12-07 13:39:22 (C)   InitializeFileRecordSegment   …Türkan SAYLAN 3.doc            105364977
2008-12-25 23:42:23 (C)   InitializeFileRecordSegment   …MEKTUP(Türkan SAYLAN).doc      105385237
2008-12-30 11:48:08 (C)   InitializeFileRecordSegment   …liste açıklma.docx             105734328

Creation of critical documents used by the prosecution

$LogFile Date/Time (SI)   $LogFile Action               Path                            LSN
N/A                       DeallocateFileRecordSegment   …liste açıklma.docx             106290462
N/A                       DeallocateFileRecordSegment   …Türkan SAYLAN 3.doc            106306537
N/A                       DeallocateFileRecordSegment   …MEKTUP(Türkan SAYLAN).doc      106307207

Deletion of critical documents

The above is an excerpt of the computer's $LogFile. In $LogFile, every record has a log sequence number (LSN) that NTFS assigns sequentially as the record is written, independent of any date/time stamp. The first three entries identify Windows shutting down on April 10, 2009, with LSNs 103773284, 103782807, and 103782964.

The next entries show the creation of a foreign restore point on this device, time-stamped March 17, 2009. But wait: the LSNs for these events are 103816248, 103816504, and 103816648. How can this be? These LSNs are greater than the Windows shutdown LSNs, so the records were written after the shutdown, yet they carry an earlier time.

Next, we have the creation of the evidentiary documents (Word files), time-stamped December 7-30, 2008, with LSNs 105364977, 105385237, and 105734328, again later in the log than the shutdown. How can this be?

Lastly, we have the deletion of the evidentiary files, with LSNs 106290462, 106306537, and 106307207.

As can be seen, all of the evidentiary documents were placed on this system after Windows had shut down on April 10, 2009, only days before the drive was seized on April 13, even though their timestamps claim December 2008. The only way this could have happened is intentional manipulation of the evidence. The LSNs don't lie, but the date and time stamps do.

In the example above, the anchor is the Windows shutdown and its corresponding LSNs; the restore point and the document creations are the questioned events.
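The comparison just described, as an added Python example that is not part of the original post or of Arsenal Consulting's tooling: it parses the rows of the tables above (retyped here, with the flag column kept and the truncated paths left as printed), takes the last shutdown record as the internal anchor and the 13 April 2009 seizure as an external anchor, and lists the questioned events whose timestamps cannot be reconciled with their LSNs. It goes one step beyond the text with an unanchored inversion scan for triage. The row format and function names are this example's own choices; a real $LogFile parse would supply the same fields from the log records.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class LogRecord:
    lsn: int                       # log sequence number, assigned by NTFS in write order
    timestamp: Optional[datetime]  # $STANDARD_INFORMATION time carried in the record, None if absent
    flag: str                      # which SI time the source table shows: M, EM or C
    action: str                    # $LogFile operation, e.g. InitializeFileRecordSegment
    path: str                      # file the operation touched (truncated with … in the source table)


# Rows retyped from the $LogFile excerpt above (CYDD drive). Sample input for this example,
# not tool output; the N/A rows carry no timestamp.
SAMPLE_ROWS = r"""
2009-04-10 20:48:12 (M) UpdateResidentValue …config\SysEvent.Evt 103773284
2009-04-10 20:48:17 (M) UpdateResidentValue …config\system 103782807
2009-04-10 20:48:17 (EM) SetNewAttributeSizes …config\system.LOG 103782964
2009-03-17 18:15:41 (C) InitializeFileRecordSegment …_restore…4F39} 103816248
2009-03-17 18:15:41 (C) InitializeFileRecordSegment …_restore…4F39}\RP46 103816504
2009-03-22 09:31:46 (C) InitializeFileRecordSegment …4F39}\RP46\change.log 103816648
2008-12-07 13:39:22 (C) InitializeFileRecordSegment …Türkan SAYLAN 3.doc 105364977
2008-12-25 23:42:23 (C) InitializeFileRecordSegment …MEKTUP(Türkan SAYLAN).doc 105385237
2008-12-30 11:48:08 (C) InitializeFileRecordSegment …liste açıklma.docx 105734328
N/A DeallocateFileRecordSegment …liste açıklma.docx 106290462
N/A DeallocateFileRecordSegment …Türkan SAYLAN 3.doc 106306537
N/A DeallocateFileRecordSegment …MEKTUP(Türkan SAYLAN).doc 106307207
"""


def parse_rows(text: str) -> List[LogRecord]:
    """Parse '<date> <time> (<flag>) <action> <path...> <lsn>' or 'N/A <action> <path...> <lsn>'."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        lsn = int(parts[-1])
        if parts[0] == "N/A":
            records.append(LogRecord(lsn, None, "", parts[1], " ".join(parts[2:-1])))
        else:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            records.append(LogRecord(lsn, ts, parts[2].strip("()"), parts[3], " ".join(parts[4:-1])))
    return records


def questioned_after_anchor(records: List[LogRecord], anchor_lsn: int) -> List[LogRecord]:
    """Core ART check. The anchor is a record whose time is trusted (here the last record of
    the April 10 shutdown). LSNs only increase, so every record with a higher LSN was written
    after the anchor; any of them whose timestamp is earlier than the anchor's could not have
    happened when its timestamp claims."""
    anchor = next(r for r in records if r.lsn == anchor_lsn)
    return [r for r in sorted(records, key=lambda r: r.lsn)
            if r.lsn > anchor.lsn and r.timestamp is not None and r.timestamp < anchor.timestamp]


def impossible_after_seizure(records: List[LogRecord], seized_at: datetime) -> List[LogRecord]:
    """External anchor: nothing written on the drive can post-date the moment it was seized."""
    return [r for r in records if r.timestamp is not None and r.timestamp > seized_at]


def timestamp_inversions(records: List[LogRecord]) -> List[LogRecord]:
    """Triage without a chosen anchor: walk in LSN order and flag any record whose timestamp
    falls behind the latest timestamp seen so far. Caveat: tools and restores that preserve
    or rewrite source timestamps can legitimately write old values, so this is a review list,
    not proof; the anchor check carries the evidentiary weight."""
    latest = None
    flagged = []
    for r in sorted(records, key=lambda r: r.lsn):
        if r.timestamp is None:
            continue
        if latest is not None and r.timestamp < latest:
            flagged.append(r)
        if latest is None or r.timestamp > latest:
            latest = r.timestamp
    return flagged


def run_example() -> dict:
    records = parse_rows(SAMPLE_ROWS)
    shutdown_lsn = 103782964           # last record of the April 10 shutdown
    seized = datetime(2009, 4, 13)     # seizure date given in the post, used as external anchor
    return {
        "questioned": [r.lsn for r in questioned_after_anchor(records, shutdown_lsn)],
        "post_seizure": [r.lsn for r in impossible_after_seizure(records, seized)],
        "inversions": [r.lsn for r in timestamp_inversions(records)],
    }


if __name__ == "__main__":
    for name, lsns in run_example().items():
        print(name, lsns)
```

The questioned list comes out to the six restore point and document creation records, exactly the entries the post singles out; the deletions are not flagged because their records carry no timestamp to contradict.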

This analysis was subsequently peer reviewed and confirmed, resulting in the defendants being released.

If you wish to know more about this case, see:

Digital Forensics Magazine:

Issue 18, February 2014: Beyond Timelines: Anchors in Relative Time, Mark Spencer

Issue 27, May 2016: Applying Anchors in Relative Time, Mark Spencer
