Changing Time


When it comes to reconstructing what has been happening on a system, time is very important. The ability to construct a consistent, linear timeline is paramount to understanding the sequence of events that occurred on the system. If the time on the system is inconsistent, this analysis becomes more complex. The inability to build a credible timeline can greatly reduce the ability to prosecute the case, because inconsistencies in time reduce credibility and confuse juries. Therefore, if a hacker changes the system time, the timestamps in logs, or the timestamps of files, he can create a great barrier for system administrators attempting to track down the hacker at work.

If a system is auditing or running sufficient logging, the system manager will be able to reconstruct this type of tampering. However, the process is time-consuming.

System Time

Every computer system and most network devices have a locally stored time. This time is used whenever the system needs to know the time for timestamps or logging. On any single system, time is consistent unless the system clock is changed, and this activity, which requires specific privileges, will be reported and logged. However, when logs from multiple systems are compared or consolidated, the differences between the system clocks of those systems become an issue: the timestamps in the logs from each system are different. This increases the work needed to reliably reconstruct a timeline of the hacking activities. The clocks on systems on a network should be synchronized. A system should use an auditable time service to set all the clocks to the same time.

Timestamps on Files

Every file has three timestamps: creation time, last access time, and last modified time. Anyone with permission can alter the timestamp on a file with the touch command or programmatically. Hackers will often change the timestamps on files to make tracking their activities more difficult and to help disguise what files have been altered.

For certain files, altering the timestamp may affect the operation of the system. For example, some systems use the timestamp of a specific file to indicate the time of the last backup, which is compared to the timestamps of all the files on the system when an incremental backup is performed. Altering this timestamp changes which files are backed up. A hacker may do this to keep his activities from being recorded on a backup.

Time Zone

The time zone variable is an environment variable and is used by some programs to display and calculate the time. E-mail is the most prevalent of these programs. The e-mail client sending the mail stamps each message with the time at which it is sent. A system with an incorrect or altered clock will misreport the time when the mail was sent.

The format of the time zone variable is three or more characters that designate the standard time zone, followed by a numeric offset that must be added to the local time to arrive at Coordinated Universal Time, followed by three or more characters that designate the summer or daylight-savings time zone. For example, the Pacific Time zone would be represented by "PST8PDT".

If a hacker resets this variable so that the time zone designations do not correspond to the same time zone as the offset listed, such as "EST8EDT", it can cause the calculated time and the displayed time to differ. He can utilize this fact to make it appear as if something happened at a different time than it actually did.
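
A check an administrator could run against a time zone value, as an added example that is not from the book: it splits the value into the standard designation, offset, and daylight designation described above and flags values such as "EST8EDT" whose offset does not match the designation. The function names and the four-zone reference table are assumptions made for illustration; zoneinfo-style names are reported as unparsed.

```sh
#!/bin/sh
# Added example: consistency check for std<offset>dst time zone values.
# The reference table below is constructed and covers four US zones only.

# expected_offset ABBR -> hours added to local standard time to reach UTC
expected_offset() {
    case "$1" in
        EST) echo 5 ;; CST) echo 6 ;; MST) echo 7 ;; PST) echo 8 ;;
        *) return 1 ;;
    esac
}

# expected_dst ABBR -> daylight designation that pairs with ABBR
expected_dst() {
    case "$1" in
        EST) echo EDT ;; CST) echo CDT ;; MST) echo MDT ;; PST) echo PDT ;;
        *) return 1 ;;
    esac
}

# tz_check VALUE -> prints one of: ok, mismatch, unknown, unparsed
tz_check() {
    tz=$1
    std=${tz%%[!A-Za-z]*}        # leading letters: standard designation
    rest=${tz#"$std"}
    offset=${rest%%[A-Za-z]*}    # sign and digits up to the next letter
    dst=${rest#"$offset"}        # trailing letters: daylight designation
    hours=${offset#+}
    hours=${hours%%:*}           # only the hour field is compared here
    [ "${#std}" -ge 3 ] || { echo unparsed; return; }
    case "$hours" in
        ''|-|*[!0-9-]*|?*-*) echo unparsed; return ;;
    esac
    want=$(expected_offset "$std") || { echo unknown; return; }
    [ "$hours" -eq "$want" ] || { echo mismatch; return; }
    [ -z "$dst" ] || [ "$dst" = "$(expected_dst "$std")" ] ||
        { echo mismatch; return; }
    echo ok
}

# Constructed sample values: one consistent, two inconsistent.
for v in PST8PDT EST8EDT PST8EDT; do
    printf '%s -> %s\n' "$v" "$(tz_check "$v")"
done
```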



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
