Unit 4: Unix/Linux Forensics Analysis
4.1 Unix/Linux Forensics Analysis: MAC Times

>> We have talked about MACTIMEs in previous lessons.

In Linux/Unix file systems, MACTIMEs are the timestamps of the latest modification, access, and change of inode content of a certain file.

More specifically, M means the last time the file's data block was changed.

A is the last time the file's data block was accessed.

C records the last time the file's inode content was changed.

Remember, in Windows, C means a file's creation time.

Please be aware of the keyword last: if you modify a file several times, MACTIME will only show the last time the file was written or accessed.

In digital forensic analysis, we use MACTIMEs to create a timeline of activities.

Timeline analysis helps us reconstruct data to identify when activities occurred on a computer and in what sequence.

For example, a rootkit installation leaves a number of files with timestamps very close to one another; however, MACTIMEs can be easily changed by attackers.

The Linux/Unix command touch is able to change both access and modification times.

A free utility in Windows systems called timestamp will change all three timestamps in the Windows file system.

MACTIMEs are sensitive to change within the system.

Running a single command, for example copy, will change the last access time of a file; therefore, you should always grab the MACTIME information before running other commands on a system.

Next let's look at utilities that create MACTIME lines for us.


MACTIME from Sleuth Kit takes a data file as input and sorts the data to create a timeline.

In general, creating a timeline takes two steps.

First, you should generate a data file as an input for MACTIME.

The data file contains timestamps, file names, and other information.

For example, both FLS and ILS can create such a data file, using the -m option.

In an FLS command, the option -r is recursive; -m / instructs FLS to display output in a MACTIME input format with slash as the mount point of the image.

In an ILS command, we use -m without the slash since the output from ILS does not have file name information.

Once we have the data file, we can run MACTIME to sort the files to create a timeline, focusing on dates and times.

If you are only interested in a certain time range of the timeline, MACTIME will only display the files with MACTIME lines in the specified time range.

A timeline produced by MACTIME looks like this.


MACTIME sorts files based on date and time.

It starts with the day, in our case Saturday, followed by month, date, year, and the time in hours, minutes, and seconds.

The next field is the file size, followed by a combination of three characters -- M, A, and C -- followed by permissions, UID, GID, and a file name.

When looking at the characters after the file size, A indicates that the displayed date and time is the last access time.

M indicates that the displayed date and time is the last modification time.

C indicates the last inode change time.

".A." means the timestamp is only for the A time and that the same file was last modified and changed at a later time.

In our example, file A was last accessed at 16:40:20; it was last modified at 16:45:56.

Its inode content was also changed at 16:45:56.

If the A time, M time, and C time were all last changed at the same time, you will see MAC together.

In our example, file B's MACTIMEs were last changed on Saturday, December 12, 2016 at 16:45:56.

When you create a new file, you should always see the MAC combination.

You should also notice from the timeline that many files have their last MAC timestamps at 16:40:23 -- that means some activity such as downloading or compiling occurred at that time, since a human is not able to change that many files within one second.

A forensic investigator will always look closely into these kinds of gaps.

If we create data files using ILS or FLS, deleted files are also included in the data files.

Here is an example of timelines created from FLS and MACTIME.

Each entry in that list contains timestamps, metadata information, and also file names.

Please be aware that timelines created from ILS and MACTIME will not have the file name information.

In some entries you will see that "deleted" or "deleted reallocate" is presented after the file name.

"Deleted" at the end indicates the file entry is a deleted file; therefore, its content may be recoverable if the data blocks have not yet been overwritten.

"Deleted reallocate" indicates that the file's inode has already been assigned to another file even though its file name and inode mapping has not yet been overwritten.

In our example, we know that there is a file called file1.

Its metadata has been overwritten.

And we do not know where its data blocks are located and whether the data blocks have been overwritten.

The third file is a normal file entry just like you normally see from ls -l output.

 

MAC Time Demo

 

>> We have learned in this unit that MAC times are the timestamps of the latest modification, access, and inode change time.

In the first part of this demo, let's look at what actions will make MAC times change.

And then in the second part of this demo-- I will use the Sleuth Kit mactime command to create the timeline of a file.

So, first, let's look into the MAC times.

Now, I'm inside of a temp directory, which currently has nothing in it, and let me create a file; I can use touch to create a file.

Now, touch is an interesting command.

OK? If my file is a new file, if you touch it, it will create it with all the timestamps being the-- what the time-- the time when we-- I run this touch command.

If I touch an existing file, I will not change any of the existing file's content, but that file's modification and access times change to the current time.

Since my file is new, we should now see it.

It's created.

Size is zero because touch does not really modify-- does not touch upon the content.

So, for this one, ls lists one of the timestamps by default.

By default it is the MAC time, and then you can use ls-- you can use ls with the other options to list the access time and change time.

But here I use stat.

OK. Use stat to show you all of the timestamps.

And normally I say there are three timestamps; sometimes they also add a fourth one, born.

When was the file created?

OK. In the Windows case, we will often see there are four timestamps.

I will talk about that later.

So, here the access time, modification time, and change time are all the same as this.

The current time.


OK. Now, I-- if I say more my file, and we wait for a couple of seconds because I want to see what-- second-- after a couple of seconds, which timestamps change.

OK. That should be enough.

If I do more, so to read this file content, all right, to read this file content, see whether I can change anything, but currently I don't have anything to read, but anyway I do more.

My file. Certainly, the content has nothing, but now if we do stat again, let's compare the stat with the previous case.

All right.

So, the access time changed now.

The access time now is 43:21 and all the other ones, the modification time and then the change time, remained the same.

Remained the same.

OK? So, those did not change.

So, if you read a file without modifying anything, only the access time changes.

Only the access time changed.

Now let's modify the content.

OK. I'm going to do it in a lazy way and I say echo hello and append-- oops, not too many.

Append that to my file.

So, I modified the content.

Now, original does nothing that current now.

If you look into that, I cannot do more because it will change the timestamp.

So, now I did-- only did one action.

I said modify the content.

Let's do a stat again.

Now, in this case, the access time remained the same.

Remained the same as the previous one when we did more.

OK? And then this-- the change time and the modification time changed after I changed the content.

OK? So, that's how-- you can try all that at home to find out which action really changes which timestamp.

All right?

And then how about I use touch?

If I use touch on the existing file, it will change two timestamps.

One is the modification and one is the access.

All right?

Those timestamps can be changed.

If you don't specify any date format, then it will change to the current time, but then an attacker says I want to change to whatever date and time I want because they want to change-- go back to the date and time to hide information.

To pretend this file has never been changed.

So, we know if you touch a file, an existing file, you will change the timestamp to be the current time.

For example, if I touch my file again and I do stat my file, then all the timestamps will change to the current time.

Now, if an attacker wants to modify intentionally for a given timestamp, whether they can do that.

Now, the best way is you use the man page.

man touch, to learn what is-- the command's function.

Each function actually-- they do provide man instructions.

So, it tells you what touch is and what the options are.

If you look into that, you can change the access time using -a. So, if I only want to change the access time, then you use -a, and then you can also change the-- -m is the modification time.

OK? -m changes only the modification time.

Touch does not allow you to change the change time by providing a certain time, so you can only intentionally change the access time and the modification time.

You can even give a certain date format for the date and time you want to change to.

All right.

Let's quit and come back to the touch command.

Now, if we do touch, we only want to change the access time.

OK. And we want the time-- the date and time to look like going back.

That's today, 17.

January 31st.

At a certain time.

Whatever I make up.

OK? A certain time.

And make this change for my file.

Now, if you do the stat again, you will see the access time intentionally changed.

Changed to the time I specified in the command.

And you can do that for -m, modification time, as well.

But you cannot intentionally change the change time.

OK. So, that's the first part.


And then the next part-- let's get back to mactime.

So, in the previous video demo, I create-- used FLS and ILS to create two bodies, and when we ran FLS and ILS I intentionally used the -m option, which it says creates a body file for mactime.

So, mactime has to rely on a body file and it only sorts the body file to-- based on the times-- based on the time; that's why it's called the time-- mac times.

So, if you look at my desktop here, I have two files.

These files I created using FLS and ILS.

If you forgot how I did-- how I got those files, you can go back to the Sleuth Kit command line demo to find out how I got those two files.

I will not repeat the process here.

So, now with those two files here, it is very easy for me to use mactime.

To use mactime to sort this file.

OK. So, the command I run is mactime and, once again, if you don't know how this mactime works, do a man mactime.

OK? To understand how does-- how to run this mactime.

The option is very simple because it requires a body file.

So, -b means body.

Then I grab one in here.

So, this is the body file I want to create.

Now, if I push enter, that will-- the output will be on the screen, but I want to redirect.

And then one more option I would like to add is -d, which says-- puts a delimiter as a comma separator.

It's easy for me to read later on; then I create a file called mactime FLS.

I want to give myself meaningful information.

And I give it to be CSV and to be easy to open it up.

OK. So, let's create that.

OK. So, this file is created; now let's open it.

So, if-- now if you look into it, it gives you very clear information about this is the time.

So, here this happened at the same time what happened.

OK? So, this is the-- at this particular time, those files changed.

This file changed MAC time.

Now, I have already talked about that, the MAC here, and then now in this case it uses four timestamps, MAC and the birth.

OK? If there's a dot, it means M. M does not change here.

M is changing later.

You will find the same file name and then modified later, but in this case, only access.

Last access is here.

So, this file actually is never accessed again later because that's the latest access time.

Latest access time.

And then for this file, for example, the last modified and the last changed time is at this particular second.

That means it will never be modified and then changed again later, but it is accessed later.

It is accessed later.

So, that's why the A is missing.

OK. So, in this way, it's very easy to sort it on the-- based on the sec time-- date time and then back to seconds-- sort all of the information.

If you see the same seconds happen-- have a long, long chunk happen in the same second, that means some nonhuman action happened, like compile and all those actually happened, and you should pay attention to it.

And, definitely, we also created last time-- we also created the ILS body, and you can use mactime the same way to create a CSV file and to look at the ILS body.

So, then for that file, the difference between FLS is this file does not-- the ILS body does not contain file name information.

That's the only difference.

All right.

So, I will stop here.

Hope for-- hopefully you enjoy it.
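Added example, written for this page and not Sleuth Kit's own code: a simplified mactime in Python that covers the body-file-to-timeline procedure from both the lecture and the demo. It parses TSK 3.x body lines of the kind fls -m / -r and ils -m produce, builds the letters-and-dots M/A/C/B column described above, supports a time-range filter, and flags seconds in which many files changed; the body lines, file names and the "(deleted-realloc)" suffix are constructed for the example, and the row layout only approximates mactime's.

```python
"""Added example (not Sleuth Kit code): a simplified mactime that sorts a TSK 3.x body
file (fls -m / -r or ils -m output) into a timeline and flags one-second bursts."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body lines. TSK 3.x fields (times are epoch seconds, 0 = unknown):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/fileA|12|r/rrw-r--r--|1000|1000|42|1481560820|1481561156|1481561156|0
0|/fileB|13|r/rrw-r--r--|1000|1000|10|1481561156|1481561156|1481561156|0
0|/src/a.c|20|r/rrw-r--r--|0|0|300|1481560823|1481560823|1481560823|0
0|/src/b.c|21|r/rrw-r--r--|0|0|310|1481560823|1481560823|1481560823|0
0|/src/c.c|22|r/rrw-r--r--|0|0|320|1481560823|1481560823|1481560823|0
0|/file1 (deleted-realloc)|9|r/rrw-r--r--|1000|1000|0|1481560823|1481560823|1481560823|0
"""
FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))

def parse_body(text):
    """Yield one dict per body line; reject anything that is not 11 pipe-separated fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"not a TSK body line: {line!r}")
        yield {"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4], "gid": f[5],
               "size": int(f[6]), "atime": int(f[7]), "mtime": int(f[8]),
               "ctime": int(f[9]), "crtime": int(f[10])}

def timeline(text, start=None, end=None):
    """Return [(epoch, flags, entry)] sorted by time, one row per (second, file).
    Flags read like mactime's: a letter where that timestamp falls in this second, a
    dot where the file's other timestamp lies elsewhere ('m.c.' = mtime and ctime now,
    atime at another second; 'mac.' = all three equal, crtime unknown). start/end
    (epoch seconds) restrict the output to a range, like mactime's date-range argument."""
    rows = defaultdict(dict)
    for e in parse_body(text):
        for letter, key in FLAGS:
            t = e[key]
            if t == 0 or (start is not None and t < start) or (end is not None and t > end):
                continue
            row = rows[(t, e["name"], e["inode"])]
            row.setdefault("entry", e)
            row[letter] = True
    return [(t, "".join(l if d.get(l) else "." for l, _ in FLAGS), d["entry"])
            for (t, _n, _i), d in sorted(rows.items())]

def format_row(t, flags, e):
    """Day, date, time, size, MAC flags, permissions, UID, GID, inode, name (UTC)."""
    when = datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {e['size']:>6} {flags} {e['mode']} {e['uid']} {e['gid']} {e['inode']} {e['name']}"

def bursts(rows, threshold=3):
    """Seconds in which at least `threshold` distinct files got a timestamp: more files
    than a person changes by hand in one second, so worth a closer look."""
    per_sec = defaultdict(set)
    for t, _flags, e in rows:
        per_sec[t].add(e["name"])
    return sorted((t, len(n)) for t, n in per_sec.items() if len(n) >= threshold)
```

Printing `format_row(*r)` for each row of `timeline(SAMPLE_BODY)` gives the lecture's picture: fileA appears once as ".a.." and later as "m.c.", fileB as "mac.", and `bursts` reports the one second in which four files changed.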

 

Reposted from: https://www.cnblogs.com/sec875/articles/10015604.html
