Methodology

Time and Forensics

by Simon Biles

Time fascinates me. It has an amazing history and it has some great “toys”. One of my favourite quotes of all time is from Groucho Marx: “Time flies like an arrow, fruit flies like a banana.” I was also bitterly disappointed to hear this week that time travel isn’t possible [1] – so if you see a second-hand flux capacitor on eBay, it might be mine …

If you haven’t been to the base of time at the Royal Observatory in Greenwich [2] I’d thoroughly recommend it (they’ve also moved the London Planetarium down there, which I’ve not seen, but I understand is great) – there is an excellent museum there showing the development of timekeeping technology and the impact it has had on history. You can also jump the meridian and move from the Eastern to the Western hemisphere and back again.

In terms of “toys” – time is amazing – I have two main watches [3] at opposite ends of the spectrum – my “rough” watch is a Casio G-Shock – radio controlled [4], solar powered and nigh on indestructible (although my son broke his …) – my “dress” watch is a Swiss watch still using real clockwork, that is beautifully visible through the case, that I have to wind up and manually set – both are amazing in their own way – on one side technology that could never have been imagined by the first watch maker, on the other something that he would recognise, but would only have dreamt of the tools and refinement that are available to manufacture it today.

The other amazing thing about time is that its passage can, to the observer at least, be decidedly variable. I’ve sat in lessons that seemed to last far longer than they actually did, and yet, in exams for the same subject, there seemed to be far less time than was allocated, and far, far less than was needed! Time is different even depending on the location of the observer – lunchtime in the UK can be breakfast in the US. And it does, genuinely, slow down as you travel faster [5].

The truth of the matter, though, is that time, however you measure it, is both measurable and unvarying. A second is a second [6], a minute sixty seconds, an hour sixty minutes and so on [7]. And, until proved otherwise, one moment follows another and there is no going back. If something happened, it has happened, it happened at its place in time, and there is nothing that you can do about it now.

And this is where the Forensic Analyst steps in – the reconstruction of a sequence of events over a period of time is what the whole task is about – it’s absolutely no use knowing that a computer was used to do something if you can’t show that Joe Bloggs [8] was there _at the same time_.

In the security world, we like time as well. We synchronise things all over the place, be they multi-factor authentication tokens (a one-minute lifespan for RSA SecurID tokencodes) or Kerberos tickets (by default, a clock skew of more than five minutes between client and KDC gets the request rejected). We have even been known to restrict access according to the clock – the bank opens at 9am, therefore we won’t allow the safe to open any earlier than 8:55am – and the same can be true of banking computer systems. We also care about the order in which things happen – race conditions [9] are a real pain and very easy to create (and in fact, I had to modify the code of PitchLake in order to get rid of one that I’d missed).

My Forensic mentors taught me to be very careful of time – to look at what the system clock is reading, to look for changes to the clock in the logs, to be wary of time zones and to correlate wherever possible. I didn’t have any Security mentors, sadly, but I learnt early on, as a SysAdmin running a heterogeneous network, that time synchronisation is a very useful thing – diagnosing problems between machines whose logs don’t line up is a nightmare! When I wrote about Kerberos [10], one of the very first chapters that I did was on time synchronisation.
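To make that advice concrete, here is an added example (my own, not code from the article or its author) in Python. It takes two constructed logs that use different conventions – a syslog file with no year and no zone, and a workstation log with ISO 8601 offsets – normalises everything to UTC, flags a point where one host’s clock was set backwards, and shows how the naive timeline puts events in the wrong order until the step is accounted for. The host names, log lines, the year supplied to the syslog parser and the assumed UTC+1 zone are all made up for illustration.

```python
"""Build a UTC-normalised timeline from logs with different time conventions
and flag clock steps.  Added example; every log line below is constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple

UTC = timezone.utc
BST = timezone(timedelta(hours=1))  # assumption: workstation clock on UK summer time

class Event(NamedTuple):
    utc: datetime   # timestamp normalised to UTC
    source: str     # host that wrote the line
    raw: str        # original line, kept for the report

# Constructed server syslog: no year, no zone (assumed UTC when parsed).
SRV_LINES = [
    "Jul 26 12:02:12 srv01 sshd[2010]: Accepted password for jbloggs from 192.0.2.7 port 51022",
    "Jul 26 12:02:15 srv01 sshd[2010]: session opened for user jbloggs",
    "Jul 26 12:03:01 srv01 sudo: jbloggs : COMMAND=/bin/cat /etc/shadow",
]
# Constructed workstation log: ISO 8601 with explicit +01:00 offset.
# The third line records the clock being set back; every later line carries the wrong time.
WS_LINES = [
    "2011-07-26T13:01:58+01:00 ws01 logon user=jbloggs",
    "2011-07-26T13:02:09+01:00 ws01 ssh-client connect 198.51.100.5",
    "2011-07-26T12:45:00+01:00 ws01 clock adjusted by user",
    "2011-07-26T12:45:30+01:00 ws01 file-delete C:\\Users\\jbloggs\\tools\\putty.exe",
]

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def parse_syslog(line: str, year: int, zone: timezone) -> Event:
    """Classic syslog lines carry neither year nor zone; both must come from
    context (file mtime, the host's configured zone) and be noted as assumptions."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed syslog line: {line}")
    local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return Event(local.replace(tzinfo=zone).astimezone(UTC), m.group(2), line)

def parse_iso(line: str) -> Event:
    """Lines with an explicit offset need no assumption: convert straight to UTC."""
    stamp, host, _msg = line.split(" ", 2)
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"no zone on line: {line}")
    return Event(dt.astimezone(UTC), host, line)

def find_clock_steps(events: List[Event],
                     max_gap: timedelta = timedelta(minutes=5)) -> List[Tuple[int, timedelta]]:
    """Walk ONE log in file order (the order lines were written, not sorted).
    A timestamp that goes backwards can only mean the clock was changed; a
    forward jump larger than max_gap may be idle time or a forward step and
    deserves a look.  Returns (index, delta) for each suspicious boundary."""
    steps = []
    for i in range(1, len(events)):
        delta = events[i].utc - events[i - 1].utc
        if delta < timedelta(0) or delta > max_gap:
            steps.append((i, delta))
    return steps

def rebase_after_step(events: List[Event], step_index: int, delta: timedelta) -> List[Event]:
    """Undo a step for events from step_index onward, on the assumption that the
    clock was stepped once and ran normally afterwards.  The raw line is kept so
    a report can show both the recorded and the corrected time."""
    fixed = list(events[:step_index])
    fixed.extend(Event(ev.utc - delta, ev.source, ev.raw) for ev in events[step_index:])
    return fixed

def build_timeline(*logs: List[Event]) -> List[Event]:
    """Merge any number of normalised logs into one list ordered by UTC time."""
    return sorted((ev for log in logs for ev in log), key=lambda ev: ev.utc)

if __name__ == "__main__":
    srv = [parse_syslog(line, 2011, UTC) for line in SRV_LINES]
    ws = [parse_iso(line) for line in WS_LINES]
    steps = find_clock_steps(ws)
    for idx, delta in steps:
        print(f"ws01: clock step of {delta} before: {ws[idx].raw}")
    print("\nNaive timeline (post-step events sort first, which is wrong):")
    for ev in build_timeline(srv, ws):
        print(ev.utc.strftime("%H:%M:%S"), ev.source, ev.raw)
    if steps:
        print("\nTimeline with the step undone:")
        for ev in build_timeline(srv, rebase_after_step(ws, *steps[0])):
            print(ev.utc.strftime("%H:%M:%S"), ev.source, ev.raw)
```

Run stand-alone it prints the detected 17-minute backwards step and both timelines. In the naive ordering the file deletion on ws01 appears to precede the logon, which is impossible; once the step is undone it lands between the SSH session opening and the sudo on srv01, where it belongs. The rebase is only valid under the stated assumption of a single clean step, which is exactly the kind of thing to write down in the report.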

Fortunately, from everyone’s point of view, as time synchronisation becomes more of an issue with networked and distributed services (that’s “cloud computing” in marketing speak) we should see a far better implementation of a universal time across all computers. The Network Time Protocol [11] (NTP) is well defined and implemented now in pretty much anything that you might come across – I’ve just put an NTP client on my Android phone, for example! [12] Ultimately this will mean that, when we see a time in a log, we can, more or less (verify _EVERYTHING_ – that the host really was synchronising, to which source, and with what offset), accept that it is the truth.

As a parting shot, I leave you with the dulcet tones of the speaking clock, which is 75 years old this month [13] – it shares its number with the port number for NTP – 123 …

At the third stroke the time will be …

About the Author Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

[1] http://www.theregister.co.uk/2011/07/26/time_travel_disproven/

[2] http://www.nmm.ac.uk/places/royal-observatory/

[3] Yeah, I know – but there are so many beautiful watches! I’m working on it …

[4] http://www.npl.co.uk/science-technology/time-frequency/time/products-and-services/msf-radio-time-signal

[5] http://en.wikipedia.org/wiki/Time_dilation

[6] The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the caesium 133 atom. ( Thank you Wikipedia ! )

[7] Although a day isn’t actually 86,400 seconds … A mean solar day is very slightly longer than that, which is why every so often a leap second is inserted into UTC to make up the gap. (Leap years fix a different mismatch: a year isn’t a whole number of days.)

[8] A.K.A John Doe for our American friends.

[9] http://en.wikipedia.org/wiki/Race_condition

[10] http://www.thinking-security.co.uk/BUDS.pdf

[11] http://www.ntp.org

[12] http://www.androidtapp.com/clocksync/

[13] http://www.reghardware.com/2011/07/22/speaking_clock_celebrates_75_year_anniversary/
