Time Zone Artifacts

Time zone and clock information are vital points in an investigation. An examiner must be able to confirm the time zone setting to make accurate representations of dates retained on disk. Likewise, the examiner must confirm the system clock for accuracy. OS X incorporates various settings to ensure the system time is accurate.

 

 

The ‘Date & Time’ preference pane, found in the user's 'System Preferences' window, includes specific settings of importance. This first setting is in the sub-pane, which is also named ‘Date & Time.' It contains the checkbox Set date and time automatically and allows the user to select a time server to connect to, depending on the desired region. For automatic time zone adjustments to occur, a user must have Wi-Fi enabled and an internet connection properly established.

 

 

The second setting is found within the sub-pane of ‘Date & Time’ called ‘Time Zone.’ It contains options for automatically setting the time zone based on the user’s location, as well as the ability to manually set the time zone if desired. When Set time zone automatically using current location is enabled, the ‘System Preferences’ pane will show a red pin designating the user’s location.

 

 

The last setting, separate from the OS X time zone setting, is part of the calendar application "Calendar" (or iCal on older Macs). The application has its own internal handling of time zones. "Time zone support" is enabled within Calendar by navigating to the Calendar Preferences, selecting the advanced tab, and enabling the "Turn on time zone support" checkbox.

The system clock must be accessed with the Mac live, using a tool such as MacQuisition, the Recovery hard drive, or Single User Mode if available. The settings noted above are all found during analysis in the respective .plist files on the system.

Armed with all of this information, an analyst can properly show off system date stamps, embedded date stamps within files, and overall, compile a more meaningful report of analysis.

Leave a Reply

Sorry, you must be logged in to post a comment.