Saturday, March 8, 2014

Daylight Savings Time Exploration

Daylight saving time changes, the way the operating system applies them, and the way file system and application logs record them can "eat your lunch" in a case if you are not prepared. User actions are the artifacts you are supposed to reveal, and being off by an hour in your analysis can be devastating to the case. So don't just read about the registry keys and the concept of the time change: verify how the change takes effect before you are faced with a case that turns on it.

Monitor the changes overnight as they happen

March and November are the months that give you the opportunity to test the effects of daylight saving time changes in real time.  The day before the change, create a simple batch file that creates a file on your system once a minute.  It will keep creating files as the clock rolls over and the daylight saving time change takes effect. 

Create the following batch file and schedule it to run from 11 PM to 4 AM:

REM monitor.bat - runs once a minute across the DST change. Each run leaves a file whose
REM name carries the LOCAL time at which it ran, while NTFS stores the timestamps in UTC.
REM schedule with (one line; the /TR path must not wrap):
REM C:\Windows\system32>schtasks /create /TN daylight_change /SC MINUTE /MO 1 /TR c:\monitor.bat /SD 03/08/2014 /ED 03/09/2014 /ST 23:00 /ET 04:00
REM if not using /K to terminate the task at /ET, remove it manually afterwards with
REM schtasks /delete /TN daylight_change /f
REM you can also schedule tasks in the GUI by running
REM control schedtasks
REM or
REM taskschd.msc
@echo OFF
REM date /T and time /T print in the regional format; the token positions below assume
REM en-US output such as "Sat 03/08/2014" and "11:00 PM". Check yours before relying on them.
for /f "tokens=2-4 delims=/ " %%a in ('date /T') do (set "month=%%a" & set "day=%%b" & set "year=%%c")
for /f "tokens=1-3 delims=:/ " %%a in ('time /T') do (set "hour=%%a" & set "minute=%%b" & set "tod=%%c")
REM do not call the variable "time": that shadows the built-in %TIME%
REM name format matches the listing below, e.g. file03092014-01_54_AM.txt
set "stamp=%month%%day%%year%-%hour%_%minute%_%tod%"
if not exist c:\temp mkdir c:\temp
dir c:\ > "c:\temp\file%stamp%.txt"

Note: On Windows XP, schtasks does not support /ET, and /ST must be in HH:MM:SS format, i.e. 23:00:00.

Code it to Learn It
Write code against the SYSTEMTIME structure that Microsoft uses; understanding it will help in other structure analysis later as you investigate new artifacts.  Understanding structures develops the pattern recognition you need for closed-source systems where low-level analysis is required, and structures are easier to grasp for someone new to programming after running some code that uses them.  The TimeZoneInformation registry key is a good example of SYSTEMTIME usage, and you can use its values to verify your understanding of how structures are stored.  Pay attention to data types, especially the size of WORD (16 bits, so each field occupies two bytes in the REG_BINARY value).  You can compile the following code in Visual Studio, which should be free to download for students from DreamSpark ( https://www.dreamspark.com/ ), or use a free compiler like Dev-C++ ( http://sourceforge.net/projects/orwelldevcpp/ ).

Always use reliable resources as you form your opinion on how data structures work: read the vendor's or developer's documentation, not someone else's interpretation.

http://msdn.microsoft.com/en-us/library/ms724950(v=VS.85).aspx

/*
Read time zone information from the registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
Value 2
  Name:            StandardStart
  Type:            REG_BINARY
  Data:           
00000000   00 00 0b 00 01 00 02 00 - 00 00 00 00 00 00 00 00
Value 6
  Name:            DaylightStart
  Type:            REG_BINARY
  Data:           
00000000   00 00 03 00 02 00 02 00 - 00 00 00 00 00 00 00 00

Understand the SYSTEMTIME structure (http://msdn.microsoft.com/en-us/library/ms724950(v=VS.85).aspx):
          typedef struct _SYSTEMTIME {
                WORD wYear;                // 1601 - 30827 
                WORD wMonth;               // Jan(1) - Dec(12)
                WORD wDayOfWeek;           // Sun(0) - Sat(6)
                WORD wDay;                 // 1 - 31
                WORD wHour;                // 0 - 23
                WORD wMinute;              // 0 - 59
                WORD wSecond;              // 0 - 59
                WORD wMilliseconds;        // 0 - 999
         } SYSTEMTIME, *PSYSTEMTIME;

Each WORD is 16 bits stored little-endian, so a REG_BINARY value is decoded two bytes
per field in declaration order:
  offset  0  wYear          0 = recurring rule rather than a specific year
  offset  2  wMonth         1 - 12
  offset  4  wDayOfWeek     0 = Sunday
  offset  6  wDay           with wYear 0: which occurrence of wDayOfWeek in the month (1 - 4, 5 = last)
  offset  8  wHour          local time at which the switch happens
  offset 10  wMinute
  offset 12  wSecond
  offset 14  wMilliseconds
Decode the dumps above by hand and compare with the rule you expect for your zone
(for a US zone, StandardStart should read November / Sunday / first occurrence / 02:00).
If the decoded fields do not make sense as a rule, recheck your copy of the dump:
one dropped or duplicated byte pair shifts every later field.
*/
//Experiment with time values
#include <windows.h>  // GetSystemTime, GetLocalTime, GetTimeZoneInformation, SYSTEMTIME
#include <iostream>   // cin, cout, endl
//#include <stdio.h>  //printf
#include <fstream>    // ofstream - file stream handling
#include <ctime>      // time_t, time(), localtime() / localtime_s()
#include <iomanip>    // setw(), setfill()
using namespace std;

// Print a SYSTEMTIME field by field so the output lines up with the registry dump
static void printTransition(ostream& out, const char* label, const SYSTEMTIME& t)
{
    out << label << ": wYear=" << t.wYear << " wMonth=" << t.wMonth
        << " wDayOfWeek=" << t.wDayOfWeek << " wDay=" << t.wDay
        << " wHour=" << t.wHour << " wMinute=" << t.wMinute << endl;
}

int main()
{
    ofstream outFile;
    //log the file times into c:\temp\time_output.txt by appending the values
    outFile.open("c:\\temp\\time_output.txt", ios::app);
    SYSTEMTIME st, lt;

    GetSystemTime(&st);   // UTC
    GetLocalTime(&lt);    // UTC adjusted by the bias currently in force (standard or daylight)

    //printf("The system time is: %02d:%02d\n", st.wHour, st.wMinute);
    //printf(" The local time is: %02d:%02d\n", lt.wHour, lt.wMinute);

    // zero-pad both fields so 07:05 is not printed as 7:5
    cout << "The system time is: " << setfill('0') << setw(2) << st.wHour << ":" << setw(2) << st.wMinute << endl;
    cout << " The local time is: " << setw(2) << lt.wHour << ":" << setw(2) << lt.wMinute << endl << endl;

    outFile << "The system time is: " << setfill('0') << setw(2) << st.wHour << ":" << setw(2) << st.wMinute << endl;
    outFile << " The local time is: " << setw(2) << lt.wHour << ":" << setw(2) << lt.wMinute << endl;

    // The same rules the registry key holds, as the API hands them out
    TIME_ZONE_INFORMATION tzi;
    DWORD tzState = GetTimeZoneInformation(&tzi);   // TIME_ZONE_ID_STANDARD or TIME_ZONE_ID_DAYLIGHT
    cout << "Bias (minutes, UTC = local + Bias): " << tzi.Bias
         << (tzState == TIME_ZONE_ID_DAYLIGHT ? "  [daylight time in effect]" : "  [standard time in effect]") << endl;
    printTransition(cout, "StandardDate", tzi.StandardDate);
    printTransition(cout, "DaylightDate", tzi.DaylightDate);
    printTransition(outFile, "StandardDate", tzi.StandardDate);
    printTransition(outFile, "DaylightDate", tzi.DaylightDate);

    outFile.close();
/*  
   struct tm {
  int tm_sec;   // seconds after the minute, 0 to 60 (60 allows a leap second)
  int tm_min;   // minutes after the hour, 0 to 59
  int tm_hour;  // hours since midnight, 0 to 23
  int tm_mday;  // day of the month, 1 to 31
  int tm_mon;   // months since January, 0 to 11
  int tm_year;  // years since 1900
  int tm_wday;  // days since Sunday, 0 to 6
  int tm_yday;  // days since January 1st, 0 to 365
  int tm_isdst; // daylight saving flag: >0 in effect, 0 not in effect, <0 unknown
}
*/

   // current date/time based on the system clock
   time_t now = time(0);
   cout << "Number of seconds since January 1, 1970: " << now << endl << endl;
#ifdef _MSC_VER
   tm timeinfo;
   localtime_s(&timeinfo, &now);   // Visual Studio rejects the older localtime() by default
   tm *ltm = &timeinfo;
#else
   tm *ltm = localtime(&now);
#endif

   // print various components of the tm structure; only tm_year and tm_mon need an offset added
   cout << setfill(' ');
   cout << " Year: " << setw(11) << 1900 + ltm->tm_year << endl;
   cout << "Month: " << setw(11) << 1 + ltm->tm_mon << endl;
   cout << "  Day: " << setw(11) << ltm->tm_mday << endl;
   cout << " Time: " << setfill('0') << setw(2) << ltm->tm_hour << ":"
        << setw(2) << ltm->tm_min << ":" << setw(2) << ltm->tm_sec
        << (ltm->tm_isdst > 0 ? "  (DST in effect)" : "") << endl;

    return 0;
}

Note: Visual Studio flags localtime() as unsafe (warning C4996) and rejects it outright when its default SDL checks are on.  Use localtime_s() instead:
struct tm timeinfo;
localtime_s(&timeinfo, &now); 
        cout << " Year: " << setw(11) << 1900 + timeinfo.tm_year << endl;
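To work through the decode without a Windows box (for instance against a hive exported from an image), here is an added example in portable C++; it is not part of the original post. It assembles each WORD from the registry bytes explicitly, then resolves the rule to an actual calendar date for a given year, which is what the OS does when it decides when to switch. The two hex strings in main are constructed samples in the form the key stores them (the common US rule) and not a dump from any particular machine; the function names are my own.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Mirror of the Win32 SYSTEMTIME layout: eight 16-bit WORDs, little-endian in the registry blob.
struct SystemTime {
    uint16_t wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds;
};

// Turn a registry-editor style hex dump ("00 00 03 00 ...") into bytes.
std::vector<uint8_t> hex_to_bytes(const std::string& hex) {
    std::vector<uint8_t> out;
    std::istringstream in(hex);
    std::string tok;
    while (in >> tok) out.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
    return out;
}

// Decode a 16-byte REG_BINARY SYSTEMTIME. Each WORD is assembled by hand so the result
// does not depend on the host's byte order or on struct padding.
SystemTime parse_systemtime(const std::vector<uint8_t>& blob) {
    if (blob.size() < 16) throw std::runtime_error("SYSTEMTIME needs 16 bytes");
    uint16_t w[8];
    for (int i = 0; i < 8; ++i)
        w[i] = static_cast<uint16_t>(blob[2 * i] | (blob[2 * i + 1] << 8));
    return SystemTime{w[0], w[1], w[2], w[3], w[4], w[5], w[6], w[7]};
}

// Sakamoto's day-of-week algorithm: 0 = Sunday, the same convention as wDayOfWeek.
int day_of_week(int y, int m, int d) {
    static const int t[] = {0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4};
    y -= m < 3;
    return (y + y / 4 - y / 100 + y / 400 + t[m - 1] + d) % 7;
}

int days_in_month(int y, int m) {
    static const int dim[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    const bool leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return (m == 2 && leap) ? 29 : dim[m - 1];
}

// Resolve a transition rule to the day of the month for a given year.
// wYear == 0 is the recurring "day-of-week" form: wDay is the occurrence (1..4, 5 = last)
// of wDayOfWeek within wMonth. Any other wYear is an absolute date and wDay is the day.
// Returns 0 when the value holds no usable rule (e.g. wMonth == 0 for a zone without DST).
int transition_day(const SystemTime& rule, int year) {
    if (rule.wMonth < 1 || rule.wMonth > 12) return 0;
    if (rule.wYear != 0) return rule.wDay;
    if (rule.wDayOfWeek > 6 || rule.wDay < 1 || rule.wDay > 5) return 0;
    const int first = day_of_week(year, rule.wMonth, 1);          // weekday of the 1st
    int day = 1 + (rule.wDayOfWeek - first + 7) % 7 + 7 * (rule.wDay - 1);
    while (day > days_in_month(year, rule.wMonth)) day -= 7;      // wDay == 5: last occurrence
    return day;
}

void describe(const char* label, const SystemTime& rule, int year) {
    const int day = transition_day(rule, year);
    if (day == 0) { std::cout << label << ": no transition (zone without DST)\n"; return; }
    std::cout << label << ": wMonth=" << rule.wMonth << " wDayOfWeek=" << rule.wDayOfWeek
              << " wDay=" << rule.wDay << " wHour=" << rule.wHour
              << " -> " << year << "-" << rule.wMonth << "-" << day
              << " at " << rule.wHour << ":00 local\n";
}

int main() {
    // Constructed sample values in the form the key stores them (common US rule: DST starts
    // 2nd Sunday of March 02:00, standard time returns 1st Sunday of November 02:00).
    // Not a dump from any particular machine.
    const std::string kDaylightStart = "00 00 03 00 00 00 02 00 02 00 00 00 00 00 00 00";
    const std::string kStandardStart = "00 00 0b 00 00 00 01 00 02 00 00 00 00 00 00 00";
    const int year = 2014;
    describe("DaylightStart", parse_systemtime(hex_to_bytes(kDaylightStart)), year);
    describe("StandardStart", parse_systemtime(hex_to_bytes(kStandardStart)), year);
    return 0;
}
```

For 2014 the sample rules resolve to March 9 and November 2, which is exactly where the file listing below and the "fall back" schedule in the comment land. Feed the function the bytes from your own hive export and the year of the case to get the dates the evidence machine actually switched on; a zone without DST has all-zero DaylightStart and the function reports no transition.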


UTC time stamps provide a more consistent view of file metadata.  Each file name carries the local time at which monitor.bat ran; the Created, Modified and Accessed columns are the NTFS timestamps, which are stored in UTC.  The local names jump from 01:59 to 03:00 because the 02:00 hour never existed on the local clock, while the UTC values run on without a gap from 07:59 to 08:00, and the offset the pairs imply moves from UTC-6 to UTC-5.  An analyst who converts the UTC values with a single fixed offset will place every file created after 08:00 UTC an hour off.

Filename                   Size (bytes)  Created (UTC)                Modified (UTC)               Accessed (UTC)
file03092014-01_54_AM.txt  102262        2014-Mar-09 07:54:00.171875  2014-Mar-09 07:54:00.203125  2014-Mar-09 07:54:00.203125
file03092014-01_55_AM.txt  102262        2014-Mar-09 07:55:00.156250  2014-Mar-09 07:55:00.187500  2014-Mar-09 07:55:00.187500
file03092014-01_56_AM.txt  102262        2014-Mar-09 07:56:00.156250  2014-Mar-09 07:56:00.187500  2014-Mar-09 07:56:00.187500
file03092014-01_57_AM.txt  102262        2014-Mar-09 07:57:00.156250  2014-Mar-09 07:57:00.187500  2014-Mar-09 07:57:00.187500
file03092014-01_58_AM.txt  102262        2014-Mar-09 07:58:00.156250  2014-Mar-09 07:58:00.187500  2014-Mar-09 07:58:00.187500
file03092014-01_59_AM.txt  102262        2014-Mar-09 07:59:00.156250  2014-Mar-09 07:59:00.187500  2014-Mar-09 07:59:00.187500
file03092014-03_00_AM.txt  102262        2014-Mar-09 08:00:00.156250  2014-Mar-09 08:00:00.187500  2014-Mar-09 08:00:00.187500
file03092014-03_01_AM.txt  102262        2014-Mar-09 08:01:00.156250  2014-Mar-09 08:01:00.187500  2014-Mar-09 08:01:00.187500
file03092014-03_02_AM.txt  102262        2014-Mar-09 08:02:00.265625  2014-Mar-09 08:02:00.328125  2014-Mar-09 08:02:00.328125
file03092014-03_03_AM.txt  102262        2014-Mar-09 08:03:00.156250  2014-Mar-09 08:03:00.187500  2014-Mar-09 08:03:00.187500
file03092014-03_04_AM.txt  102262        2014-Mar-09 08:04:00.156250  2014-Mar-09 08:04:00.187500  2014-Mar-09 08:04:00.187500
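The check a practitioner would run over a listing like this, as an added example that is not part of the original post: take each file's local-time name and its UTC creation time, derive the UTC offset the pair implies, and report where that offset changes. The rows in kSamples are copied from the table above; the parsing functions and their names are mine. It is written in portable C++ so it can run over an exported file listing rather than on the evidence machine.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Rows copied from the listing above: local-time file name, NTFS creation time (UTC).
static const std::vector<std::pair<std::string, std::string>> kSamples = {
    {"file03092014-01_58_AM.txt", "2014-Mar-09 07:58:00.156250"},
    {"file03092014-01_59_AM.txt", "2014-Mar-09 07:59:00.156250"},
    {"file03092014-03_00_AM.txt", "2014-Mar-09 08:00:00.156250"},
    {"file03092014-03_01_AM.txt", "2014-Mar-09 08:01:00.156250"},
};

// Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's days_from_civil).
long days_from_civil(int y, unsigned m, unsigned d) {
    y -= m <= 2;
    const long era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = static_cast<unsigned>(y - era * 400);
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + static_cast<long>(doe) - 719468;
}

long minutes_since_epoch(int y, unsigned m, unsigned d, unsigned hh, unsigned mm) {
    return days_from_civil(y, m, d) * 1440L + hh * 60L + mm;
}

// "fileMMDDYYYY-HH_MM_AM.txt": the naming scheme of monitor.bat, in local 12-hour time.
bool parse_local_name(const std::string& name, long& minutes) {
    unsigned mo, d, y, hh, mm;
    char ampm;
    if (std::sscanf(name.c_str(), "file%2u%2u%4u-%2u_%2u_%cM.txt", &mo, &d, &y, &hh, &mm, &ampm) != 6)
        return false;
    if (ampm != 'A' && ampm != 'P') return false;
    hh %= 12;                          // 12 AM is 00 hours, 12 PM stays 12
    if (ampm == 'P') hh += 12;
    minutes = minutes_since_epoch(static_cast<int>(y), mo, d, hh, mm);
    return true;
}

// "2014-Mar-09 07:58:00.156250": the UTC column; sub-minute precision is dropped.
bool parse_utc_stamp(const std::string& stamp, long& minutes) {
    unsigned y, d, hh, mm;
    char mon[4];
    if (std::sscanf(stamp.c_str(), "%4u-%3s-%2u %2u:%2u", &y, mon, &d, &hh, &mm) != 5) return false;
    static const char kMonths[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    const char* hit = std::strstr(kMonths, mon);
    if (!hit || (hit - kMonths) % 3 != 0) return false;
    const unsigned m = static_cast<unsigned>((hit - kMonths) / 3 + 1);
    minutes = minutes_since_epoch(static_cast<int>(y), m, d, hh, mm);
    return true;
}

// Offset (local minus UTC, in minutes) implied by each row.
std::vector<long> implied_offsets(const std::vector<std::pair<std::string, std::string>>& rows) {
    std::vector<long> offsets;
    for (const auto& row : rows) {
        long local = 0, utc = 0;
        if (!parse_local_name(row.first, local) || !parse_utc_stamp(row.second, utc))
            throw std::runtime_error("unparseable row: " + row.first);
        offsets.push_back(local - utc);
    }
    return offsets;
}

// Index of the first row whose offset differs from the previous one, or -1 if it is steady.
int first_offset_change(const std::vector<long>& offsets) {
    for (size_t i = 1; i < offsets.size(); ++i)
        if (offsets[i] != offsets[i - 1]) return static_cast<int>(i);
    return -1;
}

int main() {
    const std::vector<long> offsets = implied_offsets(kSamples);
    for (size_t i = 0; i < kSamples.size(); ++i)
        std::printf("%s  offset UTC%+ld:%02ld\n", kSamples[i].first.c_str(),
                    offsets[i] / 60, std::labs(offsets[i]) % 60);
    const int change = first_offset_change(offsets);
    if (change >= 0)
        std::printf("offset changes at %s: the local clock moved here (DST switch, manual change or tampering)\n",
                    kSamples[change].first.c_str());
    return 0;
}
```

On the sample rows the offset is -360 minutes (UTC-6) for the 01:58 and 01:59 files and -300 (UTC-5) from the 03:00 file on, so the change is flagged at file03092014-03_00_AM.txt. Run over a whole day's listing, a change that does not coincide with the rule decoded from TimeZoneInformation is the signal worth chasing: either the zone setting or the clock was altered.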

1 comment:

  1. To monitor "fall back" schedule the following task and post your findings here.
    c:\>schtasks /create /TN daylight_change /SC MINUTE /MO 1 /TR c:\monitor.bat /sd 11/01/2014 /ED 11/02/2014 /ST 23:00 /ET 04:00
