
Let's talk a little about this class before we get started.
These are just a few simple things you can do to create a beneficial training environment for yourself.
In this section you will be introduced to Apple File System time values and Apple Metadata Time values. It is important to understand the difference in order to explain findings.
It is always a good idea to see things from a user's point-of-view. It is important to understand what a user sees and does not see natively on a Mac. This may come into play later during artifact time interpretation. Let's take a closer look now.
Next up Apple Timestamps and how to pull out the values using the Terminal. I use this a lot day to day and I'm sure you will find it useful not only for time values but as a method to access the different types of metadata associated with a file.
Latency may be a problem. We are going to be experimenting with files which means OS X is going to have to keep updating the metadata on our test files. This section is a brief discussion on the latency issues you should be aware of.
This is our first date and time validation test. To get a baseline we will create a new file and look at its time properties.
Steps:
1. Open Textedit.app
2. Create a new RTF document and add some text
3. Save it to your Desktop
4. Open Terminal.app and run MDLS against it
5. Examine the file's time properties and note the values in your worksheet
Our next validation test will explore the changes that are made when a file is edited.
Steps:
1. Edit the test file by adding text to it using Textedit.app
2. Save the file and close it
3. Open Terminal.app and run MDLS against it
4. Examine the file's time properties and note the values in your worksheet; note the differences between this file's time properties and those of the new file we created
In this test we are simply going to access our test file.
1. Open the test file using Textedit.app
2. Do not make any changes, just close it
3. Open Terminal.app and run MDLS against it
4. Examine the file's time properties and note the values in your worksheet; note which time properties have changed and their new values
In this exercise we will move the file to a different location on the same volume and see the results.
1. Create a new folder on your Desktop
2. Drag and drop the test file into the new folder
3. Open Terminal.app and run MDLS against it
4. Examine the file's time properties and note the values in your worksheet
In this exercise we will move the file to a different location on a DIFFERENT volume and see the results.
1. Create a new folder on an HFS-formatted USB drive
2. Drag and drop the test file into the new folder
3. Open Terminal.app and run MDLS against it
4. Examine the file's time properties and note the values in your worksheet
How downloading a file affects date and time stamps is often a topic in a computer forensic exam. Let's see what happens with this in OS X.
1. Download a larger file such as the Paladin ISO image available at Sumuri.com (this way you get the added benefit of a free computer forensic tool as part of the test)
2. Note the time the file download begins and ends
3. Open Terminal.app and run MDLS against it
4. Examine the file's time properties and note the values in your worksheet
Ah yes, file deletion. If I only had a bitcoin for every time I was asked if I could tell when a file was deleted...
Since this topic comes up a lot let's do a validation test to see what time artifacts we get on OS X.
1. Delete the test file from the folder on your Desktop by dragging it to the Trash
2. Open your Trash folder
3. Open Terminal.app and run MDLS against it
4. Examine the file's time properties and note the values in your worksheet
Understanding OS X dates and times and knowing how to interpret them through validation testing will definitely aid you when conducting Mac exams. Are you ready for the next step? Timelines! This is where it should ultimately lead you. The following are just my thoughts on how to bring your Mac exams to the next level by incorporating both time artifact analysis and building timelines.
I hope you enjoyed the class and feel more confident in dealing with OS X times. Here are some remaining thoughts I have about the topic and Mac exams.
Check out other classes at http://sumuri.com/training/surviving-digital-forensics/
Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.
Check out our Blog at http://sumuri.com/about/news/
Check out our Youtube channel https://www.youtube.com/user/SumuriNews
Welcome to the Surviving Digital Forensics series. This class is focused on helping you get a better understanding of OS X Time Stamps and to become a better Mac examiner.
As with previous SDF classes you will learn by doing. The class begins with a brief overview of OS X time - as Apple sees it - then we will get into a number of validation exercises to see how user activity really affects Apple time stamps. Learning is hands on and we will use applications already installed on your Mac to do so.
Expert and novice Mac examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply to all versions of OS X. Therefore you are not just going to learn about OS X timestamps but learn a method you can use to answer many date and time questions that may come up in the future.
Class Outline
1. Introduction and Welcome to the SDF series
2. What this class is all about
3. How to get the most out of this class
4. The finer points of OS X dates and times
5. Time from a User's point-of-view
6. Apple metadata timestamps & the MDLS command
7. Latency issues
8. Validation Exercise: New file
9. Validation Exercise: Modified file
10. Validation Exercise: Moving file within same volume
11. Validation Exercise: Moving file to a different volume
12. Validation Exercise: Accessing a file
13. Validation Exercise: Downloading a file
14. Validation Exercise: Deleting a file
15. Summary of findings
16. Thoughts on time attribute artifacts
17. Conclusion & final thoughts