Surviving Digital Forensics: Understanding OS X Time Stamps

Build core computer forensic skills and learn how to interpret & validate Mac OS X dates & times
  • Lectures 18
  • Contents Video: 1 hour
    Other: 0 mins
  • Skill Level All Levels
  • Languages English
About This Course

Published 10/2014 English

Course Description

Welcome to the Surviving Digital Forensics series. This class is focused on helping you get a better understanding of OS X Time Stamps and to become a better Mac examiner.

As with previous SDF classes you will learn by doing. The class begins with a brief overview of OS X time - as Apple sees it - then we will get into a number of validation exercises to see how user activity really affects Apple time stamps. Learning is hands on and we will use applications already installed on your Mac to do so.

Expert and novice Mac examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply to all versions of OS X. Therefore you are not just going to learn about OS X timestamps but learn a method you can use to answer many date and time questions that may come up in the future.

Class Outline

1. Introduction and Welcome to the SDF series

2. What this class is all about

3. How to get the most of this class

4. The finer points of OS X dates and times

5. Time from a User's point-of-view

6. Apple metadata timestamps & the MDLS command

7. Latency issues

8. Validation Exercise: New file

9. Validation Exercise: Modified file

10. Validation Exercise: Moving file within same volume

11. Validation Exercise: Moving file to a different volume

12. Validation Exercise: Accessing a file

13. Validation Exercise: Downloading a file

14. Validation Exercise: Deleting a file

15. Summary of findings

16. Thoughts on time attribute artifacts

17. Conclusion & final thoughts

What are the requirements?

  • Mac computer
  • USB Flash Drive

What am I going to get from this course?

  • Students will learn about OS X timestamps as Apple defines them
  • Students will learn how OS X timestamps really behave by doing a number of instructor-led validation exercises that address the effects of common user activity
  • Students will learn how to use the Terminal.app in order to find OS X date & time attributes
  • Students will learn a validation methodology which may be applied to answer future date and time attribute questions
  • Students will learn a validation methodology which may be applied to different versions of OS X

What is the target audience?

  • Computer forensic analysts
  • IT Professionals
  • Students


Curriculum

Section 1: Introduction
Welcome to the SDF Series
05:07
01:06

Let's talk a little about this class before we get started.

01:42

These are just a few simple things you can do to create a beneficial training environment for yourself.

Section 2: Understanding OS X Time Stamps
03:40

In this section you will be introduced to Apple File System time values and Apple Metadata Time values. It is important to understand the difference in order to explain findings.

01:00

It is always a good idea to see things from a user's point-of-view. It is important to understand what a user sees and does not see natively on a Mac. This may come into play later during artifact time interpretation. Let's take a closer look now.

04:06

Next up Apple Timestamps and how to pull out the values using the Terminal. I use this a lot day to day and I'm sure you will find it useful not only for time values but as a method to access the different types of metadata associated with a file.

Section 3: Learning How to Test & Validate OS X Time Stamps
01:33

Latency may be a problem. We are going to be experimenting with files which means OS X is going to have to keep updating the metadata on our test files. This section is a brief discussion on the latency issues you should be aware of.

06:41

This is our first date and time validation test. To get a base line we will create a new file and look at the time properties.

Steps:

1. Open Textedit.app

2. Create a new RTF document and add some text

3. Save it to your Desktop

4. Open Terminal.app and run MDLS against it

5. Examine the file's time properties and note the values in your worksheet

03:50

Our next validation test will explore the changes that are made when a file is edited.

Steps:

1. Edit the test file by adding text to it using Textedit.app

2. Save the file and close it

3. Open Terminal.app and run MDLS against it

4. Examine the file's time properties and note the values in your worksheet. Note the differences between this file's time properties and the file properties of the new file we created

03:38

In this test we are simply going to access our test file.

1. Open the test file using Textedit.app

2. Do not make any changes, just close it

3. Open Terminal.app and run MDLS against it

4. Examine the file's time properties and note the values in your worksheet. Note which time properties have changed and the new values

02:13

In this exercise we will move the file to a different location on the same volume and see the results.

1. Create a new folder on your Desktop

2. Drag and drop the test file into the new folder

3. Open Terminal.app and run MDLS against it

4. Examine the file's time properties and note the values in your worksheet

06:17

In this exercise we will move the file to a different location on a DIFFERENT volume and see the results.

1. Create a new folder on an HFS-formatted USB drive

2. Drag and drop the test file into the new folder

3. Open Terminal.app and run MDLS against it

4. Examine the file's time properties and note the values in your worksheet

10:47

How downloading a file affects date and time stamps is often a topic in a computer forensic exam. Let's see what happens with this in OS X.

1. Download a larger file such as the Paladin ISO image available at Sumuri.com (this way you get the added benefit of a free computer forensic tool as part of the test)

2. Note the time the file download begins and ends

3. Open Terminal.app and run MDLS against it

4. Examine the file's time properties and note the values in your worksheet

02:00

Ah yes, file deletion. If I only had a bitcoin for every time I was asked if I could tell when a file was deleted...

Since this topic comes up a lot let's do a validation test to see what time artifacts we get on OS X.

1. Delete the test file from the folder on your Desktop by dragging it to the Trash

2. Open your Trash folder

3. Open Terminal.app and run MDLS against it

4. Examine the file's time properties and note the values in your worksheet
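
The worksheet comparison that every exercise above ends with can be scripted. The following is an added example, not part of the course material: it parses the date-valued lines of saved `mdls` output and reports which attributes changed between two snapshots. The two snapshots are constructed sample values, not captured output and not a course finding; the function names are hypothetical.

```python
import re
from datetime import datetime

# Matches mdls lines such as: kMDItemFSCreationDate = 2014-10-01 14:02:11 +0000
DATE_LINE = re.compile(r"^\s*(kMDItem\w+)\s*=\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})\s*$")

def parse_mdls_dates(text):
    """Return {attribute: timezone-aware datetime} for every date-valued line."""
    found = {}
    for line in text.splitlines():
        m = DATE_LINE.match(line)
        if m:  # non-date attributes (names, sizes, arrays) are skipped
            found[m.group(1)] = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S %z")
    return found

def diff_snapshots(before, after):
    """Map each attribute that differs to (old, new); None marks an absent value."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes

# Constructed sample snapshots for illustration only (assumed values).
BASELINE = """\
kMDItemContentCreationDate     = 2014-10-01 14:02:11 +0000
kMDItemContentModificationDate = 2014-10-01 14:02:11 +0000
kMDItemDisplayName             = "test.rtf"
kMDItemFSContentChangeDate     = 2014-10-01 14:02:11 +0000
kMDItemFSCreationDate          = 2014-10-01 14:02:11 +0000
"""
AFTER_EDIT = """\
kMDItemContentCreationDate     = 2014-10-01 14:02:11 +0000
kMDItemContentModificationDate = 2014-10-01 14:09:40 +0000
kMDItemDisplayName             = "test.rtf"
kMDItemFSContentChangeDate     = 2014-10-01 14:09:40 +0000
kMDItemFSCreationDate          = 2014-10-01 14:02:11 +0000
kMDItemLastUsedDate            = 2014-10-01 14:09:38 +0000
"""

def report(before_text, after_text):
    """Worksheet rows: (attribute, old, new, delta in seconds or None)."""
    before, after = parse_mdls_dates(before_text), parse_mdls_dates(after_text)
    rows = []
    for key, (old, new) in diff_snapshots(before, after).items():
        delta = (new - old).total_seconds() if old and new else None
        rows.append((key, old, new, delta))
    return rows

if __name__ == "__main__": print(*report(BASELINE, AFTER_EDIT), sep="\n")
```

Save the output of each `mdls` run to a text file per exercise and feed consecutive pairs to `report`; attributes that appear or disappear between runs show up with `None` on one side.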

Summary of Findings
02:16
Section 4: Conclusion
03:07

Understanding OS X dates and times and knowing how to interpret them through validation testing will definitely aid you when conducting Mac exams. Are you ready for the next step? Timelines! This is where this should ultimately lead you. The following are just my thoughts on how to bring your Mac exams to the next level by incorporating both time artifact analysis and building timelines.

OS X Timestamps Quiz
4 questions
01:11

I hope you enjoyed the class and feel more confident in dealing with OS X times. Here are some remaining thoughts I have about the topic and Mac exams.

Check out other classes at http://sumuri.com/training/surviving-digital-forensics/

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at http://sumuri.com/about/news/

Check out our Youtube channel https://www.youtube.com/user/SumuriNews


Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
