Comment Re:Contain highly technical content :) (Score 3, Informative) 103
You have asked a question we would like more people in our industry to ask! My (this is Mark Spencer) last two articles in Digital Forensics Magazine introduced the Anchors in Relative Time analysis technique and included examples of cases in which it was applied. I'm going to try and strike a compromise in my explanation below between my technical articles and the Motherboard article:
What do you do if you need to analyze a Windows computer but already have reason not to trust any of its dates and times? One option is to identify events which have occurred in a particular order regardless of any associated dates and times. Let's take just two types of events (related to file system transactions) into consideration for now. File system transactions in the NTFS $LogFile and $UsnJrnl metafiles increment via Log Sequence Numbers (or LSNs) and Update Sequence Numbers (or USNs), respectively. It does not matter whether someone was manipulating the clock during these transactions or if someone manipulated dates and times in the $MFT (related to files and folders associated with the transactions) after the fact - the LSNs and USNs have still incremented in an orderly fashion.
So where do you go now? You can start identifying "legitimate" and "illegitimate" anchors. Windows startups and shutdowns result in a flurry of activity in the $LogFile and $UsnJrnl metafiles. You could model what those flurries look like on the computer in question and determine, in relative time and regardless of any dates and times, when Windows startups and shutdowns occurred. Once you have established Windows startup and shutdown anchors (which we have done not only on Windows boot volumes but auxiliary volumes as well), you can then start putting the more entertaining stuff into context with them.
Does this basic concept make sense? I only focused on Windows and a couple of simple event types here (some others require multiple elements in order to determine an increment), but once you understand the basic concept you can do really powerful things from there. The basic concept is not that complex, but applying it can be a major hassle... in the Odatv case, the hassle was well warranted.
On a side note, there has been enough interest in this case that I'm planning on putting a detailed case study on our website at https://arsenalexperts.com/Cas.... It also happens to be one of the few cases we're able to talk about without restrictions, so I'm motivated to drink enough coffee to get it done.
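The ordering idea described in the comment above, as an added example that is not part of the original post and is not Arsenal Consulting's code: change-journal records are sequenced by their USN alone, timestamps are then checked against that sequence to flag clock rollbacks or backdating, and bursts of activity on a constructed "startup signature" set of files are used as relative-time anchors against which other records are placed. The records, reason names, the signature file set and the burst-width constants are all constructed for illustration; a real model would be built from the specific machine under examination.

```python
"""Relative-time ordering of NTFS change-journal ($UsnJrnl) records.

Added example, not from the original comment or from Arsenal Consulting.
It models the point that USNs increase monotonically even when the system
clock or $MFT timestamps were tampered with, so records can be sequenced by
USN and timestamps evaluated against that sequence.  All data below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UsnRecord:
    usn: int             # Update Sequence Number: increments in an orderly fashion
    file_name: str
    reason: str          # simplified reason flag name (constructed)
    timestamp: datetime  # timestamp as recorded in the journal (untrusted)


# Hypothetical "startup flurry" model: file names this example treats as
# touched together at Windows startup.  Constructed, not a real signature.
STARTUP_SIGNATURE = {"pagefile.sys", "bootstat.dat", "ntuser.dat"}
SIGNATURE_MIN_HITS = 2   # distinct signature files needed to call it a startup
BURST_USN_SPAN = 64      # USN distance within which records count as one flurry


def sequence_by_usn(records):
    """Order records by USN only; the recorded timestamps play no part."""
    return sorted(records, key=lambda r: r.usn)


def find_clock_regressions(ordered):
    """Return (earlier_usn, later_usn) pairs where the timestamp moves backwards
    although the USN advanced: a sign of clock rollback or timestamp tampering."""
    return [(prev.usn, cur.usn)
            for prev, cur in zip(ordered, ordered[1:])
            if cur.timestamp < prev.timestamp]


def find_startup_anchors(ordered):
    """Scan in USN order for bursts touching enough signature files and return
    the USN at which each burst begins.  Timestamps are never consulted."""
    anchors, i, n = [], 0, len(ordered)
    while i < n:
        rec = ordered[i]
        if rec.file_name not in STARTUP_SIGNATURE:
            i += 1
            continue
        window_end = rec.usn + BURST_USN_SPAN
        hits = {r.file_name for r in ordered[i:]
                if r.usn <= window_end and r.file_name in STARTUP_SIGNATURE}
        if len(hits) >= SIGNATURE_MIN_HITS:
            anchors.append(rec.usn)
            while i < n and ordered[i].usn <= window_end:  # consume the burst
                i += 1
        else:
            i += 1
    return anchors


def place_relative_to_anchors(ordered, anchors, file_name):
    """For each record of file_name, report (usn, preceding_anchor_usn): which
    startup it followed in relative time (None if before the first anchor)."""
    placements = []
    for r in ordered:
        if r.file_name != file_name:
            continue
        preceding = [a for a in anchors if a <= r.usn]
        placements.append((r.usn, preceding[-1] if preceding else None))
    return placements


# Constructed sample journal, deliberately given out of USN order.  The second
# report.doc record carries a timestamp roughly five days earlier than its
# predecessor although its USN is higher: a planted backdating artifact.
T0 = datetime(2011, 2, 10, 8, 0, 0)


def _t(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE = [
    UsnRecord(2008, "bootstat.dat", "DATA_OVERWRITE", _t(600)),
    UsnRecord(1000, "pagefile.sys", "DATA_OVERWRITE", _t(0)),
    UsnRecord(1216, "report.doc", "DATA_EXTEND", _t(-7200)),
    UsnRecord(1016, "ntuser.dat", "DATA_EXTEND", _t(1)),
    UsnRecord(2100, "notes.txt", "FILE_CREATE", _t(610)),
    UsnRecord(1008, "bootstat.dat", "DATA_OVERWRITE", _t(0)),
    UsnRecord(2000, "pagefile.sys", "DATA_OVERWRITE", _t(600)),
    UsnRecord(1200, "report.doc", "FILE_CREATE", _t(30)),
]

if __name__ == "__main__":
    ordered = sequence_by_usn(SAMPLE)
    anchors = find_startup_anchors(ordered)
    print("startup anchors (USN):", anchors)
    print("clock regressions:", find_clock_regressions(ordered))
    for name in ("report.doc", "notes.txt"):
        print(name, "->", place_relative_to_anchors(ordered, anchors, name))
```

Running the module places both report.doc records after the first startup anchor (USN 1000) and notes.txt after the second (USN 2000), and flags the USN 1200 to 1216 step as a timestamp regression, even though, sorted by timestamp alone, the backdated record would have appeared to predate everything else on the volume.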