Saturday, June 4, 2011

Beware The BST Monster

Not too long ago I was reviewing a timeline that was created by an outside organization and I couldn’t figure out why this timeline was stating that a file was accessed an hour before the same timeline said it was downloaded and appeared on the computer in question.  As I dug into it more, I found similar issues and it became clear to me that the examiner who had prepared the timeline had been attacked by the dreaded BST monster. 

A common misconception that I have seen over the years is that London is always in Greenwich Mean Time and never moves from +0000. An examiner will set the time zone on their Windows forensic machine to the GMT time zone with London in the title and assume that the machine is working in Coordinated Universal Time (UTC).  The problem is that London (and the rest of the United Kingdom) uses British Summer Time in the summer months which is +0100. The issue is that some digital forensic tools adjust their results to match the time zone of the examination machine. This problem can manifest itself when an examiner creates what they think is a UTC timeline using many different forensic programs, but wind up with a timeline that actually part UTC and part BST. It’s also important to remember that this problem can appear in other geographical areas that use summer time zones such as Western European Summer Time and Irish Standard Time.

The way to avoid the dreaded BST monster is to make sure that your examination machine is set to true UTC time zone. In Windows 7, for example, there is an actual time zone labeled “UTC Coordinated Universal Time” that can be used. The other way to avoid this is to understand how your forensic tools report date and time data and what, if any, adjustments the make for time zone settings. Some tools will adjust their settings based on what time zone your examination machine is in and others will allow the examiner to set how time zone issues are to be handled.  This is one of the things that I really like about EnCase because it allows the examiner to easily review and modify the time zone that it is set to report its results in.

Personal Thin Clients?

I’m still hearing skepticism in the information security and digital forensics world about the future sustainability of cloud computing, but I’m not one of the skeptics.  It’s here to stay in part because of increasingly affordable and reliable  high speed wireless access and a growing number of people who are poly-device users. While it might not be the norm yet, I’m seeing an expanding number of people who have devices such as desktops, laptops, smartphones, gaming devices (console and portable), and tablets and use them frequently. If a user is accessing their documents, music, email, photos, videos and other data frequently from many different devices, there is going to be a strong draw to a system that allows users to access their data from one central source (AKA The Cloud) without having to wade through trying to keep all of the data synchronized on many devices.

Now where I am a bit of a skeptic is with Google’s Chrome OS that will be entering the market very soon. It’s not that I don’t think it is a partial vision of our technological future, but I don’t think the speed and availability of wireless networks is at a place where the average consumer is going to feel comfortable using a laptop that requires network access to do most of what it’s designed to do. The nice thing about more traditional computing devices like laptops is that you can still be reasonably productive without an active network connection.

Regardless, I still find the concept of a Chrome style OS fascinating. It used to be that discussions of thin client computing revolved primarily around its viability in enterprise level computing. However, if the Chrome OS model does become popular, it means that it would have succeeded on a broad scale in the consumer market long before it did in the enterprise market.

The Broad Threat of Chinese Cyber Espionage

I ran across an excellent article by Richard Clarke recently that was posted on the website of the Belfer Center at Harvard’s Kennedy School. Clarke explains clearly and concisely that Chinese cyber espionage is actively and aggressively targeting a broad spectrum of industries around the globe and is not just confined to targeting the United States government and its contractors. This ties in nicely with what Richard Bejtlich recently pointed out over at his blog, which is that what ultimately counts is what the Chinese think about the utility of cyberwar rather than what we think about it. They have clearly decided that aggressively waging this sort of warfare against both governments and private industry is in its national interest.

What this means is that if you are working in an industry that is of interest to the Chinese government, it is very likely that you are going to be targeted in a similar manner to what the United States government and its contractors. This means that your network could very well be another front in this ongoing cyberwar. As Clarke points out in his article, the United States government is limited in what it can do to directly protect private networks. Therefore, it is up to private information security professionals to educate themselves and their organizations and aggressively engage in defending their networks in the name of the long term health of their organizations and the country as a whole.

A silver lining in this for those of us in the private sector information security world is that that we don’t necessarily have to be directly working for the government to be making a contribution to their efforts in protecting the nation. I figure if we all do the best that we can in the private sector protecting our organizations from this threat, it not only benefits our customers and shareholders, but it causes the bad guys to expend limited resources that might otherwise be used to go after our military people.

Girl, Unallocated

So the award for my current favorite Twitter handle to date goes to Girl, Unallocated. That’s the nom de cyber for a forensic examiner who prefers to stay in the shadows for now, but you should check out her blog. It’s a nice blend of forensics and humor and has been getting quite a bit of notice recently.


  1. Nice article - I often wonder have forensic newbies in class, who don't understand why the knowledge of concepts of timezones is important for an examiner. Now I can talk about a monster. Thanks.

  2. Eric, thanks for bringing up the BST issue. It's a common confusion in the US to think that the Brit operate automatically off of UTC just because of the location. (I am quite aware of BST from a different context: a missed plane flight in the UK because I did catch that BST went into effect a few hours before.)

  3. Also thanks for the mention of China and cyber-espionage.

    The following statement is so spot on:
    "...what ultimately counts is what the Chinese think about the utility of cyberwar rather than what we think about it."

    This is also applicable to some other countries. The Russians tend to have a far broader view of security than do Americans, preferring the broader emphases upon info security (in all kinds of context) over cyber-security. This can significantly affect their views of how to probes and such.

  4. Speaking from someone on the other side of the pond, US timezones can be even more confusing!

    When you have 4 different timezones, each with seemingly different summertime changes, it can get very confusing - especially as US CSPs/ISPs will output their data in local time format.

    This can of course be key when requesting IP information, as being as little as an hour out could potentially return incorrect subscribers details.

    If someone was in any doubt as to the correct timezone on the local machine at a given time, sites such as do a reasonable job (and it's free!)