QuoSec blog

eruptions from it-sec ops

Jun 22, 2020 - 1 minute read - Presentations

Lecture: Forensics in the context of Incident Response

Here are the supporting slides for an introductory lecture on “Forensics in the context of Incident Response”, aimed at students who already have basic security knowledge. The (remote) lecture took place at the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) on 2020-06-17. QuoSec_Forensics.pdf

Jun 2, 2020 - 18 minute read - OS timestamps

Testing updates of POSIX timestamps

Our last blog post discussed how POSIX specifies the timestamp updates performed by its interfaces and utilities, and detailed the impact of common operations (for example, a file being written to shall have its M and C timestamps marked for update). This post explores the POSIX timestamp specification more deeply and demonstrates how to design and implement compliance tests. Details and implementation target Linux, OpenBSD and FreeBSD. Code and documentation can be found here: https://github.com/QuoSecGmbH/os_timestamps/

1 - Scope

We will solely look into the timestamps specified by POSIX: M (last data modification), A (last data access) and C (last file status change).
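As an added illustration of what such a compliance test looks like (this is example code written for this page, not the test suite in the QuoSec repository), the script below creates a probe file, performs three operations that POSIX specifies precisely (write(), chmod() and read()), and records which of the M, A and C timestamps actually moved after each one. The expected outcomes are the ones POSIX gives: write() marks M and C for update, chmod() marks only C, read() marks only A. The function names, the probe file name and the settle delay are choices made for this example.

```python
"""Check which POSIX timestamps (M, A, C) an operation updates.

Example code for this page; it is not taken from the os_timestamps repository.
"""
import os
import stat
import tempfile
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Kernels stamp inodes from a coarse clock, so two operations issued back to
# back can receive identical timestamps. Sleeping between "before" and the
# operation keeps a real update from being reported as "unchanged".
# Assumption: the test directory lives on a filesystem with sub-second
# timestamp resolution (ext4, xfs, btrfs, tmpfs). On 1-second filesystems
# (ext3, FAT) raise the settle time above one second.
SETTLE_SECONDS = 0.1

# Required and permitted updates per POSIX. read() is allowed, but not
# required, to update A because Linux mounts commonly use noatime/relatime,
# and POSIX only says the update "may" be deferred, not that it must happen
# at this exact point.
EXPECTED: Dict[str, Tuple[Set[str], Set[str]]] = {
    "write": ({"M", "C"}, {"M", "C"}),  # (required, allowed)
    "chmod": ({"C"}, {"C"}),
    "read": (set(), {"A"}),
}


def mac(path: str) -> Tuple[int, int, int]:
    """Return (M, A, C) in nanoseconds as reported by stat()."""
    st = os.stat(path)
    return (st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns)


def changed(before: Tuple[int, int, int], after: Tuple[int, int, int]) -> Set[str]:
    """Letters of the timestamps whose value differs between two stat() calls."""
    return {name for name, b, a in zip("MAC", before, after) if b != a}


def observe(path: str, op: Callable[[str], None], settle: float) -> Set[str]:
    """Record the timestamps, wait, apply op, and report what moved."""
    before = mac(path)
    time.sleep(settle)
    op(path)
    return changed(before, mac(path))


def do_write(path: str) -> None:
    with open(path, "ab") as fh:      # write(): M and C shall be updated
        fh.write(b"appended line\n")


def do_chmod(path: str) -> None:
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode ^ stat.S_IXUSR)   # flip one bit: chmod(): C shall be updated


def do_read(path: str) -> None:
    with open(path, "rb") as fh:      # read(): A shall be marked for update
        fh.read()


def run_checks(directory: Optional[str] = None, settle: float = SETTLE_SECONDS) -> Dict[str, Set[str]]:
    """Create a probe file and return {operation: set of timestamps that changed}."""
    directory = directory or tempfile.mkdtemp(prefix="posix_mac_")
    path = os.path.join(directory, "probe")   # constructed probe file
    with open(path, "wb") as fh:
        fh.write(b"initial contents\n")
    return {
        "write": observe(path, do_write, settle),
        "chmod": observe(path, do_chmod, settle),
        "read": observe(path, do_read, settle),
    }


def verdicts(results: Dict[str, Set[str]]) -> Dict[str, bool]:
    """True for each operation whose observed updates sit between required and allowed."""
    return {op: EXPECTED[op][0] <= got <= EXPECTED[op][1] for op, got in results.items()}


if __name__ == "__main__":
    observed = run_checks()
    for op, ok in verdicts(observed).items():
        print(f"{op:6s} updated={''.join(sorted(observed[op])) or '-':3s} compliant={ok}")
```

Run it on each target system and mount type you care about; a "read" line showing no update on a noatime mount is a mount option at work, not a kernel deviation, whereas a write() that leaves C untouched would be a genuine finding worth investigating.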

Dec 3, 2019 - 14 minute read - OS timestamps

MAC(B) Timestamps across POSIX implementations (Linux, OpenBSD, FreeBSD)

This blog post was first published in December 2019 on behalf of QuoScient on medium.com. File timestamps are crucial forensic artifacts when investigating a machine during a security incident: they are regularly modified and can provide both primitive information (when the file was last modified) and inferred information (when the file was probably moved there from another file system). The “Windows Time Rules” from SANS [1] is an excellent resource on which MACB timestamp is updated by each common operation (file creation, file copy…) on Windows, and it had no equivalent in the Unix world.