Time is an important aspect of Network Security Monitoring. If you don't pay close attention to the time shown in your evidence, and recognize what it means, it's possible you could misinterpret the values you see.
My students and I encountered this issue in TCP/IP Weapons School at Black Hat this week. Let's look at the first ICMP packet in one of our labs.
I'm going to show the output using the Hd tool and then identify and decode the field that depicts time.
In the following output, 2d 0c 65 49 occupies the part of the packet where Libpcap has added a timestamp.
Hd output:
$ hd icmp.sample.pcap
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 ea 05 00 00 01 00 00 00 2d 0c 65 49 5f bf 0c 00 |........-.eI_...|
00000020 4a 00 00 00 4a 00 00 00 00 0c 29 82 11 33 00 50 |J...J.....)..3.P|
00000030 56 c0 00 01 08 00 45 00 00 3c 02 77 00 00 80 01 |V.....E..<.w....|
00000040 ea f1 c0 a8 e6 01 c0 a8 e6 05 08 00 43 5c 07 00 |............C\..|
00000050 03 00 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e |..abcdefghijklmn|
00000060 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 |opqrstuvwabcdefg|
00000070 68 69 |hi|
00000072
Tpo convert 2d 0c 65 49 to a time, we have to swap the bytes, so becomes 0x49650c2d, or 1231359021 in decimal. 1231359021 is a Unix timestamp that we can convert with the -r option found in the FreeBSD version of the date command.
First let me show the date on this system so you can see the timezone of the FreeBSD system, and then I'll convert the seconds into a human readable time.
$ date
Wed Jul 28 00:11:23 EDT 2010
$ date -r 1231359021
Wed Jan 7 15:10:21 EST 2009
So, this ICMP packet has a timestamp of Wed Jan 7 15:10:21 EST 2009. Note that the date command produces a time in EST and not EDT. 15:10:21 EST becomes 16:10:21 EDT. I would have preferred seeing the date output show EDT since that is the time zone on the system in question, but I can understand the output. That seems simple enough, right?
Let's see what Tcpdump says about this packet. First I run the date command to remind us where we are running Tcpdump.
FreeBSD Tcpdump:
$ date
Wed Jul 28 00:11:23 EDT 2010
$ tcpdump -h
tcpdump version 3.9.8
libpcap version 0.9.8
$ tcpdump -n -tttt -r icmp.sample.pcap
2009-01-07 16:10:21.835423 IP 192.168.230.1 > 192.168.230.5:
ICMP echo request, id 1792, seq 768, length 40
As we expected, this packet has a timestamp of 16:10:21 (ignore the fractions of a second), and since the time zone is EDT it matches what we expect.
Let's see what a tool like Tshark says.
FreeBSD Tshark:
$ tshark -v
TShark 1.0.7
...edited...
Compiled with GLib 1.2.10, with libpcap 0.9.8, with libz 1.2.3, without POSIX
capabilities, without libpcre, without SMI, without ADNS, without Lua, without
GnuTLS, without Gcrypt, with Heimdal Kerberos.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.
Running on FreeBSD 7.2-RELEASE-p7, with libpcap version 0.9.8.
Built using gcc 4.2.1 20070719 [FreeBSD].
$ tshark -n -t ad -r icmp.sample.pcap
1 2009-01-07 15:10:21.835423 192.168.230.1 -> 192.168.230.5
ICMP Echo (ping) request
What? Why does it show 15:10:21? That's the result for EST, not EDT, which is the time zone of the FreeBSD system.
Let's see if a Linux system in EDT behaves the same way.
$ date
Wed Jul 28 00:44:54 EDT 2010
$ tcpdump -V
tcpdump version 4.0.0
libpcap version 1.0.0
$ tcpdump -n -tttt -r icmp.sample.pcap
2009-01-07 16:10:21.835423 IP 192.168.230.1 > 192.168.230.5:
ICMP echo request, id 1792, seq 768, length 40
$ tshark -v
TShark 1.2.7
...edited...
Compiled with GLib 2.24.0, with libpcap 1.0.0, with libz 1.2.3.3, with POSIX
capabilities (Linux), with libpcre 7.8, with SMI 0.4.8, with c-ares 1.7.0, with
Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with MIT Kerberos, with GeoIP.
Running on Linux 2.6.32-23-generic, with libpcap version 1.0.0, GnuTLS 2.8.5,
Gcrypt 1.4.4.
Built using gcc 4.4.3.
$ tshark -n -t ad -r icmp.sample.pcap
1 2009-01-07 15:10:21.835423 192.168.230.1 192.168.230.5
ICMP Echo (ping) request
Again, we see Tcpdump correctly honor the local time zone (EDT) and display the timestamp as 16:10:21, whereas Tshark shows the timestamp as EST or 15:10:21.
I am really disappointed by this Tshark behavior. Incidentally, you get the same results from any tool in the Wireshark suite, such as Wireshark itself, capinfos, etc.
Does anyone know why Tshark and the like don't really honor the local time zone, and instead use Standard Time instead of recognizing Daylight Savings Time?
Amazon.com just published by two star review of Digital Forensics for Network, Internet, and Cloud Computing by Terrence V. Lillard and company. From the review:
Amazon.com just published my three star review of Virtualization and Forensics by Dianne Barrett and Gregory Kipper. From the review:
Amazon.com just published my two star review of Digital Triage Forensics: Processing the Digital Crime Scene by Stephen Pearson and Richard Watson. From the review:
It's clear to me that Dell needs a Product Security Incident Response Team, or PSIRT. Their response to the malware shipping with R410 replacement motherboards is not what I would like to see from a company of their size and stature.
Amazon.com just posted my three star review of The Watchman by Jonathan Littman. From the review:
Amazon.com just posted my four star review of The Fugitive Game by Jonathan Littman. From the review:
Amazon.com just posted my four star review of At Large by David H. Freedman and Charles C. Mann. From the review:
Amazon.com just posted my five star review of The Cuckoo's Egg by Cliff Stoll. From the review:
Amazon.com just posted my four star review of Code Version 2.0 by Lawrence Lessig. From the review:
Amazon.com just posted my four star review of Crypto by Steven Levy. From the review:
Amazon.com just posted my two star review of The Illusion of Due Diligence by Jeffrey Bardin. From the review:
If you've read the blog for a while you know I promote threat-centric security in addition to vulnerability-centric security. I think both approaches are needed, but I find a lot of security shops ignore threat-centric approaches. But in this brief post I'd like to talk about one skill you're likely to need in a threat-centric team.
Last month I attended my first Workshop on the Economics of Information Security (WEIS 2010) at Harvard. It was cool to visit and it reminded me that I probably spent too much time playing ice hockey and learning martial arts during graduate school, and not enough time taking advantage of the "Hah-vahd experience." Oh well, as Mr Shaw said, "Youth is wasted on the young."
Last week I spoke at the third SANS WhatWorks Summit in Forensics and Incident Response in DC, organized and led by Rob Lee. As usual, Rob did a wonderful job bringing together interesting speakers and timely topics. I thought my presentation on "CIRT-level Response to Advanced Persistent Threat" went well and I enjoyed participating on the "APT Panel Discussion." 
Finally, I'd like to remind everyone that I will begin planning my second SANS WhatWorks in Incident Detection and Log Management Summit, which will be held again in DC, on 8-9 December 2010. If you liked last year's Summit, you will love this new one. I'll have more to say as we get closer to registration.
I know some of us worry that the advent of the "cloud" will spell the end of Network Security Monitoring and related network-centric visibility and instrumentation measures. I have a proposal for any network forensics vendors reading this blog: get in the cloud! 
I know some of you pay attention to what Gartner says, or more probably, your management does. I found this new report How to Build a Computer Security Incident Response Team by Jeffrey Wheatman, Rob McMillan, and Andrew Walls helpful if you need external validation from a source your management is likely to recognize. You need a Gartner account to breach the paywall.
My article Understanding the Advanced Persistent Threat provides an overview of APT. It's the cover story in the July 2010 Information Security Magazine. From the article:
Everyone's been talking about cyberwar this week, thanks in part to the Economist coverage. Many of the comments on my posts and elsewhere discuss the need for definitions. 
I'd like to briefly comment on a few ideas that appeared on lists I read.
Today the Ponemon Institute announced results of a survey they conducted titled Growing Risk of Advanced Threats: Study of IT Practitioners in the United States. Unfortunately, this survey looks like it is mainly the blind asking the blind to describe a threat neither really understands. For example, the survey states:
Does anyone remember this story from April 2009?
Bruce Lee, and before him Tsukahara Bokuden understood that "fighting without fighting" is the highest form of war. 
Volume 13 Number 1 of the Cisco IP Journal features a fascinating DNS troubleshooting article titled "Rolling Over DNSSEC Keys" by George Michaelson, APNIC, Patrick Wallstrõm, .SE, Roy Arends, Nominet, and Geoff Huston, APNIC. It's one of the best articles I've ever read in IPJ. You should subscribe (it's free) if you like this blog.
The article explains what happens next. 
Volume 13 Issue 2 of IATAC's IA Newsletter features an article titled Apples and Oranges: Operating and Defending the Global Information Grid by Dr Robert F Mills, Maj Michael Birdwell, and Maj Kevin Beeker. The article nicely argues for refocusing DoD's "NETOPS" and "CND" missions, where the former is defined currently as
At the FIRST conference last month, Dave Aitel said something to the effect that DEP and ASLR are the only two noteworthy technologies produced by Microsoft since starting their security initiative. Forgive me Dave if I messed that up, and feel free to respond! 
