by Oleg Skulkin & Igor Mikhaylov
Recently we received a good question from one of our DFIR mates: “How can one detect backdating of the system clock forensicating macOS?”. This is a really good question, at least for us, so we decided to research it. If we are talking about Windows system clock backdating there are a lot of information to help, for example, this SANS white paper by Xiaoxi Fan, but there is nothing about macOS.
Let’s start from macOS timestamps as they are very interesting and have a lot of evidentiary value. Let’s start from running mdls command on a sample file:
We must note that it’s not a simple file, it’s a Microsoft Word file, so it has even more timestamps than a regular file. If you start from the top of the figure, you may have noticed doc/docx-typical timestamps: content creation (kMDItemContentCreationDate and kMDItemContentCreationDate_Ranking
View original post 772 more words