Mac Forensics – Did he roll the clock back?

A week ago I was contacted by a gentleman on a Mac forensics issue. Here is the scenario. His son is a college student in a liberal arts degree. The student is not particularly tech savvy. He had an A average in class participation and a B average for work to date in the class. The student had a paper to turn in, wrote it, attached it and emailed it to his professor. The grade that came back was an F for an incomplete paper. He had accidentally attached a previous version to the email for turn-in. Upon telling the instructor, the accusation was made that he rolled back the clock on his laptop to make the finished paper. The father wants to prove his son did not roll back the clock. The school is supposedly open to review of the grade if proof can be presented.

Here is what I put together for the father.  It is a pair of automator actions.  Read on to see what I did.

We use two pieces of inode information: the inode number itself and the inode birth (creation) date. Inode numbers are handed out sequentially for that particular file system installation, meaning per logical volume. So no matter what the system clock is set to, the inode numbers of newly created files will only increase. If the clock were rolled back, we would have a creation date-time out of sequence compared to the inode number sequence within the file system. The question is how to make a tool the father can use to make his case to the school without him needing detailed system knowledge.

*UPDATE NOTE* If you are using these on OSX Tiger, change the %SB to %Sc on the stat lines.

(Download the Automators Here)

Automator One:

We make an Automator application that simply pulls the inode number, inode birth date and filename and puts them into a new text document. Then the father can just double-click the Automator application, browse to the two versions of the paper files and save the details.

You can see the Automator workflow below. We use the stat command with a custom output format to print the inode number, inode birth date and filename, followed by an awk statement to format it so it reads nicely as it goes into the new text document.

[Screenshot: 1-DetermineFileDetails]

Automator Two:

This Automator is a workflow instead of an application, for one good reason: we leverage Spotlight searching within Automator to find all the files with a creation date of the desired date. I did not find a way to prompt for that information, so I had to let the father edit that one step of the workflow before running it. All those file paths get passed as an argument list to a stat command loop. We use the same custom format as in Automator One except we add commas to make it comma-delimited output. That output we send through the sort command to get all the entries in order of inode number. Lastly, that sorted output goes straight into a CSV file on the desktop that we can open and browse in our preferred spreadsheet: Numbers, Excel, whatever. Now we just look for the two paper files' inode numbers and compare them to the files before and after them. If the files were in fact created on the date the student asserts, both the inode number and the date-time should be in sequence relative to the files around them.

[Screenshot: 2-DetermineFileCreationOrder]
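The same inode-versus-birth-time check, written out as a plain shell script rather than an Automator workflow, as an added example that is not part of the original post or its downloadable automators. The collection function uses BSD stat(1) as the post does, but with %B (birth time as epoch seconds) instead of %SB so that the times can be compared numerically; the analysis function is portable awk and sort and works on any list of "inode,birth_epoch,path" lines, whether they come from the Spotlight step, from find, or from the constructed sample embedded below. It generalizes the post's manual "look at the files before and after" step: every record whose birth time is earlier than that of the preceding inode number is printed as a candidate for review. The paths and timestamps in SAMPLE are constructed, not real data.

```shell
#!/bin/sh
# Emit "inode,birth_epoch,path" for each file named on the command line.
# BSD/macOS stat: %i inode number, %B birth time in epoch seconds, %N name.
# (On OSX Tiger, which lacks birth time, %c would be substituted as the post notes.)
collect_details() {
    for f in "$@"; do
        stat -f '%i,%B,%N' "$f"
    done
}

# Read "inode,birth_epoch,path" lines on stdin, order them by inode number,
# and print every record whose birth time is earlier than the birth time of
# the record with the preceding inode. A file created after the clock was
# rolled back would show up here: higher inode, but an older creation time.
# Anything printed is a candidate for manual review, not a conclusion on
# its own; the reader still compares it with its neighbours as the post does.
find_out_of_sequence() {
    sort -t, -k1,1n | awk -F, '
        NR > 1 && ($2 + 0) < (prev_time + 0) {
            printf "%s,%s,%s,previous inode %s born %s\n",
                   $1, $2, $3, prev_inode, prev_time
        }
        { prev_inode = $1; prev_time = $2 }'
}

# Constructed sample data (assumed values, not from a real volume).
# Inodes 1001-1003 have increasing birth times; inode 1004 was created
# later (highest inode) yet carries the oldest birth time.
SAMPLE='1001,1234567890,/Users/student/Documents/paper-draft.doc
1003,1234654290,/Users/student/Documents/paper-final.doc
1002,1234600000,/Users/student/Desktop/notes.txt
1004,1234500000,/Users/student/Desktop/rolled-back.txt'

# Run the check over the sample; on a real machine you would instead pipe
#   collect_details "$HOME"/Documents/* | find_out_of_sequence
printf '%s\n' "$SAMPLE" | find_out_of_sequence
```

Run on the sample, only the inode 1004 line is reported, with the inode and birth time of its predecessor appended so the jump is visible at a glance. Because inode numbers are per volume, the files compared must all live on the same logical volume, and a file copied onto the volume from elsewhere gets a fresh inode number there, which is exactly why the post's approach compares each paper against its neighbours rather than trusting any single timestamp.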

At this point I think we have given the father a decent tool to make his case. If he finds everything in sequence with no odd jump in inode number compared to date-time, then he has a strong argument, coupled with his son's academic performance to date, that the professor's accusation is likely unfounded. We can only wish him the best of luck from here.

2 Replies to “Mac Forensics – Did he roll the clock back?”

  1. Nice job... It goes to show that you should double/triple check your email and attachments before you send them off!! I am sure the student learned his lesson! Black Bag Forensics has a tool that will pull all available metadata as well, including the inode number.
