Blog Posts

Bash History file is very useful for investigation purposes.
Location: /Users/<username>/.bash_history
- Usually it stores upto last 500 Bash Command but sometimes in live response/collection - you may get little more.

It's a hidden file
It's only get created if user use Terminal App
By default - There is no timestamp but you can add one please see this post:

http://www.4n6world.com/blog/how-to-add-timestamp-to-bash-history-in-mac

Antedating

4/5/2018

Antedating: Creating a document with incorrect time stamps.
Investigation:

Analyzing the metadata of the document to get the baseline information is the first step.
Secondly, perform a comparative analysis of the metadata of all the documents under the investigation.
One might get some important information from the source machine. Analyze the event logs if it's a windows machine.
Look for the email headers if the document is shared via email.
Use basic common sense in analysis by looking and the OS and the release date of the extension.

How to antedate a document?

Use Software to change the metadata.
Changing the computer time before creating an electronic document is another method of antedating, as the metadata for the newly created electronic file will be based on the incorrect setting of the system.

Readings:
http://www.cse.scu.edu/~tschwarz/COEN252_13/Papers/antedating.pdf

Forward>>

InvesTigations & Analysis

MacOs Keychains

Bash History File

Antedating

Archives

Categories