Default System Time Zone (Linux)

Author Name
Hal Pomeranz


Artifact Name
Linux default system time zone


Operating System
Linux


Description
f you’re dealing with a live system, the time zone can be observed in
the output of the “date” command:


$ date
Sat May 28 05:07:15 PDT 2011


Look immediately after the time stamp– in this case, the system time
zone is “PDT”.


When investigating a system image, there are two places where the the
system time zone is generally recorded. The first is a configuration
file under /etc such as /etc/timezone on Ubuntu (Debian) Linux or
/etc/sysconfig/clock on Red Had Linux (and derivatives like Fedora and
CentOS). Here’s a sample /etc/sysconfig/clock file:


# The ZONE parameter is only evaluated by system-config-date.
# The timezone of the system is defined by the contents of
/etc/localtime.
ZONE=”America/Los_Angeles”
UTC=true
ARC=false


The “ZONE” parameter describes the time zone. It is common for Linux
systems to have the administrator configure their time zone by
choosing a well-known city in the given time zone. In this case,
“America/Los_Angeles” is synonymous with the US Pacific time zone, aka
PDT.


Note the comment at the top of the file. The reason the data in these
configuration files is somewhat untrustworthy is that the applications
on a Linux system generally refer to /etc/localtime for time zone
configuration information. This file need not necessarily match the
setting in the configuration files described above.


The /etc/localtime file itself is in a special binary format that’s
compiled from a text-based configuration file. If you’re doing your
investigation from a Linux system, you can use the “zdump” command to
output the current date in the time zone described by /etc/localtime:


$ zdump /etc/localtime

/etc/localtime Sat May 28 05:16:28 2011 PDT


Again, look immediately after the time stamp for the time zone name.
If you don’t have access to the zdump command for whatever reason, the
analyst can look for matching files in the system time zone directory
under /usr/share/zoneinfo. First compute the MD5 checksum of
/etc/localtime and then look for files matching this checksum under
/usr/share/zoneinfo. Here’s some sample commands for doing this with
the Linux command shell:


$ md5sum /etc/localtime
685e6cae6f7d63e690bf35b955ff4afb /etc/localtime


$ find /usr/share/zoneinfo -type f | xargs md5sum | grep
685e6cae6f7d63e690bf35b955ff4afb
685e6cae6f7d63e690bf35b955ff4afb


/usr/share/zoneinfo/posix/America/Los_Angeles
685e6cae6f7d63e690bf35b955ff4afb /usr/share/zoneinfo/posix/US/Pacific
685e6cae6f7d63e690bf35b955ff4afb


/usr/share/zoneinfo/America/Los_Angeles
685e6cae6f7d63e690bf35b955ff4afb /usr/share/zoneinfo/US/Pacific


It’s not uncommon for there to be several matching files under
/usr/share/zoneinfo. Typically these files are links to one another.


In this case the files under the “posix” directory are linked to each
other, and the other two copies are also linked to each other, but all
describe the same time zone.


File Locations
/etc/localtime
/usr/share/zoneinfo


Forensic Programs of Use
zdump
find, md5sum, grep



轉自 http://forensicartifacts.com/2011/05/default-system-time-zone-linux/

0 意見: