Re: Questions about PC clock operations



As Scott indicates, pointing your systems to one or more NTP servers is
the way to go. NTP servers get their time (either directly or
indirectly) from a stable source and use advanced algorithms to correct
for network latency and clock drift. Our experience is that NTP will,
for the most part, keep system clocks within several milliseconds of
true time, depending on the quality of your network connection.

When I've had to do forensics on a system which is not synchronized via
NTP, I look for a network event that is both logged by our sensors
(which have correct time), and by the system itself. The time
difference (strictly speaking only valid at that instant in time, and
typically with a 1 second resolution) allows determining the true
time of logged events on the system (always, of course, subject to the
possibility of tampering, and minor clock skew).


Scott Ramsdell wrote:
Ricci,

In a corporate environment you would typically deploy a Network Time
Protocol (NTP) server. The NTP server either points to an external
reference NTP server, or to its own BIOS clock if corporate policy
prevents synching to an external time source.

Then, all *nix computers and all appliances, firewalls, IDS, routers,
etc. are pointed to the NTP server. You would also specify the NTP
server as the time source in the appropriate reg key on your Windows
domain controllers. Typically, the DC running the FSMO role for PDC
Emulator is also the NTP server.

When a Windows client logs in, it checks its time against the DC, and
adjusts accordingly. You can find the exact way a Windows client
adjusts itself on the Microsoft site, I know it's there somewhere as I
had to do this years ago. The formula depends on how far out of
agreement the client is.

It is very important that all of your devices agree what time something
occurred on your network, and the NTP server is the way you do that.

Best Regards,
Scott Ramsdell




--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

Yeah, yo mama dresses you funny and you need a mouse to delete files.
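The offset-correction technique Jim describes above (find an event that both the NTP-synchronised sensor and the unsynchronised host logged, take the difference, and re-base the host's timestamps) worked through as an added example; this is not code from either poster. The sensor and host log formats, the hostnames and addresses, and the assumption that the host logs in UTC are all constructed for illustration. It goes slightly beyond the single-event case in the post: when more than one common event exists it averages the offsets and reports their spread, which is a rough indicator of the drift Jim warns about.

```python
import re
from datetime import datetime, timedelta, timezone

# --- Constructed sample logs (not real data) ---------------------------------
# Sensor log: clock is NTP-synchronised, timestamps in UTC with ms resolution.
SENSOR_LOG = """\
2004-03-10T14:02:17.412Z conn src=10.1.2.3:40211 dst=192.0.2.10:443 proto=tcp
2004-03-10T14:02:19.880Z conn src=10.1.2.3:40212 dst=192.0.2.10:443 proto=tcp
2004-03-10T14:05:03.001Z conn src=10.1.2.9:51000 dst=192.0.2.44:25 proto=tcp
"""
# Host log: unsynchronised clock, syslog style, 1 s resolution, assumed UTC.
HOST_LOG = """\
Mar 10 13:58:40 host1 sshd[1201]: Accepted password for alice from 10.1.2.7 port 50123
Mar 10 13:59:02 host1 curl[1240]: connect 192.0.2.10:443 from port 40211
Mar 10 13:59:05 host1 curl[1240]: connect 192.0.2.10:443 from port 40212
Mar 10 14:01:50 host1 sudo[1300]: alice : COMMAND=/sbin/service httpd restart
"""

# Hypothetical line formats, matched only for this example.
SENSOR_RE = re.compile(
    r"^(?P<ts>\S+) conn src=[\d.]+:(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
HOST_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
HOST_CONN_RE = re.compile(r"connect (?P<dst>[\d.]+):(?P<dport>\d+) from port (?P<sport>\d+)")

HOST_RESOLUTION = timedelta(seconds=1)  # syslog timestamps carry whole seconds only


def parse_sensor(text):
    """Return {flow_key: sensor_time}, flow_key = (dst_ip, dst_port, src_port)."""
    flows = {}
    for line in text.splitlines():
        m = SENSOR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        flows[(m["dst"], int(m["dport"]), int(m["sport"]))] = ts
    return flows


def parse_host(text, year):
    """Return [(host_time, flow_key_or_None, raw_line)].

    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = HOST_TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        c = HOST_CONN_RE.search(line)
        key = (c["dst"], int(c["dport"]), int(c["sport"])) if c else None
        events.append((ts, key, line))
    return events


def estimate_offset(sensor_flows, host_events):
    """offset = sensor_time - host_time over every flow both sides logged.

    Returns (mean_offset, spread). spread is max - min of the individual
    offsets; a large spread means the host clock drifted between anchors and
    a single offset is only valid near the anchor events."""
    deltas = [sensor_flows[key] - ts for ts, key, _ in host_events if key in sensor_flows]
    if not deltas:
        raise ValueError("no event common to sensor and host logs")
    mean = sum(deltas, timedelta()) / len(deltas)
    return mean, max(deltas) - min(deltas)


def corrected_timeline(sensor_text, host_text, year):
    """Re-base host timestamps onto the sensor's (true) clock.

    Each entry is (corrected_time, uncertainty, raw_line); uncertainty is the
    host's 1 s resolution plus the observed spread between anchors."""
    flows = parse_sensor(sensor_text)
    host = parse_host(host_text, year)
    offset, spread = estimate_offset(flows, host)
    uncertainty = HOST_RESOLUTION + spread
    return [(ts + offset, uncertainty, line) for ts, _, line in host]


if __name__ == "__main__":
    for when, unc, line in corrected_timeline(SENSOR_LOG, HOST_LOG, 2004):
        print(f"{when.isoformat()} (+/- {unc.total_seconds():.3f}s)  {line}")
```

With the constructed logs the two shared flows give offsets of 195.412 s and 194.880 s, so the host clock is about 3 min 15 s slow and the sudo entry really happened at 14:05:05 UTC, give or take about 1.5 s. The uncertainty figure is the part worth keeping in a report: the offset is exact only at the anchor instant, and it says nothing about tampering with the host log itself.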
