Python Forensics – Network Time Protocol

The most widely used time synchronization protocol is the Network Time Protocol (NTP), which has become the de facto convention for keeping clocks in step.

NTP runs over the User Datagram Protocol (UDP), which keeps the packet exchange between a client and the time source it wishes to synchronize with as short as possible; every extra moment a packet spends in transit reduces the accuracy of the result.

The characteristics of the Network Time Protocol are as follows:

  • The default server port is 123 (UDP).
  • The protocol is served by a hierarchy of publicly accessible time servers that are synchronized to reference clocks at national laboratories.
  • The NTP protocol standard is managed by the IETF. The proposed standard is RFC 5905, titled “Network Time Protocol Version 4: Protocol and Algorithm Specification” [NTP RFC].
  • Operating systems, programs, and applications use NTP to synchronize their time in an appropriate manner.

In this chapter, we’ll focus on using NTP from Python, which is made possible by the third-party ntplib library. This library does the heavy lifting of the protocol exchange, so the script only has to compare the server’s timestamp with the local system clock.

Installing the NTP Library

ntplib can be downloaded from https://pypi.python.org/pypi/ntplib/ (the package is also installable with pip as `ntplib`).

This library provides a simple interface to NTP servers, with methods that interpret the NTP protocol fields and give access to other key values, such as the leap-second indicator.

The following Python program demonstrates the use of ntplib.

import ntplib
import time

NIST = 'nist1-macon.macon.ga.us'   # public NIST time server queried by this example
ntp = ntplib.NTPClient()
ntpResponse = ntp.request(NIST)    # one NTP request/response over UDP port 123

if ntpResponse:
    now = time.time()                    # local system clock, in Unix seconds
    diff = now - ntpResponse.tx_time     # local clock minus the server's transmit timestamp
    print(diff)                          # ntpResponse.offset also gives the delay-corrected offset

The above program prints the difference, in seconds, between the local clock and the server’s transmit timestamp.

In the above program, the difference between the local clock and the NTP server’s time is calculated. Such a calculation can be helpful in forensic investigations, where the analysis of network data is fundamentally different from that of data found on a hard drive: timestamps in packets come from many clocks, and each one must be related to a trusted reference.

Knowing the difference between time zones, or obtaining an accurate reference time, helps correlate the evidence gathered and the information captured via this protocol.
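As an added example (not code from the page or from ntplib), the following parses the 48-byte NTPv4 reply header described in RFC 5905 and computes the clock offset and round-trip delay from the four on-wire timestamps, which is what ntplib does internally and what a forensic comparison of a local clock against a reference needs. The server reply is a constructed packet, not a real capture, and the field layout and the offset/delay formulas are taken from RFC 5905 section 7.3 and section 8.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_PACKET = struct.Struct("!BBbbII4s8I")  # 48-byte NTPv4 header, RFC 5905 section 7.3

def ntp_to_unix(secs, frac):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def unix_to_ntp(t):
    """Inverse of ntp_to_unix; used here only to build the constructed sample packet."""
    secs = int(t)
    return secs + NTP_EPOCH_OFFSET, int(round((t - secs) * 2**32))

def parse_ntp_packet(data):
    """Parse an NTP server reply header into the fields a clock comparison needs.
    Raises ValueError on a truncated packet instead of unpacking garbage."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("NTP packet must be at least %d bytes" % NTP_PACKET.size)
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_s, ref_f, orig_s, orig_f, recv_s, recv_f, tx_s, tx_f) = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 0x7, "mode": flags & 0x7,
        "stratum": stratum, "ref_id": ref_id,
        "ref_time": ntp_to_unix(ref_s, ref_f), "orig_time": ntp_to_unix(orig_s, orig_f),
        "recv_time": ntp_to_unix(recv_s, recv_f), "tx_time": ntp_to_unix(tx_s, tx_f),
    }

def clock_offset(reply, dest_time):
    """RFC 5905 on-wire offset and delay: T1 = orig, T2 = recv, T3 = tx, T4 = dest (client arrival).
    Unlike the page's now - tx_time, this cancels the network delay out of the offset."""
    t1, t2, t3 = reply["orig_time"], reply["recv_time"], reply["tx_time"]
    offset = ((t2 - t1) + (t3 - dest_time)) / 2
    delay = (dest_time - t1) - (t3 - t2)
    return offset, delay

# Constructed server reply (not a real capture): client sent at T1, one-way delay 1/16 s,
# server clock 2 s ahead of the client, server took 1/128 s to answer.
T1 = 1_700_000_000.0
T4 = T1 + 0.0625 + 0.0078125 + 0.0625
SAMPLE_REPLY = NTP_PACKET.pack(
    (0 << 6) | (4 << 3) | 4,  # LI=0, VN=4, mode=4 (server)
    2, 6, -20, 0, 0, b"GPS\x00",
    *unix_to_ntp(T1 + 2.0), *unix_to_ntp(T1), *unix_to_ntp(T1 + 2.0625), *unix_to_ntp(T1 + 2.0703125))

if __name__ == "__main__":
    reply = parse_ntp_packet(SAMPLE_REPLY)
    print(reply["mode"], reply["stratum"], clock_offset(reply, T4))  # → 4 2 (2.0, 0.125)
```

With the sample values the naive `now - tx_time` from the page would report 1.9375 s, while the four-timestamp formula recovers the true 2.0 s server lead and a 0.125 s round trip.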
