NTP Server & Time Synchronization Logs

Network, System Configuration, SIEM / Log Aggregator

Location

NTP server logs (/var/log/ntpd.log, chronyd logs, Windows W32Time event logs)

Description

Network Time Protocol server and client logs recording time synchronization events, stratum changes, peer status, clock drift corrections, and authentication failures between NTP clients and servers.

Forensic Value

NTP logs validate the accuracy of timestamps across all other forensic artifacts. Clock drift records help determine if system times were accurate during the investigation period. NTP authentication failures may indicate time-based attacks or unauthorized NTP sources. Sudden time changes in NTP logs can indicate attacker attempts to manipulate system clocks to undermine forensic timelines or bypass time-based security controls like Kerberos ticket validation.

Tools Required

ntpq, chronyc, journalctl, grep, SIEM (Splunk, Elastic)

Collection Commands

ntpq

ntpq -p -w > ntp_peers.txt && ntpstat >> ntp_peers.txt && ntpq -c rl >> ntp_peers.txt

chronyc

chronyc tracking > chrony_status.txt && chronyc sources -v >> chrony_status.txt && chronyc activity >> chrony_status.txt

journalctl

journalctl -u chronyd --since "7 days ago" --no-pager > ntp_journal.txt && journalctl -u systemd-timesyncd --since "7 days ago" --no-pager >> ntp_journal.txt
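As an added example (not part of this artifact entry), a small Python triage script that walks journalctl-style chronyd/ntpd output such as ntp_journal.txt and flags the two signals called out under Forensic Value: clock steps above a threshold and loss of synchronisation. The log lines are constructed samples modelled on the messages both daemons emit, and the regexes assume those message shapes.

```python
import re

# Constructed sample journal lines (not real captures), modelled on the
# messages chronyd and ntpd emit when the clock is stepped or sync is lost.
SAMPLE_LOG = """\
Mar 03 09:12:01 host1 chronyd[812]: Selected source 192.0.2.10
Mar 03 09:12:05 host1 chronyd[812]: System clock wrong by 0.000412 seconds, adjustment started
Mar 04 02:41:17 host1 chronyd[812]: System clock wrong by -3605.218774 seconds, adjustment started
Mar 04 02:41:18 host1 chronyd[812]: Can't synchronise: no selectable sources
Mar 04 03:10:44 host1 ntpd[1399]: time reset +12.517000 s
Mar 05 11:02:09 host1 ntpd[1399]: time correction of 86400 seconds exceeds sanity limit (1000); set clock manually
"""

# One regex per message shape; each captures the size of the correction in seconds.
STEP_PATTERNS = [
    re.compile(r"chronyd\[\d+\]: System clock wrong by (?P<secs>-?[\d.]+) seconds"),
    re.compile(r"ntpd\[\d+\]: time reset (?P<secs>[+-][\d.]+) s"),
    re.compile(r"ntpd\[\d+\]: time correction of (?P<secs>-?[\d.]+) seconds exceeds sanity limit"),
]
SYNC_LOSS = re.compile(r"chronyd\[\d+\]: Can't synchronise")

def find_clock_anomalies(log_text, threshold_secs=1.0):
    """Return (journal_timestamp, kind, seconds) for every line that records a
    clock step of at least threshold_secs, or a loss of synchronisation.
    Large steps mark the point after which other artifacts' timestamps need
    re-checking; sync loss marks windows where drift went uncorrected."""
    hits = []
    for line in log_text.splitlines():
        stamp = line[:15]                      # journal prefix, e.g. "Mar 04 02:41:17"
        for pat in STEP_PATTERNS:
            m = pat.search(line)
            if m:
                secs = float(m.group("secs"))
                if abs(secs) >= threshold_secs:
                    hits.append((stamp, "clock_step", secs))
                break                          # matched a step message, stop pattern loop
        else:
            if SYNC_LOSS.search(line):
                hits.append((stamp, "sync_loss", 0.0))
    return hits

if __name__ == "__main__":
    for stamp, kind, secs in find_clock_anomalies(SAMPLE_LOG):
        print(f"{stamp}  {kind:<10}  {secs:+.3f}s")
```

Run it against the real file with `find_clock_anomalies(open("ntp_journal.txt").read())`; sub-second corrections are normal slewing and are filtered out by the default threshold.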

MITRE ATT&CK Techniques

T1070.006, T1557, T1499, T1562.001