Win7 Time Changes

18 Posts
5 Users
0 Likes
1,730 Views
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Hi there, hope someone can help.

In an internal examination of a Win7 Enterprise SP1 system (Central Time, i.e. 6 hrs behind us in the UK for the period in question), I have noticed a number of system time change events in the System Event Log (ID 1); the Event Log covers 22nd to 30th May.

Some of these are not even changes e.g.
to 2014-05-30T02:16:10.251159900Z from 2014-05-30T02:16:10.251159900Z.

Some are minute changes e.g.
to 2014-05-22T08:03:41.680000000Z from 2014-05-22T08:03:41.680739900Z.

While some are (more or less) complete hours e.g.
to 2014-05-23T06:37:39.500000000Z from 2014-05-23T00:37:40.676328800Z.

While yet others are seemingly random e.g.
to 2014-05-22T23:46:50.500000000Z from 2014-05-22T14:04:15.845506900Z.

I compared against the event log on my system (same OS) which has an irregular (per day) number of ID 35 events, and all ID 1 events are minuscule changes.

So I changed the timezone on my system and observed one new ID 1 event with to and from times with exactly the same values - no new 35 events.

Then I changed the timezone back again and saw similar behaviour

Then I moved the clock back by 6 hours and got this ID 1 event
to 2014-08-20T07:58:26.000000000Z from 2014-08-20T13:58:32.541140900Z.
(am surprised by the lower number of seconds in the "to" section, but it matches the above example)

Followed immediately by this ID 1 event
to 2014-08-20T07:58:26.000000000Z from 2014-08-20T07:58:26.000000000Z.

I'm especially confused about three entries on 30th May (significant digits reduced for ease of display)
Local Time          Description
30-May-14 19:07:45  "to 2014-05-30T18:07:45.50Z from 2014-05-30T12:07:46.69Z"
30-May-14 13:04:13  "to 2014-05-30T12:04:12.50Z from 2014-05-30T08:37:57.12Z"
30-May-14 09:37:29  "to 2014-05-30T08:37:24.50Z from 2014-05-30T02:37:24.92Z"

i.e. forward by about six hours, forward by about 3.5 hours, forward by about 6 hours. And there seems to be some kind of continuity from the "to" value of one event to the "from" value of the next one.

As these events don't mirror the results of the tests I did on my own system I wonder if a BIOS change would make any difference but our systems are locked down so he can't have done this (unless he SE'd the password from IT in which case we wouldn't know about it)

There is no evidence of the datetime.cpl having been accessed so I'm wondering how one can explain these types of events?

Cheers

 
Posted : 20/08/2014 8:58 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

There is no evidence of the datetime.cpl having been accessed so I'm wondering how one can explain these types of events?

I would suggest that the event records alone are out of context; as such, what did you see happening "near" these events in a timeline of activity from that system?

 
Posted : 27/08/2014 3:40 pm
(@twjolson)
Posts: 417
Honorable Member
 

So, if datetime.cpl wasn't used, what about NTP updating? Besides the BIOS, that is the only other source of time updates that I can think of. Though, I have no idea what kinds of artifacts that will create.

 
Posted : 27/08/2014 6:13 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm a firm believer in testing hypotheses, but in this case, I'm not sure that there's enough context around what's happening to see that the testing being done applies to the situation.

 
Posted : 27/08/2014 6:54 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Sorry for the delay folks, been on 4-day chill holiday )

I would suggest that the event records alone are out of context; as such, what did you see happening "near" these events in a timeline of activity from that system?

If you mean applications access (UserAssist, Prefetch), there's nothing around that time - I mean, nothing (allowing for timezone differences).

There is a fair number (thousands or hundreds) of Security Events immediately prior to each ID 1 (mostly 5447; I'm not familiar with these, and the sheer number of them seems daunting as a brief look suggests there are many different descriptions) and some PnP events from EVTX-DriverFramework and some System events.

The timestamp on the earliest of these three time events apparently took place some hours after the last apparent application access by the user (gained from UserAssist, PreFetch and others).

 
Posted : 28/08/2014 9:28 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

If you mean applications access (UserAssist, Prefetch), there's nothing around that time - I mean, nothing (allowing for timezone differences).

I was referring to everything…there's a lot that goes on on Windows systems, even without user interaction. Some of this might help explain what's going on.

There is a fair number (thousands or hundreds) of Security Events immediately prior to each ID 1 (mostly 5447, I'm not familiar with these…

Oh, that's easy enough…

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5447

…and the sheer number of them seems daunting…

That's not a reason to discount them…they may actually be the reason for what you're seeing…

 
Posted : 28/08/2014 11:03 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

I was referring to everything…there's a lot that goes on on Windows systems, even without user interaction. Some of this might help explain what's going on.

Yes I know a lot of stuff happens (not that I know much of it) - but time changes? 3 in such a short space of time?

Way back at the start of this investigation I was looking for evidence of exfiltrated data. So I parsed a bunch of stuff using RegRipper and TZWorks tools and put the "interesting" stuff into a timeline (not using Plaso, I've tried it once and couldn't get it to work as I expected/wanted, I will return to it). Artefacts included basic system info, application usage, file access, USB installation/usage, event logs

It was in this timeline that I noticed some timestamps that I couldn't reconcile, including the ones mentioned in this thread. There are nearly 34,000 lines in the timeline (nearly 31,000 security events); most of the time change events I'm concerned with have a System Event ID 7036 happening within the same second (sometimes 2 events, one before, one after), although not all of the time change events show this. The descriptions for 7036 vary:
The Multimedia Class Scheduler service entered the stopped state.
The Application Experience service entered the stopped state.
The TCP/IP NetBIOS Helper service entered the stopped state.

That's not a reason to discount them…they may actually be the reason for what you're seeing…

Didn't say it was. However, I'm afraid my experience doesn't put me in a place of knowing what might be important and why in each event in relation to this thread (i.e. normal and abnormal), hence daunting.
I'm not sure what to make of your reply, could mean either (a) you've come across this before and are encouraging me to go look in the right place, or (b) you're just saying "they may be the reason for what you're seeing". If I knew what might be key (e.g. ChangeType = Add or Delete, or Name(s) to look out for I guess that may help.

Re NTP, there are 8 events, 1 on May 21st, 6 on May 22nd, 1 on May 23rd. In order of oldest first, IDs are 35, 37, 25, 37, 35, 37, 35, 37.
35 = The time service is now synchronizing the system time with the time source…………….
37 = The time provider NtpClient is currently receiving valid time data from……………..

The dots represent DC names and details, there are two different DCs, each "pair" of 35/37 doesn't necessarily reference the same DC

I have been told that the user was in China for at least part of the period we're discussing (although no exact details are available at the mo) but AFAIK W7 laptops don't change their timezones automatically?

PS In the midst of testing some of this stuff I've been changing my own timezone via the Date/Time Control Panel. But parsing UserAssist and PreFetch doesn't show any use of any .cpl which I'm sure used to happen?

PPS After further testing, changing timezones seems to leave events in System.evtx which record a change in time which is no change at all i.e. from and to times are exactly the same. Does this resonate with anyone else?

 
Posted : 29/08/2014 8:09 pm
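As an added example (not code from the thread or from either poster), the script below turns ID 1 "to X from Y" descriptions like those quoted in the first post into the size classes the thread discusses (null, sub-second, whole-hour, irregular), flags Service Control Manager 7036 records that share a second with a time change, and reports how long the clock ran between one event's "to" value and the next event's "from" value, the continuity noticed in the 30th May entries. The pipe-separated record layout, the Kernel-General source name and the sample lines are constructed assumptions, not the poster's data.

```python
import re
from datetime import datetime, timezone

# Constructed sample records ("recorded|source|id|description"); not real log data.
SAMPLE_LOG = """\
2014-05-30T02:16:10Z|Microsoft-Windows-Kernel-General|1|to 2014-05-30T02:16:10.2511599Z from 2014-05-30T02:16:10.2511599Z.
2014-05-22T08:03:41Z|Microsoft-Windows-Kernel-General|1|to 2014-05-22T08:03:41.6800000Z from 2014-05-22T08:03:41.6807399Z.
2014-05-30T08:37:24Z|Microsoft-Windows-Kernel-General|1|to 2014-05-30T08:37:24.5000000Z from 2014-05-30T02:37:24.9200000Z.
2014-05-30T08:37:24Z|Service Control Manager|7036|The Application Experience service entered the stopped state.
2014-05-30T12:04:12Z|Microsoft-Windows-Kernel-General|1|to 2014-05-30T12:04:12.5000000Z from 2014-05-30T08:37:57.1200000Z.
2014-05-30T18:07:45Z|Microsoft-Windows-Kernel-General|1|to 2014-05-30T18:07:45.5000000Z from 2014-05-30T12:07:46.6900000Z.
"""

TS_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z")
DESC_RE = re.compile(r"to\s+(\S+?)\s+from\s+(\S+?)\.?$")

def parse_ts(text):
    """Parse a UTC log timestamp; Windows writes 7 fractional digits, Python keeps 6."""
    m = TS_RE.fullmatch(text)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    y, mo, d, h, mi, s, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=timezone.utc)

def classify(delta_s):
    """Bucket a clock change (to - from, in seconds) the way the thread groups them."""
    secs = abs(delta_s)
    if secs == 0:
        return "null"            # from == to: what the timezone-change tests produced
    if secs < 1:
        return "sub-second"      # tiny corrections, consistent with time-service discipline
    hours = round(secs / 3600)
    if hours >= 1 and abs(secs - hours * 3600) <= 60:
        return "whole-hour"      # offset-sized jump; compare with TZ and NTP (35/37) events
    return "irregular"

def analyze(log_text):
    """One dict per ID 1 record in recorded order: size class, whether an SCM 7036
    record shares its second, and the clock run between previous 'to' and this 'from'."""
    id1, scm_seconds = [], set()
    for line in log_text.splitlines():
        recorded, source, event_id, desc = line.split("|", 3)
        rec = parse_ts(recorded).replace(microsecond=0)   # record times are second-granular
        if source == "Service Control Manager" and event_id == "7036":
            scm_seconds.add(rec)
        elif event_id == "1":
            m = DESC_RE.match(desc)
            id1.append((rec, parse_ts(m.group(1)), parse_ts(m.group(2))))
    id1.sort()
    results, prev_to = [], None
    for rec, to_ts, from_ts in id1:
        delta_s = (to_ts - from_ts).total_seconds()
        gap = None if prev_to is None else round((from_ts - prev_to).total_seconds(), 3)
        results.append({"recorded": rec.isoformat(), "delta_s": round(delta_s, 3),
                        "category": classify(delta_s),
                        "scm_7036_same_second": rec in scm_seconds,
                        "gap_from_prev_to_s": gap})   # small positive gap: events chain together
        prev_to = to_ts
    return results
```

Run against a real export, the "irregular" and "whole-hour" rows with no nearby NTP or timezone activity are the ones that still need explaining from the rest of the timeline.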
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Yes I know a lot of stuff happens (not that I know much of it) - but time changes? 3 in such a short space of time?

Developing a timeline is about providing context to what's going on.

Way back at the start of this investigation I was looking for evidence of exfiltrated data. So I parsed a bunch of stuff using RegRipper and TZWorks tools and put the "interesting" stuff into a timeline (not using Plaso, I've tried it once and couldn't get it to work as I expected/wanted, I will return to it). Artefacts included basic system info, application usage, file access, USB installation/usage, event logs

Interesting…there are a number of ways to perform data exfil, but few (if any) of them actually leave artifacts that you're going to find in an image of the system from which the data was exfil'd.

It was in this timeline that I noticed some timestamps that I couldn't reconcile, including the ones mentioned in this thread. There are nearly 34,000 lines in the timeline (nearly 31,000 security events); most of the time change events I'm concerned with have a System Event ID 7036 happening within the same second (sometimes 2 events, one before, one after), although not all of the time change events show this. The descriptions for 7036 vary:
The Multimedia Class Scheduler service entered the stopped state.
The Application Experience service entered the stopped state.
The TCP/IP NetBIOS Helper service entered the stopped state.

Apparently, this "System Event ID 7036" Event Log record you're referring to is actually an event record with source "Service Control Manager" and ID 7036. As you can see, the descriptions don't particularly vary, per se…they're Windows services being stopped. In most cases, this is pretty normal.

That's not a reason to discount them…they may actually be the reason for what you're seeing…

Didn't say it was. However, I'm afraid my experience doesn't put me in a place of knowing what might be important and why in each event in relation to this thread (i.e. normal and abnormal), hence daunting.

This is why many of us research and ask questions.

I'm not sure what to make of your reply, could mean either (a) you've come across this before and are encouraging me to go look in the right place, or (b) you're just saying "they may be the reason for what you're seeing". If I knew what might be key (e.g. ChangeType = Add or Delete, or Name(s) to look out for I guess that may help.

Well, it's mostly (b), but then again, whenever I've been interested in data exfiltration, I haven't focused on system time change events.

Re NTP, there are 8 events, 1 on May 21st, 6 on May 22nd, 1 on May 23rd. In order of oldest first, IDs are 35, 37, 25, 37, 35, 37, 35, 37.
35 = The time service is now synchronizing the system time with the time source…………….
37 = The time provider NtpClient is currently receiving valid time data from……………..

The dots represent DC names and details, there are two different DCs, each "pair" of 35/37 doesn't necessarily reference the same DC

I have been told that the user was in China for at least part of the period we're discussing (although no exact details are available at the mo) but AFAIK W7 laptops don't change their timezones automatically?

All of this is interesting, but again, it really needs context. Saying that there's 1 NTP event on May 21st doesn't really tell me anything.

 
Posted : 29/08/2014 9:30 pm
(@athulin)
Posts: 1156
Noble Member
 

Yes I know a lot of stuff happens (not that I know much of it) - but time changes? 3 in such a short space of time?

What frame of reference are you evaluating that within?

Best way to get one is often to set up a 'normal' test client, let it run for a suitable time, and then document its behaviour. In this case, where it contacts a time server, I'd add a network sniffer to pick up all communication with that server. That means one time line for communication with the time server, and one time line based on client logs.

That should answer the question of how often the time server is polled (there's a registry setting somewhere, but it doesn't seem to be active in all situations), under what circumstances the system log entries are produced (always? only sometimes?), and what typical event log entries will be produced for 'normal' communication. If I can identify those, I can filter those away as 'likely to be uninteresting', and anything that doesn't match that filter is either hitherto unobserved behaviour, or something that is not produced by default behaviour. And that's what I'd concentrate on to start with.

For example, when I check my own work station, I find that just about every NTP-change that happens in the background comes in threes, one of which is typically a NULL change, i.e. the log from/to times appear to be the same. But as this was not a controlled test – I may have changed relevant configuration – it is only suggestive.
(And to add to your PPS question, when I just modify the time zone and nothing else, I also see a single NULL time change. But as I said, I can't be sure my platform is the same as yours, so that may not provide any relevant information.)

The descriptions for 7036 vary
The Multimedia Class Scheduler service entered the stopped state.
The Application Experience service entered the stopped state.
The TCP/IP NetBIOS Helper service entered the stopped state.

That's probably because you're not looking at the most significant piece of information, namely the event source. The event ID is – as far as I know – subordinate to the event source (and should be assumed to be relevant only for a particular event source release version, unless you can prove that it is stable, for example by checking the manifest or other relevant component). If event ids are unique for multiple event sources (which seems to happen for some Windows components), that's coincidence or policy decision, not a technical requirement.

Re NTP, there are 8 events, 1 on May 21st, 6 on May 22nd, 1 on May 23rd. In order of oldest first, IDs are 35, 37, 25, 37, 35, 37, 35, 37.
35 = The time service is now synchronizing the system time with the time source…………….
37 = The time provider NtpClient is currently receiving valid time data from……………..

The dots represent DC names and details, there are two different DCs, each "pair" of 35/37 doesn't necessarily reference the same DC

If 'normal' behaviour is to get time from corporate DCs or border routers or … , a change in source is likely to indicate a change in location, or a failure or change of normal infrastructure, and possibly fallback to backup servers.

The frequency of the NTP events needs to be compared with what is normal, either for the operating system in general, or the corporate computer platform. As far as I know, no one has published any details for W7. But without that baseline to compare with, this is just data points.

I have been told that the user was in China for at least part of the period we're discussing (although no exact details are available at the mo) but AFAIK W7 laptops don't change their timezones automatically?

You're not really interested in that question, are you? You're interested in if this particular laptop does so. As far as I know, W7 doesn't, but I'm not sure just to what extent the presence of a GPS receiver or other location service (say, in browsers or browser plug-ins) may change that. Nor do I know much about platform utilities (the 'bloatware' that is preinstalled on most laptops – some do contain utilities for maintaining different types of wired or wireless connections, and sometimes allow for switching location based on static configuration - e.g. 'when I use this wireless network, I'm in Copenhagen' or '… in timezone CET' or …). Or, for that matter, what an IT department may have added or what a PowerUser may have installed himself. Technically, it could be done, but … discovering if it actually does requires knowledge of the particular platform, and the particular instance of it that you are examining. If you don't have it, ask someone who does. As this seems to be a corporate case, you're likely to have a helpdesk or IT support to refer to, and probably also a master list of what software is supposed to be installed on this particular system. That could help in narrowing things down.

 
Posted : 30/08/2014 1:18 pm
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Developing a timeline is about providing context to what's going on.

Agreed

Interesting…there are a number of ways to perform data exfil, but few (if any) of them actually leave artifacts that you're going to find in an image of the system from which the data was exfil'd.

Also interesting. Maybe I've not used the correct terminology - I'm tasked with establishing whether business data files were accessed on external media (i.e. not the internal drive). So, those sources of information are surely a reasonable place to go? Plus internet browsers? And corporate email? I don't have any of the user's external devices; one thing we try to do is tie access to specific devices and refer to them in any correspondence.

In most cases, this is pretty normal.

Thanks - would be interested in knowing where to go to find out those cases which aren't normal?

This is why many of us research and ask questions.

Which is what I'm doing here………….

I haven't focused on system time change events.

Just to recap, I just noticed some events in passing which I didn't understand, wanted to understand, ran some tests, couldn't marry up what I was seeing, did a little digging, then posted a question on here. Doesn't affect whether and what was accessed, maybe casts some doubt on when if it was possible to show a pattern of time changing.

All of this is interesting, but again, it really needs context. Saying that there's 1 NTP event on May 21st doesn't really tell me anything.

Is there no context arising from the fact that there were no NTP events on or even around 30th May which is the date I mentioned in the original post? Just asking.

I'd add a network sniffer

Sorry, that would incur the wrath of the Network group (

Best way to get one is often to set up a 'normal' test client

Best I can do in my environment just now is to monitor my own system. It seems to log an ID 37 followed about 15 seconds later by an ID 35 whenever it boots up or is re-started. Setting up a VM is on the to-do list though

If 'normal' behaviour is to get time from corporate DCs……….

Yes it is. Our DCs are prefixed with EP or WP representing East or West data centres, all in this case are WP. When our "suspect" was in China he wouldn't have had access to DCs.

In terms of your other comments Athulin, this was a power user with Admin privileges on his laptop, he needed to be able to specific software on client sites and to download updates or new versions. AFAIK there was no GPS receiver, can't tell at the mo whether he had anything in browser - he used Chrome which I'm not familiar with (standard is IE).

Thanks for all your help guys

 
Posted : 01/09/2014 1:56 pm
Page 1 / 2