Establish the accuracy of the system clock
Re: Establish the accuracy of the system clock
Posted: Wed Sep 28, 2005 2:15 am
My understanding from the question posed was, how is it possible to "establish the accuracy of the system clock". And by that I understand it to mean can times and dates be relied upon as MAC genuine. The poster stated that they were working with an image of the drive, and would deem the answer I stated in previous post as a viable method.
If suspect went onto MSN and accessed his/her Hotmail account, the time stamp is at the MSN Server. Therefore if the time stamp embedded in the HTML page in UNIX is given at say 1500, but the file creation on the suspect's drive might be 1742. The time differential would be 2.42.
It is an independent method to determine MAC times using an external time stamp.
If I've missed the plot completely, apologies to the board.
-

ASHAY - Newbie
Re: Establish the accuracy of the system clock
Posted: Wed Sep 28, 2005 5:08 am
Ashay,
No one said you "missed the plot", I was simply hoping that you'd give an explanation as to how the information you provided in your first post could be used. Thanks.
H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com
-

keydet89 - Senior Member
Re: Establish the accuracy of the system clock
Posted: Wed Sep 28, 2005 7:22 am
- Harlan, we are using FTK to examine the image.
- Ashay, I can see your methodology; I am not certain it is relevant in this case, but again not bad information to keep in mind.
I have done testing previously (Harlan, I think you may remember this) where I found a document or documents where the modified date was previous to created date. From this I was able to determine if you created a file on a system in a time zone later than the one modifying it you were able to obtain results where the modified date was earlier than the creation date.
What I was looking for here, and have got some answers to, was how, from an image, was I able to determine beyond a reasonable doubt what the time was set at on the suspect machine. With that being said, this does not mean the suspect may not have modified the date and/or time on the machine, but hopefully they may have left traces of that in the documents themselves.
Hopefully this eliminates any confusion of the original question.
Thanks All
-

techmerlin - Senior Member
Re: Establish the accuracy of the system clock
Posted: Wed Sep 28, 2005 7:45 am
While I appreciate Ashay's information, the more I think about it, the less I see it as definitive. It's clear that the base assumption of that methodology is putting trust in the validity of the mail server's system clock, and I see several issues with that.
...where I found a document or documents where the modified date was previous to created date.
Are you referring to this:
www.forensicfocus.com/...&t=449
If this is the research you're referring to, I'm wondering about the following statement:
...from this I was able to determine if you created a file on a system in a time zone later than the one modifying it you were able to obtain results where the modified date was earlier than the creation date.
That sounds definitive, whereas in the thread (above link...before sachin took the thread off topic...) it seems to be a possibility. What I mean by that is that even though your testing was thorough for that instance, it's but one possibility.
Most importantly:
...and have got some answers to was how...
Would it be possible for you to share those answers with the forum?
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com
-

keydet89 - Senior Member
Re: Establish the accuracy of the system clock
Posted: Wed Sep 28, 2005 8:06 am
Harlan, the 'answers' I was referring to were the 'replies' seen above. As for the previous testing, yes, that is one possibility, one more than I had before. I did not mention it was an end-all answer to the question, just one possibility. If you have some other possibilities, I am sure the group would benefit in hearing them.
Thanks
-

techmerlin - Senior Member
Re: Establish the accuracy of the system clock
Posted: Wed Sep 28, 2005 9:21 am
the 'answers' I was referring to were the 'replies' seen above
Sorry...from your post, that wasn't very clear. In other lists, I know that folks receive many answers offlist, so I thought that maybe that's what happened here.
... if you have some other possibilities...
Nice try. I'm researching this so that I can use it myself. I'll post what I find...I don't want to post "possibilities" - those seem to lead off-topic very quickly.
H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com
-

keydet89 - Senior Member
Re: Establish the accuracy of the system clock
Posted: Thu Sep 29, 2005 1:01 pm
- keydet89: While I appreciate Ashay's information, the more I think about it, the less I see it as definitive. It's clear that the base assumption of that methodology is putting trust in the validity of the mail server's system clock, and I see several issues with that.
I would agree with this statement if you are looking at only an MSN clock (or any one clock) as the means of validation. But, if you validate it against several clocks and are seeing the same result, I think you can safely conclude the results will give you the accuracy of the system clock.
Mail servers are a good way to go, but a lot of internet activity will give you a server clock time. Most forums will display a time on every page you visit, all forums will display a time for a post. Banking, online purchases, and a number of other pages will display a server time. Looking at these cached pages and the corresponding index.dat would give you an accurate measurement of the system time. Also pick web servers that you can validate in a live test. If you use an MSN email to try and retrieve system time, send an email through MSN and verify the time headers vs your system time vs real time and record the results to provide evidence to defend your final result.
Repeat this process for a minimum of five separate server times and verify each one and get the same result, and I think you (and a jury) can reasonably conclude that this is an accurate system time.
Jason.
-

ccutpd - Newbie
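
Added example, not part of any poster's message: a sketch of the cross-check discussed in this thread, comparing server times recovered from cached pages with the creation times of the matching cache files and requiring at least five agreeing sources. The sample values, the 30-second tolerance and the function names are constructed for illustration, and all times are assumed to be already normalised to UTC.

```python
from datetime import datetime, timezone
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (source, server time found in the cached page,
# creation time of the cache file as stamped by the examined system).
SAMPLES = [
    ("webmail", "2005-09-20 15:00:05", "2005-09-20 17:42:07"),
    ("forum-a", "2005-09-21 09:12:40", "2005-09-21 11:54:44"),
    ("bank",    "2005-09-22 18:30:00", "2005-09-22 21:12:01"),
    ("shop",    "2005-09-23 12:01:15", "2005-09-23 14:43:18"),
    ("forum-b", "2005-09-24 20:45:30", "2005-09-24 23:27:33"),
    ("news",    "2005-09-25 08:00:00", "2005-09-25 08:00:02"),  # disagrees
]

def parse_utc(text):
    """Parse a timestamp string that is assumed to be in UTC."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def offsets(samples):
    """Seconds by which the examined system's clock leads each server clock."""
    return {name: (parse_utc(local) - parse_utc(server)).total_seconds()
            for name, server, local in samples}

def assess(samples, tolerance=30, minimum=5):
    """Median offset, the sources within `tolerance` seconds of it, and the rest."""
    per_source = offsets(samples)
    centre = median(per_source.values())
    agreeing = sorted(n for n, o in per_source.items()
                      if abs(o - centre) <= tolerance)
    outliers = {n: o for n, o in per_source.items() if n not in agreeing}
    return {
        "offset_seconds": centre,
        "agreeing": agreeing,
        "outliers": outliers,
        # The offset is treated as established only with enough independent sources.
        "supported": len(agreeing) >= minimum,
    }

if __name__ == "__main__":
    result = assess(SAMPLES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A source that lands outside the tolerance is worth examining rather than discarding, since a different offset on a different day is consistent with the clock having been changed between the two visits.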
















