System Clock Help


Post Posted: Aug 15, 06 18:38

Hiya Guys / Gals,

I would be very grateful for any feedback on the following: confirming the date and time of a system clock from an imaged disk.

I have imaged the drive using ImageMasster and am working from a USB connection using FTK.

Is there a way that I can interrogate the 'registry' if that's right using FTK to determine what date and time was set and possibly if this was altered at any point?

I believe the suspect disk's OS was Windows 98 - that’s another thing, can I find out the complete spec of a system somewhere using FTK?

As you can probably guess, I’m a little inexperienced, so please be patient :)

Regards, Icon_serf  

Senior Member

Re: System Clock Help

Post Posted: Aug 15, 06 19:42

The OS version is available in the Registry... I'm not familiar enough with Win98 to give you the full path, however.

You can get TimeZoneInformation from the Registry; on 2K and above, you can check the EventLog for (a) event IDs relating to the change of system time, and (b) disparities in the times recorded based on event numbers.
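
An added example, not part of the original posts: one way to run check (b) from the reply above, by ordering event records by record number and flagging where the recorded time runs backwards. The comma-separated export format, the sample records and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample (not from a real case): "record number,time written"
# lines, as they might be exported from an event log. The format is assumed.
SAMPLE = """\
101,2006-08-10 09:15:02
102,2006-08-10 09:15:40
103,2006-08-10 09:47:11
104,2006-08-03 22:05:19
105,2006-08-03 22:06:00
106,2006-08-10 10:02:33
107,2006-08-10 10:02:35
"""

def parse(text):
    """Return [(record_number, datetime)] ordered by record number."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        num, stamp = line.split(",", 1)
        rows.append((int(num), datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")))
    return sorted(rows)

def backward_steps(rows, tolerance=timedelta(seconds=2)):
    """Pairs of consecutive records where the later record has an earlier time.

    Records are numbered in the order they were written, so time running
    backwards between two of them suggests the clock was set back in between.
    """
    return [(a_num, b_num, a_time - b_time)
            for (a_num, a_time), (b_num, b_time) in zip(rows, rows[1:])
            if a_time - b_time > tolerance]

def forward_gaps(rows, threshold=timedelta(days=1)):
    """Large forward gaps: the clock set forward, or simply the machine off."""
    return [(a_num, b_num, b_time - a_time)
            for (a_num, a_time), (b_num, b_time) in zip(rows, rows[1:])
            if b_time - a_time > threshold]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for first, second, delta in backward_steps(rows):
        print(f"records {first}->{second}: time goes back by {delta}")
    for first, second, delta in forward_gaps(rows):
        print(f"records {first}->{second}: gap of {delta} (check for shutdown)")
```

A backward step is the stronger indicator; a forward gap needs corroboration, since a powered-off machine produces the same pattern.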


Re: System Clock Help

Post Posted: Aug 17, 06 16:16

Hiya, thanks for the reply. However, where would I navigate to for the system log file and Event Viewer in Windows 98? Having a little trouble here :)

Does the system log identify what has / hasn't been changed in category - i.e. times / dates / etc?

