System Clock Help  

Hiya Guys / Gals,

I would be very grateful for any feedback on the following Confirming the date and time of a system clock from an Imaged disk.

I have imaged the drive using ImageMasster and am working from a USB connection using FTK.

Is there a way that I can interrogate the 'registry' if that's right using FTK to determine what date and time was set and possibly if this was altered at any point?

I believe the suspect disk's OS was Windows 98 - that’s another thing, can I find out the complete spec of a system somewhere using FTK?

As you can probably guess, I’m a little inexperienced, so please be patient )

Regards, Icon_serf

Posted : 15/08/2006 7:38 pm
The OS version is available in the Registry…I'm not familiar enough with Win98 to give you the full path, however.

You can get TimeZoneInformation from the Registry; on 2K and above, you can check the EventLog for (a) eventIDs relating to the change of system time, and (b) disparities in the times recorded based on event numbers.

Posted : 15/08/2006 8:42 pm
hiya thanks for the reply, however where would I navigate to the system log file, and event viewer in windows 98, having a little trouble here )

Does the system log identify what has / hasnt been changed in category - i.e. times / dates / etc?


Posted : 17/08/2006 5:16 pm