BIOS date and OS date

jfranck
(@jfranck)
New Member

When making a forensic image I also check the BIOS date. I am trying to determine if the BIOS time is a good method to determine if a system being analyzed has the current date.

If I change the time in a Windows system the BIOS date is also modified. I would like to read some explanation about how this feature is implemented and what kind of BIOS implements this feature.

The same for a Linux system.

Topic starter Posted : 21/06/2017 10:37 pm
Passmark
(@passmark)
Active Member

There are multiple clocks and timers in modern PCs.

The two main ones are,

1) The RTC (Real time clock) which is implemented in hardware and is battery backed up. It keeps time even when there is no power. When a PC is turned on the current time is read from this chip. In the very first PCs it was part of the CMOS RAM chip. But in newer PCs all the functionality is often in the 'South bridge' chip, along with many other functions.
https://en.wikipedia.org/wiki/Southbridge_(computing)

From BIOS this chip can be programmed using Interrupt 1A
https://en.wikipedia.org/wiki/BIOS_interrupt_call#Interrupt_table
(this has changed in UEFI BIOSs however).

2) The system clock. This is maintained by the operating system and is driven from an interrupt timer chip (a PIT).
http://www.osdever.net/bkerndev/Docs/pit.htm
This is set from the RTC when the machine boots.

When you update the date and time in BIOS or in the Operating system the change is propagated back into the RTC. So there should never be any significant difference between BIOS time and the O/S time.

However (at least in the past) the RTC didn't track daylight saving Time nor timezones by itself. So I'm not sure how the various O/S deal with this aspect.

Posted : 22/06/2017 12:53 pm
JimC
(@jimc)
Member

There are a handful of tools around that can backup/restore the CMOS RAM. The older tools only support the original 64-byte cases but modern systems typically have 128/256 or perhaps even more. A backup of the CMOS RAM could be a useful (if rather extreme) addition to a standard imaging procedure.

Many moons ago I was commissioned to write a DOS CMOS tool for a system builder. It was a constant effort to keep up support for new motherboards/chipsets. The legacy CMOS (64-bytes) was standardised using ports 70h/71h but each chipset vendor had their own way of doing extended CMOS. I would therefore beware of any tool that claims to support "everything" - it probably doesn't. From memory, there were at least 4 different ways of doing it.

I did write a subsequent tool for a LE customer to do CMOS in a Windows environment. This hasn't been updated for a long time (~2007) but I would be happy to dig it out if potentially useful to anyone.

Jim

www.binarymarkup.com

Posted : 22/06/2017 4:18 pm
jfranck
(@jfranck)
New Member

There are multiple clocks and timers in modern PCs.

The two main ones are,

1) The RTC (Real time clock) ……….

2) The system clock…….

When you update the date and time in BIOS or in the Operating system the change is propagated back into the RTC. So there should never be any significant difference between BIOS time and the O/S time.

However (at least in the past) the RTC didn't track daylight saving Time nor timezones by itself. So I'm not sure how the various O/S deal with this aspect.

Ok with items 1 and 2.

"When you update the date and time in BIOS or in the Operating system the change is propagated back into the RTC". This is what I have determined in several computers.

I have not found any article explaining that when updating the date and time in the Operating system the change is propagated back into the RTC.
It should be implemented via interruptions, but I would like to read any article that states that Windows and Linux always update the BIOS date or at least depending on any configuration.

Topic starter Posted : 22/06/2017 11:01 pm
Passmark
(@passmark)
Active Member

If the time was not updated, then the time would always be wrong after the machine was powered down, at least until a time sync with the internet was done. But it isn't wrong (unless the battery is dead) after power down, therefore the clock must be updated.

Posted : 23/06/2017 10:02 am
jfranck
(@jfranck)
New Member

I found an explanation for Linux (Debian) about when system time is saved to hardware clock.

Modern Debian releases (2.2 and onwards) automatically save the system time to hardware clock on proper shutdowns, and set the system clock from hardware clock when it boots up. This is done by the script /etc/init.d/hwclock.sh
https://wiki.debian.org/DateTime

I am still looking for a Windows official document explaining this for Windows.

Topic starter Posted : 26/06/2017 10:20 pm
jfranck
(@jfranck)
New Member

I found a little explanation for Windows

"During shutdown, the w32time service writes the current time back to the hardware clock, so as to preserve as much of the accuracy as possible that was garnered while w32time was running."
https://blogs.msdn.microsoft.com/w32time/2007/10/31/a-tale-of-two-clocks/

Topic starter Posted : 26/06/2017 10:38 pm
jaclaz
(@jaclaz)
Community Legend

I found a little explanation for Windows

"During shutdown, the w32time service writes the current time back to the hardware clock, so as to preserve as much of the accuracy as possible that was garnered while w32time was running."
https://blogs.msdn.microsoft.com/w32time/2007/10/31/a-tale-of-two-clocks/

And now, just to make the matter more confusing 😯 let's talk of WHAT time is used on the RTC (JFYI)
https://blogs.msdn.microsoft.com/oldnewthing/20040902-00/?p=37983

Possibly with different issues on different BIOSes
https://communities.intel.com/thread/114444

And of course
https://support.microsoft.com/en-us/help/899855/the-bios-real-time-clock-is-set-back-one-hour-after-you-deploy-a-windows-xp,-a-windows-vista,-or-a-windows-7-image-to-a-computer

Starting with Windows 7, the good MS guys gave us the possibility to make things right manually
http://crashmag.net/configuring-windows-7-support-for-utc-bios-time

It took them only some seven/eight years to be convinced of this
http://www.cl.cam.ac.uk/~mgk25/mswish/ut-rtc.html

jaclaz

Posted : 26/06/2017 11:21 pm
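
Added example, not code from any poster in this thread: a decoder for the RTC registers in a legacy 64-byte CMOS RAM dump (the 70h/71h layout mentioned above) that reports how far the RTC is from a trusted reference clock under both conventions discussed here, RTC holding UTC and RTC holding local time. The century byte at offset 0x32 is an assumption (a common but not universal location), and the dump, reference time and UTC+2 offset are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Legacy (MC146818-style) RTC registers inside the first 64 CMOS bytes.
SEC, MIN, HOUR, DAY, MONTH, YEAR, STATUS_B = 0x00, 0x02, 0x04, 0x07, 0x08, 0x09, 0x0B
CENTURY = 0x32  # assumption: common location, not guaranteed on every board

def decode_rtc(cmos):
    """Return the naive date/time stored in a CMOS RAM dump of >= 64 bytes."""
    binary = bool(cmos[STATUS_B] & 0x04)   # data mode bit: 1 = binary, 0 = BCD
    is_24h = bool(cmos[STATUS_B] & 0x02)   # 1 = 24-hour, 0 = 12-hour
    conv = (lambda b: b) if binary else (lambda b: (b >> 4) * 10 + (b & 0x0F))
    hour = conv(cmos[HOUR] & 0x7F)
    if not is_24h:                         # bit 7 of the hour byte flags PM
        hour = hour % 12 + (12 if cmos[HOUR] & 0x80 else 0)
    century = conv(cmos[CENTURY])
    if century not in (19, 20):            # unusable century byte: assume 20xx
        century = 20
    return datetime(century * 100 + conv(cmos[YEAR]), conv(cmos[MONTH]),
                    conv(cmos[DAY]), hour, conv(cmos[MIN]), conv(cmos[SEC]))

def rtc_offsets(cmos, reference_utc, local_utc_offset):
    """Seconds the RTC is ahead of a trusted reference, per RTC convention."""
    rtc = decode_rtc(cmos)
    as_utc = rtc.replace(tzinfo=timezone.utc)
    as_local = rtc.replace(tzinfo=timezone(local_utc_offset))
    return {"rtc_holds_utc": (as_utc - reference_utc).total_seconds(),
            "rtc_holds_local": (as_local - reference_utc).total_seconds()}

def sample_dump():
    """Constructed 64-byte dump: 2017-06-26 23:21:05, BCD, 24-hour mode."""
    cmos = bytearray(64)
    cmos[SEC], cmos[MIN], cmos[HOUR] = 0x05, 0x21, 0x23
    cmos[DAY], cmos[MONTH], cmos[YEAR] = 0x26, 0x06, 0x17
    cmos[STATUS_B], cmos[CENTURY] = 0x02, 0x20
    return bytes(cmos)

if __name__ == "__main__":
    # Constructed reference: examiner's trusted clock, machine configured UTC+2.
    ref = datetime(2017, 6, 26, 21, 21, 0, tzinfo=timezone.utc)
    for name, secs in rtc_offsets(sample_dump(), ref, timedelta(hours=2)).items():
        print(f"{name}: RTC ahead of reference by {secs:+.0f} s")
```

An offset near zero under one convention and near a whole number of hours under the other indicates which convention the installed OS used when it last wrote the RTC.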
JimC
(@jimc)
Member

A previous post suggested the time is only written back to the CMOS RAM on shutdown.

I was a bit dubious about this because it would mean the updated time could be lost if the system crashed or was not shut down properly. To verify, I set up a quick test Windows (2003) system with live CMOS display. This found that date/time changes are *immediately* written to the CMOS RAM.

I would anticipate Linux behaves the same but a quick test (on Ubuntu 17.04) found this is not the case and the hardware clock (via "hwclock") does not change when the system time is updated.

Jim

www.binarymarkup.com

Posted : 04/07/2017 4:20 pm
jaclaz
(@jaclaz)
Community Legend

A previous post suggested the time is only written back to the CMOS RAM on shutdown.

I believe that the mentioned blog post is only poorly worded.

Probably ? the meaning was more *like*
Once the machine has been up and running, the w32time service starts and attempts to discipline the clock (to make it more accurate) by periodically synchronizing with an NTP server and updating the hardware clock.
In any case, at shutdown, the w32time service writes the current time back to the hardware clock one last time, so as to preserve as much of the accuracy as possible that was garnered while w32time was running.

jaclaz

Posted : 04/07/2017 8:14 pm