Hi
Please consider this scenario. (BTW it's hypothetical)
I have an EWS image of a W7 PC, the BIOS date was not checked before the image was taken and the PC is no longer available to the investigator. During my investigation, I think the BIOS date of the PC was advanced by 5 days as the timestamps on the files are 5 days later than the documented image date. Assuming the documented image date is correct then the PC owner must have purposely moved the date forward in an attempt to refute any incriminating evidence.
What methods are available to me to prove/detect that the date of the BIOS has been changed?
Regards
John
Examine the USN journal file.
The file is sequential so records are recorded appended to the end. If you see large gaps or dates which are further down the file but have an earlier date then that proves the date has been messed with.
I am not sure I understand.
Why would one want to set a date in the future?
Let's say today is the 1st of September 2016.
I switch on the machine and change the date to 6 September 2016 [*].
I do whatever I am supposed to do on the machine (move files, delete them, create new ones).
I switch off the machine.
Then (still today) comes the police, seizes the machine and images it on the field (but forgets to take note of the BIOS date).
Last entries will be dated 1st September, there will be no records for days 2, 3, 4, 5 September (assuming that normally the PC is used daily) and suddenly a number of records for 6th September will appear…
Another approach.
On the 1st of August (morning) I work on the PC then midday I change the date to 2nd of August.
On the 2nd (3rd on the BIOS date) I work on the PC then midday I change the date to 3rd.
I do this another few times, then keep the date "forward" five days for almost a month.
What would this cause?
As I see it, if you do a full timeline of the system you will find more artifacts; there are several logs that may provide this kind of info, see also
https://
and
http//
(you won't likely find any event 577, but besides the Windows System logs, on a common system there are often logs, ini files and similar for third party installed apps)
http://www.forensicfocus.com/Forums/viewtopic/t=10059/
The opposite (antedating vs. postdating) which would be - I believe - more common
http//
jaclaz
[*]I also need *somehow* to disable NTP/W32time or the machine needs to be air gapped.
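The USN journal check described earlier in the thread (records are appended in order, so a timestamp that goes backwards or a multi-day hole points at clock tampering) and the timeline scenario above both reduce to the same test: walk the records in append order and compare each timestamp with the previous one. The following script is an added example, not code from the thread or any of its posters; the records are constructed to mimic the 1st-to-6th September scenario, with `usn` standing in for the record's byte offset in $UsnJrnl:$J (which is what gives append order once the journal has been parsed by whatever tool you use).

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class UsnRecord(NamedTuple):
    usn: int             # byte offset in $J; strictly increasing in a healthy journal
    timestamp: datetime  # TimeStamp field, written from the system clock
    filename: str


# Constructed sample records (not real case data) reproducing the thread's scenario:
# normal activity on 31 Aug / 1 Sep, then the clock is advanced and activity
# reappears dated 6 Sep, then one record goes backwards again.
SAMPLE_RECORDS = [
    UsnRecord(0x0000, datetime(2016, 8, 31, 9, 12), "report.docx"),
    UsnRecord(0x0060, datetime(2016, 8, 31, 17, 40), "notes.txt"),
    UsnRecord(0x00C0, datetime(2016, 9, 1, 8, 5), "report.docx"),
    UsnRecord(0x0120, datetime(2016, 9, 1, 11, 58), "ntuser.dat"),
    # clock advanced by five days here: no records at all for 2-5 Sep
    UsnRecord(0x0180, datetime(2016, 9, 6, 12, 3), "report.docx"),
    UsnRecord(0x01E0, datetime(2016, 9, 6, 12, 4), "evidence.zip"),
    # clock corrected (manually or by a time sync): a later record carries an earlier time
    UsnRecord(0x0240, datetime(2016, 9, 1, 12, 30), "desktop.ini"),
]

# Assumed documented imaging time for the sample (constructed value).
DOCUMENTED_IMAGE_DATE = datetime(2016, 9, 1, 14, 0)


def find_anomalies(records, max_gap=timedelta(days=1)):
    """Walk the journal in append (USN) order and report timestamps that
    go backwards or leap forward by more than max_gap.

    Returns a list of (kind, previous_usn, current_usn, delta) tuples where
    kind is "backward" or "gap". A gap is only suspicious if the machine is
    normally used every day, so max_gap should reflect the user's habits.
    """
    ordered = sorted(records, key=lambda r: r.usn)
    anomalies = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur.timestamp - prev.timestamp
        if delta < timedelta(0):
            anomalies.append(("backward", prev.usn, cur.usn, delta))
        elif delta > max_gap:
            anomalies.append(("gap", prev.usn, cur.usn, delta))
    return anomalies


def offset_from_image_date(records, image_date=DOCUMENTED_IMAGE_DATE):
    """How far the newest journal timestamp lies ahead of the documented
    imaging time. Anything clearly positive means the system clock was ahead
    of real time when those records were written (or the image date is wrong)."""
    newest = max(r.timestamp for r in records)
    return newest - image_date


if __name__ == "__main__":
    for kind, prev_usn, cur_usn, delta in find_anomalies(SAMPLE_RECORDS):
        print(f"{kind:8s} between USN {prev_usn:#06x} and {cur_usn:#06x}: {delta}")
    print("newest record is ahead of image date by", offset_from_image_date(SAMPLE_RECORDS))
```

The same loop applies unchanged to any other append-only source (event logs sorted by record number, setupapi logs, third-party application logs): sort by the sequence field, never by timestamp, and then look for the ordering to contradict the timestamps.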
The CMOS battery could have been broken, on some older hardware this can make the clock start to drift over time - I've seen this personally. The examiner should have checked what the time was.
Apart from the NTFS journaling (Assuming it's an NTFS Filesystem) and other logs that should have timestamps in a sequential order, you can get an ISP access log and correlate that with the eventlog. Any discrepancy will stand out.
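The ISP correlation suggested in the post above works because the ISP's records come from a clock the suspect could not touch. As an added example (not code from the thread or from any poster), the script below pairs session-start times from a constructed ISP access log with the PC's own "network connected" events, computes the PC-minus-ISP offset for each pair, and only reports a skew when all pairs agree within a tolerance; both lists are assumed to have been normalised to UTC already, and the matching-by-order assumption only holds once the lists have been trimmed to the same set of sessions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data, not taken from a real case. Both sides in UTC.
# ISP side: session-start times on the ISP's own (NTP-synced) clock.
ISP_SESSION_STARTS = [
    datetime(2016, 8, 31, 8, 2),
    datetime(2016, 8, 31, 19, 15),
    datetime(2016, 9, 1, 7, 58),
]
# PC side: "network connected" events as written by the PC's clock.
PC_CONNECT_EVENTS = [
    datetime(2016, 9, 5, 8, 1),
    datetime(2016, 9, 5, 19, 15),
    datetime(2016, 9, 6, 7, 57),
]


def estimate_clock_offset(pc_events, isp_events, tolerance=timedelta(minutes=5)):
    """Pair PC and ISP events in chronological order and estimate how far the
    PC clock was ahead of real time.

    Returns (offset, consistent): offset is the median PC-minus-ISP delta,
    consistent is True when every pair agrees within `tolerance`. A skew that
    is not consistent across pairs is more likely a matching error than a
    clock change, so the caller should not rely on it without re-aligning.
    """
    if len(pc_events) != len(isp_events):
        raise ValueError("event counts differ; align the two lists before comparing")
    pairs = zip(sorted(pc_events), sorted(isp_events))
    offsets = [pc - isp for pc, isp in pairs]
    spread = max(offsets) - min(offsets)
    return median(offsets), spread <= tolerance


def is_meaningful_skew(offset, minimum=timedelta(hours=1)):
    """Ignore the few seconds or minutes of drift a healthy unsynced clock shows;
    the threshold is an assumption to tune per case."""
    return abs(offset) >= minimum


if __name__ == "__main__":
    offset, consistent = estimate_clock_offset(PC_CONNECT_EVENTS, ISP_SESSION_STARTS)
    print(f"PC clock ahead of ISP clock by {offset} (consistent across pairs: {consistent})")
    print("meaningful skew:", is_meaningful_skew(offset))
```

Matching by order is the simplest alignment; when the two logs do not cover exactly the same sessions, match each PC event to the nearest ISP event instead and discard pairs whose offset is an outlier before taking the median.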
Hi MDCR, that is a good suggestion contact the ISP.
But could it be traced back to the MAC address of the PC?
How good are ISP logs ?
John
From what I have seen and heard of examples and discussions, they are regular IP logs with timestamps and IP access logs and a customer ID, they will probably also vary in detail between ISPs. Not sure that MAC is used at all, just time and IP (MAC can easily be spoofed anyway).
(Maybe someone else can confirm this).
I'm non-LEO and have done all forensics in-house at my agency so I've never had to go there.
I'd look at internet history and hope they went to Google.
The EI values in the URL are set by the server and therefore there would be a discrepancy.
What methods are available to me to prove/detect that the date of the BIOS has been changed?
How strict is that requirement?
A number of suggestions have been made, but none, as far as I can see, prove that precise action.
Curiosity more than anything else.
I have a few ideas to think about.
John