Hi everyone,
I am currently investigating a case where a suspect has allegedly removed evidence from his computer.
According to the initial information, he reinstalled Windows in Jan 2013, but Encase shows that the system installation dates back to an unsuspected period: 17/02/2012.
When I look at the XP Win events, I notice a gap between 17 Feb 2012 and 09 Jan 2013, with no log entry whatsoever during this period of time.
The creation date for the two volumes on the disk is 17/02/2012 for the first one and 09/01/2013 for the second one.
It seems that the user did not log into the computer between these two dates, but we know that he was using it… However, during this period of time, the Administrator account was active… but I don't find any Win event for the corresponding user…
Similarly, when I look in the advanced registry tab in Encase 7, I find the same gap in the activity… I am a bit puzzled about how to interpret this…
Has anyone come across the same type of case? Thanks for your help…
but we know that he was using it though…
Q1 How do you know this?
Q2 & 3 This machine? For sure?
Once you have satisfied these questions, I would go on to suggest any number of ways this comes to pass. I'll give you a couple for free:
a) You are missing something (the most common scenario in those cases where I came across things I didn't understand)
b) Knoppix (or similar)
Change of system time?
Well, unless you can find any artifacts of actual use or indication of eventlog scrubbing software, there is no reason to jump to such conclusions.
There are other ways to determine what was going on than just blindly staring at the Eventlog. Things you may want to check:
- File-timestamps
- Other logfiles
- Deleted file information
- Internet activity
- Registry last access
- Other computers/devices that it may have been connected to may have info on it.
- Has the eventlog file been manipulated/replaced? Can you find different eventlog files with other info on the system drive? Such files can be copied/overwritten - easily.
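One way to put the cross-checking advice above into practice, as an added example that is not from any of the thread's posters: a small Python script that takes timestamped artifacts from several sources, finds silent periods in the event log, and reports whether the other sources were active inside them. The sample records, the source names and the 30-day gap threshold are all constructed assumptions, not data from the case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (source, timestamp); all values are made up for this example.
SAMPLE_ARTIFACTS = [
    ("eventlog", "2012-02-17 10:05"),
    ("eventlog", "2012-02-17 18:30"),
    ("eventlog", "2013-01-09 09:00"),
    ("file_mtime", "2012-02-20 12:00"),
    ("file_mtime", "2012-11-11 21:07"),
    ("registry_lastwrite", "2012-09-14 19:40"),
    ("browser_history", "2012-07-01 22:15"),
    ("browser_history", "2013-01-09 10:00"),
]

def parse_artifacts(rows):
    """Group timestamps by artifact source, sorted ascending."""
    by_source = defaultdict(list)
    for source, ts in rows:
        by_source[source].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    for ts_list in by_source.values():
        ts_list.sort()
    return by_source

def find_gaps(timestamps, min_gap):
    """Return (start, end) pairs where consecutive entries are more than min_gap apart."""
    return [(a, b) for a, b in zip(timestamps, timestamps[1:]) if b - a > min_gap]

def activity_inside_gap(by_source, gap, exclude):
    """Count artifacts from every other source that fall strictly inside the gap."""
    start, end = gap
    counts = {src: sum(1 for t in ts if start < t < end)
              for src, ts in by_source.items() if src != exclude}
    return {src: n for src, n in counts.items() if n}

def assess_eventlog_gaps(rows, min_gap=timedelta(days=30)):
    """For each silent period in the event log, report which other sources were active."""
    by_source = parse_artifacts(rows)
    results = []
    for gap in find_gaps(by_source["eventlog"], min_gap):
        hits = activity_inside_gap(by_source, gap, exclude="eventlog")
        verdict = ("other artifacts show activity: check for log clearing or replacement"
                   if hits else "no corroborating activity: the machine may simply have been idle")
        results.append({"start": gap[0], "end": gap[1], "corroborating": hits, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in assess_eventlog_gaps(SAMPLE_ARTIFACTS):
        print(f"{r['start']:%Y-%m-%d} -> {r['end']:%Y-%m-%d}: {r['corroborating']} ({r['verdict']})")
```

A gap with corroborating file, registry or browser activity is a reason to look for cleared or replaced log files; a gap with none is consistent with the machine sitting unused.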