Hi all,
In my hard disk examination, my suspicion is that the system time was changed and some files were added to the hard disk.
My suspected changed time is XX.XX.XX 1543.
I looked in the system and I see a file was created at 154343. The file is "E\System Volume Information\SPP\SppGroupCache\{6C1F5E5B-FFD9-4901-A286-C08706D8F7D6}_DriverPackageInfo"
What do you think about this situation? What is this file, and is it evidence for me?
If the system time was changed, how can I find it?
Thanks
That looks like a volume shadow copy file. Operating systems like Vista take a sort of backup whenever new items such as drivers are installed so that if the machine crashes it can reset to a "last known good" setup.
Have a look at software like Shadow Explorer to find out more about that shadow copy.
Thanks, but my suspicious file is in an E01 image.
If you have a virtual disk emulator or physical disk emulator you could use those, or export the entire System Volume Information folder out to your examination computer's hard drive and look at it there.
What tools are you using? In EnCase you should be able to open it as a container and view the contents.
FTK Imager version 3 is an excellent and FREE disk image mounter. It will easily mount an E01 as a physical disk with its logical volumes so that you can view it like any other disk in Windows.
I'm not totally sure what you are trying to show but the System event logs in Vista should show if there were any large time differences detected between actual time and the system clock, which may indicate a deliberate changing of the clock.
If my notes are correct it should create an error with Event ID 34.
System Time changes will be recorded in the Security Event Log, Event ID 4616. You can export the log (security.evtx) and open it within the Vista/Windows 7 event viewer.
Thanks all, my problem is fixed and I was right in my suspicions.
I looked at Event ID 4616 in security.evtx and the system time was changed on my target date.
Best Regards
Hi again,
I looked at Event ID 4616 in security.evtx and saw some system time change logs.
But later, I looked at system.evtx (Event ID 1) and noticed that some system time change logs in system.evtx are not in security.evtx.
Which one is trustworthy? I await your valuable opinions.
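An added example, not code from anyone in this thread, covering both the Event ID 4616 advice above and the last post's question about system.evtx. The two records come from different components: 4616 is written to the Security log by the auditing subsystem when a process changes the system time (and only while the "Audit Security State Change" subcategory is being audited), while Event ID 1 from the provider Microsoft-Windows-Kernel-General is written to the System log by the kernel itself when the clock changes. Neither is "the" trusted one; listing both side by side and looking at which entries lack a counterpart is what an examiner would do. The script assumes (my assumption, not stated in the thread) that security.evtx and system.evtx were exported from the E01 image to C:\case\, and it pairs records from the two logs when their NewTime values are within $MatchWindowSeconds of each other, an arbitrary tolerance I chose rather than a Windows constant.

```powershell
# Added example, not part of the thread. Pulls the system-time-change records out of
# an exported Security log (Event ID 4616) and System log (provider
# Microsoft-Windows-Kernel-General, Event ID 1) and reports which entries appear in
# only one of the two logs.
#
# Assumptions (mine, not from the thread): the .evtx files were exported from the
# E01 image to C:\case\; records from the two logs are treated as the same clock
# change when their NewTime values differ by at most $MatchWindowSeconds.
param(
    [string]$SecurityLog = 'C:\case\security.evtx',
    [string]$SystemLog   = 'C:\case\system.evtx',
    [int]$MatchWindowSeconds = 5
)

function ConvertTo-UtcDateTime {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    # Event XML carries ISO 8601 timestamps with up to nine fractional digits;
    # .NET parses at most seven, so trim the surplus before parsing. Result is UTC.
    $trimmed = [regex]::Replace($Text, '(\.\d{7})\d+', '$1')
    return [datetime]::Parse($trimmed, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # Read the EventData name/value pairs from the raw XML. This still works when
    # the examination machine cannot render the event's message text.
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Get-SecurityTimeChanges {
    param([string]$Path)
    # 4616 records who changed the clock and from which process.
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4616 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            [pscustomobject]@{
                Log          = 'Security'
                Logged       = $_.TimeCreated.ToUniversalTime()
                PreviousTime = ConvertTo-UtcDateTime $d['PreviousTime']
                NewTime      = ConvertTo-UtcDateTime $d['NewTime']
                Actor        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process      = $d['ProcessName']
            }
        }
}

function Get-SystemTimeChanges {
    param([string]$Path)
    # Kernel-General event 1 records the old and new time but no user; newer
    # Windows versions add a numeric Reason field, shown here when present.
    Get-WinEvent -FilterHashtable @{
        Path = $Path; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            [pscustomobject]@{
                Log          = 'System'
                Logged       = $_.TimeCreated.ToUniversalTime()
                PreviousTime = ConvertTo-UtcDateTime $d['OldTime']
                NewTime      = ConvertTo-UtcDateTime $d['NewTime']
                Actor        = '(kernel)'
                Process      = if ($d.ContainsKey('Reason')) { "Reason=$($d['Reason'])" } else { '' }
            }
        }
}

function Test-HasMatch {
    param([datetime]$NewTime, $Others, [int]$WindowSeconds)
    foreach ($o in $Others) {
        if ($o.NewTime -and [math]::Abs(($o.NewTime - $NewTime).TotalSeconds) -le $WindowSeconds) {
            return $true
        }
    }
    return $false
}

$sec = @(Get-SecurityTimeChanges -Path $SecurityLog)
$sys = @(Get-SystemTimeChanges   -Path $SystemLog)

"All recorded clock changes (UTC), both logs merged:"
($sec + $sys) | Sort-Object NewTime |
    Format-Table Log, Logged, PreviousTime, NewTime, Actor, Process -AutoSize

"System log changes with no Security 4616 within $MatchWindowSeconds s:"
$sys | Where-Object { $_.NewTime -and -not (Test-HasMatch $_.NewTime $sec $MatchWindowSeconds) } |
    Format-Table Logged, PreviousTime, NewTime, Process -AutoSize

"Security 4616 changes with no System event 1 within $MatchWindowSeconds s:"
$sec | Where-Object { $_.NewTime -and -not (Test-HasMatch $_.NewTime $sys $MatchWindowSeconds) } |
    Format-Table Logged, PreviousTime, NewTime, Actor, Process -AutoSize
```

Run it on the examination machine as `.\Compare-TimeChanges.ps1 -SecurityLog C:\case\security.evtx -SystemLog C:\case\system.evtx`. When reading the output, keep two ordinary explanations in mind before treating a gap as tampering: a kernel time change at boot (the clock being set from the hardware clock before the audit subsystem is running) cannot have a 4616 counterpart, and 4616 entries from the Windows Time service (LOCAL SERVICE via svchost.exe) are routine synchronization. The entry an examiner wants is a 4616 whose Actor is an interactive user and whose Process is a user-facing program, with a PreviousTime/NewTime jump that matches the suspected date.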