I have a laptop running Windows 8.1 that has user logons and files that have created / modified dates that are 8 months after the computer was in our custody.
I checked the event log files and there were quite a few instances where the following appeared:
event 1 system time synchronized with hardware clock
One event bumped the date forward a little over a month, then there were a few that were 5 days or so. But all added up, they don't equal the 8 months. I am working off of the E01 image. The actual computer is a couple of hours away.
Is there anywhere else I can look or is there someplace within a HDD that will tell what the date / time is set at (not just timezone info)?
I'm almost to the point where I'm going to take the hard drive out of the laptop and boot it up into the BIOS and see what time it shows. But if there's a way to save a 4 hour round trip, I'm open to suggestions.
Looking at the clock in the BIOS is good information for any investigation. Whether the BIOS says today or 8 months in the future you might still need more information to make sense of the timestamps in question.
What do other system artifacts show for timeline or sequence? Registry, shortcut targets, internet history entries, MFT, and UsnJrnl? Are there Volume Shadow Copies?
One place to look in the Registry is to look for NTP settings under HKLM\SYSTEM\CurrentControlSet\Services\W32Time.
Consider this information with other artifacts above.
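An added example, not part of the thread above: one way to test whether the logged time changes account for the whole offset is to sum them from an XML export of the System log and then walk the records in EventRecordID order, flagging steps the time-change events do not explain. The records below are constructed, the function names and the 30-day threshold are hypothetical, and the layout assumes time-change events (Event ID 1) carry `OldTime` and `NewTime` data fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample: four System-log records wrapped in one root element.
# 101 and 103 are logged time changes; 102 and 104 are ordinary events.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID><EventRecordID>101</EventRecordID><TimeCreated SystemTime="2015-02-05T09:00:00.000000000Z"/></System>
<EventData><Data Name="NewTime">2015-02-05T09:00:00.000000000Z</Data><Data Name="OldTime">2015-01-01T09:00:00.000000000Z</Data></EventData></Event>
<Event><System><EventID>6005</EventID><EventRecordID>102</EventRecordID><TimeCreated SystemTime="2015-09-10T08:00:00.000000000Z"/></System></Event>
<Event><System><EventID>1</EventID><EventRecordID>103</EventRecordID><TimeCreated SystemTime="2015-09-15T08:30:00.000000000Z"/></System>
<EventData><Data Name="NewTime">2015-09-15T08:30:00.000000000Z</Data><Data Name="OldTime">2015-09-10T08:30:00.000000000Z</Data></EventData></Event>
<Event><System><EventID>7036</EventID><EventRecordID>104</EventRecordID><TimeCreated SystemTime="2015-09-12T00:00:00.000000000Z"/></System></Event>
</Events>"""

def ts(s):
    # Keep whole seconds only; the fractional part and trailing Z are dropped.
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S")

def load(xml_text):
    """Parse exported events and return them ordered by EventRecordID."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysn = ev.find("e:System", NS)
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        rows.append({"rec": int(sysn.find("e:EventRecordID", NS).text),
                     "eid": int(sysn.find("e:EventID", NS).text),
                     "when": ts(sysn.find("e:TimeCreated", NS).get("SystemTime")),
                     "data": data})
    return sorted(rows, key=lambda r: r["rec"])

def logged_shift(rows):
    """Sum NewTime - OldTime over the logged time-change events (Event ID 1)."""
    return sum((ts(r["data"]["NewTime"]) - ts(r["data"]["OldTime"])
                for r in rows if r["eid"] == 1 and "OldTime" in r["data"]), timedelta())

def unlogged_steps(rows, gap=timedelta(days=30)):
    """Records whose timestamp runs backwards, or leaps more than `gap`,
    relative to the previous record without being a time-change event."""
    out = []
    for prev, cur in zip(rows, rows[1:]):
        step = cur["when"] - prev["when"]
        if cur["eid"] != 1 and (step < timedelta(0) or step > gap):
            out.append((cur["rec"], step))
    return out

if __name__ == "__main__":
    rows = load(SAMPLE)
    print("logged clock changes total:", logged_shift(rows))
    for rec, step in unlogged_steps(rows):
        print(f"record {rec}: step of {step} with no logged time change")
```

A backwards step between consecutive record IDs means the clock was set back. A large forward step with no logged change is only a candidate, since it can be powered-off time or a clock changed outside the running OS, so weigh it against the other artifacts mentioned above.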