Hi,
I have a case in which I want to know if the system date & time has been changed.
Is there a way to find out if the system date & time has been changed?
Please read the forum, there have been many feeds on this already
Just as a quickie
Have you looked into the sys event files?
Security Event, ID 520 - Indicates that the system clock is changed
You might strike lucky with a virus scan log, they will record which files were scanned and when, do a quick observation and see if times jump.
Don't forget to check for small groups of files with abnormal time stamps where only those files seem to have been created/accessed/modified.
Check for timestomp from metasploit and other such time/date stamp altering tools. The clock may not have changed; don't forget they could have changed the time/date stamps themselves.
Thanks that was good quick help…
Security Event, ID 520 - Indicates that the system clock is changed
… but only if Audit System Events has been enabled. (I'm assuming XP here, by the way)
Furthermore, changing time within Windows requires the SeSystemtimePrivilege – so only the accounts that have that privilege can do it. And if Audit System Events has been enabled, use of that privilege is also logged in the security log.
And if time is changed more than 15 hours out of true time, it isn't automatically reset when the system resynchronizes time. Instead an event 34 for W32Time is logged… unless, of course, time is changed manually back to be within the +-15 hour window.
On the typical single-user-runs-as-administrator not-a-corporate-PC with-default-logging-configuration, however, you'll have to crosscheck time stamps and log entries with internal or external evidence.
Well, one way to check is to see if a user accessed the Date/Time Control Panel applet by deciphering the UserAssist entries. This isn't definitive that they actually changed the time, but it can be a lead.
Another thing to look for is out-of-sequence Event Log records or, if XP, out-of-sequence System Restore Points.
HTH
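
The out-of-sequence Event Log check suggested in the last reply can be scripted. The following is an added example, not code posted by anyone in this thread. It assumes the log has already been exported to CSV with hypothetical column names `record_number`, `time_generated` and `event_id`; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: event log records exported as CSV (record number,
# time written, event ID). Not taken from a real system.
SAMPLE_CSV = """record_number,time_generated,event_id
1001,2009-03-02 08:15:10,528
1002,2009-03-02 08:15:42,592
1003,2009-03-02 08:20:05,520
1004,2009-02-20 23:50:11,592
1005,2009-02-20 23:58:40,593
1006,2009-03-02 08:31:17,520
1007,2009-03-02 08:31:59,538
"""

FMT = "%Y-%m-%d %H:%M:%S"


def load_records(text):
    """Parse the CSV export into (record_number, timestamp, event_id) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(int(r["record_number"]),
             datetime.strptime(r["time_generated"], FMT),
             int(r["event_id"])) for r in rows]


def find_backward_jumps(records, tolerance=timedelta(seconds=2)):
    """Return (prev_record, record, delta) wherever time runs backwards.

    Records are written in record-number order, so a timestamp earlier than
    its predecessor's means the clock was behind when that record was written.
    Forward gaps are ignored: a powered-off machine produces them normally.
    """
    ordered = sorted(records, key=lambda r: r[0])
    jumps = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur[1] - prev[1]
        if delta < -tolerance:
            jumps.append((prev[0], cur[0], delta))
    return jumps


if __name__ == "__main__":
    for prev_no, cur_no, delta in find_backward_jumps(load_records(SAMPLE_CSV)):
        print(f"record {cur_no} is {-delta} earlier than record {prev_no}")
```

A hit only bounds the window in which the clock was set back; the records on either side of the jump still need to be cross-checked against other evidence, as described above.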