Proof of date change

ycae
(@ycae)
Active Member
Joined: 17 years ago
Posts: 10
Topic starter

Hi,

I need your ideas about this

I have a case where I have surfing activity in the Internet temporary files which dates from February. However, when I look in the registry, I can see that the computer was installed in August of the same year.

My guess is that the user changed the date on the computer to hide his activities somehow or to pretend that these activities are not from him.

When looking at the content of files which are dated in February, on some I can see dates of the website for example which show August. That's my only proof for the moment that the activity was not in February but in August.

Is there anywhere else where I can find evidence that this person changed the date on the computer? Is this action logged somewhere on the system?

Thanks,

(@spawn)
Eminent Member
Joined: 17 years ago
Posts: 34

You don't mention the OS version so it is a little difficult to be specific however assuming a Microsoft OS…

If you have an event log that is large enough then you should be able to see it in there. Not only are date/time changes logged, but each event log entry is given its own sequence number independent of the date, so if you sort the events by the sequence number you can see when the date/time changed.

SETUPAPI.LOG is also a big help as it is cumulative so newer entries may have date/timestamps earlier than the ones at the front of the log.

Various components and applications create .log files so look for similar behavior in other files.

Hopefully that will get you started.

ycae
(@ycae)
Active Member
Joined: 17 years ago
Posts: 10
Topic starter

Hi

Yes sorry it is a Microsoft OS.

I will see what I can find in other log files.

But there is for sure no entry in the registry which could point me to some information, right? At least I read in a post that the registry doesn't have any field which tracks the date and time.

Thanks for your precious help Spawn.

(@andrewcallow)
Active Member
Joined: 17 years ago
Posts: 7

I always find that a good indication of time changing is by examining the creation dates of the restore point folders in the System Volume Information directory (RP0, RP1 etc).

Each folder should be named incrementally, so sorting them in order of their creation dates and looking for inconsistencies in them may help, i.e. when in date order the RP folders aren't in incremental order.

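Spawn's event log advice and andrewcallow's restore point advice are the same check: a counter assigned at write time (event record number, RPn folder number) compared against the clock time recorded alongside it. The following is an added example, not code from any poster; the sample records, the RP folder times and the timestamp format are constructed for illustration.

```python
from datetime import datetime

# Constructed sample: (record number, timestamp) pairs as they might be
# exported from a Windows event log. The record number is assigned when the
# entry is written, so it orders events even if the clock was moved.
EVENT_RECORDS = [
    (1001, "2008-08-10 09:00:00"),
    (1002, "2008-08-10 09:05:00"),
    (1003, "2008-02-03 14:00:00"),  # clock set back before this entry
    (1004, "2008-02-03 14:20:00"),
    (1005, "2008-08-11 08:00:00"),  # clock set forward again
]

# Constructed sample: XP restore point folders and their creation times.
RESTORE_POINTS = {
    "RP0": "2008-08-10 10:00:00",
    "RP1": "2008-08-12 10:00:00",
    "RP2": "2008-02-04 10:00:00",  # later folder, earlier creation time
    "RP3": "2008-08-14 10:00:00",
}

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed format of the constructed export


def clock_regressions(items):
    """items: (sequence, timestamp) pairs where sequence is a counter assigned
    at write time. Sort by the counter and return every step at which the
    recorded time runs backwards; each hit brackets a possible clock change."""
    ordered = sorted(items, key=lambda it: it[0])
    hits = []
    for (prev_seq, prev_ts), (seq, ts) in zip(ordered, ordered[1:]):
        if datetime.strptime(ts, TS_FORMAT) < datetime.strptime(prev_ts, TS_FORMAT):
            hits.append({"from": prev_seq, "to": seq, "before": prev_ts, "after": ts})
    return hits


def restore_point_items(folders):
    """Turn {'RP12': created, ...} into (12, created) pairs so that the
    folder number plays the role of the sequence counter."""
    return [(int(name[2:]), created) for name, created in folders.items()
            if name.upper().startswith("RP") and name[2:].isdigit()]


if __name__ == "__main__":
    for hit in clock_regressions(EVENT_RECORDS):
        print("event log: time goes back between records", hit)
    for hit in clock_regressions(restore_point_items(RESTORE_POINTS)):
        print("restore points: time goes back between RP folders", hit)
```

Only a clock moved backwards shows up this way; a clock moved forwards looks like an ordinary gap, so a clean result here does not rule out a change.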
ycae
(@ycae)
Active Member
Joined: 17 years ago
Posts: 10
Topic starter

So, I searched the disk and couldn't find any log file which could help me (I have only a part of the disk). What I did was open the websites visited and try to find whether any website has a timestamp. And lucky me, I found, at least for each modified date, a website which says the contrary.

Do you think that this is proof enough that the date and time had been changed?

Thanks

iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145

I am not much experienced in doing what I am going to advise… but I think you could search for timedate.cpl executions under UserAssist keys in the registry. That could be of some help if the Time/Date had been changed under Windows and not under the BIOS.

Hope it helps.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

So far, the advice being given, cumulatively, is excellent advice…

To determine indications of date changes, start in the UserAssist keys, looking for execution of the Date and Time Control Panel applet.

The remaining advice about checking Restore Points (if XP) or setupapi.log or the Event Log is good advice.

However, there is something else to consider. Check the UserAssist keys for the earliest date of activity, and correlate that to data from the SAM Registry hive for that user (can use RegRipper to do both), as well as the creation date for the user's NTUSER.DAT file.

I mention this as it could be entirely possible that the system was originally set up in August, but not used by that user until Feb. I guess my point is that based on what was originally provided, there's really no indication other than suspicion that the time was altered on the system. Sometimes it helps to have data that indicates this first, rather than jumping to that conclusion…

neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182

Have you considered comparing your Internet cache to those archived by the 'Wayback Machine'? http://www.archive.org/index.php
You may be able to find a few more points in time that support your case.

Google uses a range of different Google doodles for special holidays that may be of use. http://www.google.com/holidaylogos08.html

Proving dates and times can be really hard work, best of luck!
