Registry and MFT off by 1 hour?

(@kbleich)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

Hello all,

I'm new on this forum and wished to pose a question. Here is an interesting question, one which likely has an easy answer that I'm just missing.

I have a USB device connection and subsequent copying of files.

Setupapi.dev.log from the system shows the connection date and time on December 10, 2012 at 2:01 PM.

MFT shows the files begin being created on the USB device at 2:01:25 PM (I have an image of the USB device).

However, the analysis of the registry (USBStor and MountedDevices) shows the USB connection at 3:01 PM……

My assumption at this point is that the system BIOS reflects a date and time that is one hour off, and the registry is deriving its date/time from there. I currently don't have access to the physical systems to confirm but hopefully will be getting that this week.

Thoughts?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Setupapi.dev.log from the system…

Vista? Windows 7? Windows 2008 R2?

…shows the connection date and time on December 10, 2012 at 2:01 PM.

MFT shows the files begin being created on the USB device at 2:01:25 PM (I have an image of the USB device).

However, the analysis of the registry (USBStor and MountedDevices) shows the USB connection at 3:01 PM……

You used the word "shows" three times, but I'm curious, what tools are you using to see these times?

My assumption at this point is that the system BIOS reflects a date and time that is one hour off, and the registry is deriving its date/time from there. I currently don't have access to the physical systems to confirm but hopefully will be getting that this week.

Thoughts?

Can you share what you're doing or using to view these times?

Also, what are the time zone settings for the system? Do the Windows Event Logs provide any indication of time updates via an NTP server?

(@kbleich)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

1. Windows 7

2. Setupapi.dev.log with simple text viewer
MFT dates and times with Encase
Registry with RegRipper and USBDeview

3. Security Event log shows system date and time synced with the network at logon.

Thanks!

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Can you share the time zone settings for the system?

(@kbleich)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

DaylightName -> @tzres.dll,-161
StandardName -> @tzres.dll,-162
Bias -> 360 (6 hours)
ActiveTimeBias -> 360 (6 hours)

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'm new on this forum and wished to pose a question. Here is an interesting question, one which likely has an easy answer that I'm just missing.

I have a USB device connection and subsequent copying of files.

Setupapi.dev.log from the system shows the connection date and time on December 10, 2012 at 2:01 PM.

MFT shows the files begin being created on the USB device at 2:01:25 PM (I have an image of the USB device).

However, the analysis of the registry (USBStor and MountedDevices) shows the USB connection at 3:01 PM……

My assumption at this point is that the system BIOS reflects a date and time that is one hour off, and the registry is deriving its date/time from there. I currently don't have access to the physical systems to confirm but hopefully will be getting that this week.

Thoughts?

Looking back over your original post, one of the things that stands out to me is that there seems to be an assumption that the USBStor subkey for the device in question provides an indication of when it was plugged in, and this is not the case.

Also, the MountedDevices key does not show when a specific device was plugged in.

As such, it seems that two incorrect assumptions were made during this analysis…first, that the USBStor subkey and the MountedDevices keys provide information regarding when a device was connected to the system, and that there was some sort of issue with the BIOS time. Other activity could contribute to the key LastWrite time you're seeing beneath the USBStor key, and again, the MountedDevices key does not tell you anything about when a specific device was plugged in.

Not to worry, though…USB device identification is one of perhaps the least understood aspects of Windows analysis, but something more and more folks seem to need to do…

I hope that helps clear things up a bit.

(@kbleich)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

Thanks for the help Harvey!

I do understand the difficulties with the USBStor key, however, following some of your earlier advice and through reading some of your books, I have built a "mini-timeline" if you will, of activity on the system.

The DevClasses key also reflects a date and time consistent with the USBStor key (The USBStor dates and times are not all the same, as I've seen in previous situations)….

In addition, while I understand the USBStor key in and of itself may not represent the true first connection during the last boot session, the Setupapi.dev.log reflects the same date and time, off by exactly one hour….

This tends to solidify my thoughts of what I've found in the Registry…..relative to the connection of that device on that date and time…..

There are other network events and local system events (logons, file accesses and deletions, logouts, etc…) that support this timeline……

Does this make sense or sound like solid logic to you?

Thanks for the help!

PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Any time I see a one hour difference I think DST. In your case the dates are December, which will normally rule this out.

However, certain Windows API calls are affected by the DST settings on the examiner's computer, and your system will probably have DST in operation at the moment. Your example shows some dates and times that will be interpreted by the forensic software and therefore potentially by these API calls (i.e. MFT and Registry) and some dates and times that won't be manipulated by the API (i.e. the text entries in setupapi.log).

To rule this out you could disable DST on your machine and examine the dates again and see what happens.
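The DST effect PaulSanderson describes, and the TimeZoneInformation values posted earlier in the thread (Bias/ActiveTimeBias = 360), as an added example that is not part of the original thread: a FILETIME stored in UTC (registry key LastWrite times, MFT timestamps) is converted to local time with the bias in force on the system at the time of the artefact, and a tool that instead applies the examiner workstation's current DST offset shows the same instant one hour later. The sample FILETIME and the DaylightBias value of -60 are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# TimeZoneInformation values quoted in the thread (Bias/ActiveTimeBias = 360 -> UTC-6,
# standard time in force in December). DaylightBias = -60 is an assumption: the
# usual Windows value for a zone that observes a one-hour DST shift.
TZ_INFO = {"Bias": 360, "ActiveTimeBias": 360, "DaylightBias": -60}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc_to_filetime(utc_dt: datetime) -> int:
    """Encode an aware UTC datetime as a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    delta = utc_dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a FILETIME (as held in registry LastWrite times and MFT $SI/$FN) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_local(utc_dt: datetime, active_time_bias: int) -> datetime:
    """Apply a Windows bias. Windows defines UTC = local + bias, so local = UTC - bias."""
    return utc_dt - timedelta(minutes=active_time_bias)


def display(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%d %I:%M:%S %p")


def examiner_dst_shift(tz_info: dict) -> int:
    """Minutes by which a tool that silently adds DaylightBias (because the examiner's
    workstation is currently on DST) will shift a standard-time artefact."""
    return -tz_info["DaylightBias"]


# Constructed sample: a FILETIME for 2012-12-10 20:01:00 UTC, the kind of value a
# USBStor subkey LastWrite or an MFT creation timestamp would hold.
SAMPLE_FILETIME = utc_to_filetime(datetime(2012, 12, 10, 20, 1, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    utc = filetime_to_utc(SAMPLE_FILETIME)
    correct = utc_to_local(utc, TZ_INFO["ActiveTimeBias"])
    misapplied = utc_to_local(utc, TZ_INFO["Bias"] + TZ_INFO["DaylightBias"])
    print("UTC               :", display(utc))
    print("local, standard   :", display(correct))     # 02:01 PM, matches setupapi.dev.log
    print("local, DST applied:", display(misapplied))  # 03:01 PM, the "one hour off" reading
```

The check to run on a real case is therefore to compare the tool's displayed local time against the UTC value converted with the system's own ActiveTimeBias, not against the examiner workstation's clock.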
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Does this make sense or sound like solid logic to you?

Not at all…in part because honestly, I don't follow what you're saying. For example

This tends to solidify my thoughts of what I've found in the Registry…..relative to the connection of that device on that date and time..

What are those thoughts?

From what you've shared so far, there's nothing at all unusual about the LastWrite time for the USBStor subkey being off by an hour.

Further, you mention file accesses…by default, updating of file last access times, via normal user activity, is disabled in Vista and Windows 7. As such, I'm not entirely clear as to the conclusions you're drawing with respect to file access times.

Also, I'm not sure what this is supposed to mean…

In addition, while I understand the USBStor key in and of itself may not represent the true first connection during the last boot session, the Setupapi.dev.log reflects the same date and time, off by exactly one hour….

Finally, my name isn't "Harvey". 😉

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Maybe I am not seeing it, but did you boot the computer to see if the time was, in fact, correct?
