We use Encase for our forensic analysis.
I have a system that I am analyzing that appears to have had the system time pushed back 1 year. The system date in the BIOS was set to 2007; however, we have found files on the drive that EnCase reports with dates from 2008 in the "Last Accessed" and "Created" fields.
Is there any normal explanation for this, and if not, how can I prove that the time was in fact pushed back, and not always a year behind?
Also, can I determine when the date was pushed back?
Wow…three posts to different boards…
Well, assuming that the BIOS was moved back, you might check w/ the manufacturer for any sort of logs or indications. It doesn't sound like what you're looking for is even available to the OS.
One of the best ways I've found to determine when the system time was changed is to look for any log files which have been created on the system - such as from AV software, IM applications, Windows Event Logs or any other programs which create a logfile which is not dependent on using the system clock for a reference and instead actually records the date and time inside the file itself. Then analyze any date/time stamps found and these should give you a good reference as to when the clock was changed, if the change was as radical as one year (as opposed to say, 2 hours).
It's not guaranteed, but it's worth a shot. Hope it helps.
Jeff
Hotmail and eBay pages sometimes contain embedded server dates and times. Also, weather radar images will have dates and times on the image. Since all these times are independent of the system clock, you can compare any of these to the file's created time to get an idea of what the actual time was compared to the system time.
If it is an NTFS file system, when you look at the four date / time stamps, you should see some anomalies. For instance, I would focus on the creation, modified and viewed dates in that order to see if I could find files showing the gap on those internal stamps. A dead giveaway would be a file with a last viewed or modified date one year before the creation date for instance.
Anyway, hopefully that will give you something to work with.
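The anomaly described in the post above (a modified or last-accessed stamp that sits about a year before the file's own creation stamp) is easy to sweep for once the timestamps are exported from EnCase. The following is an added example, not code from the thread or from EnCase; the file records are constructed, and the 300-day threshold is an assumption chosen to match the suspected one-year shift, since a modified date slightly earlier than the created date is normal for files that were copied or installed and must not be flagged.

```python
from datetime import datetime, timedelta

# Constructed sample file records (not from the poster's evidence): one entry
# per file with the NTFS created / modified / accessed stamps as an exported
# EnCase listing would show them. budget.xls and cache.tmp are built so that a
# stamp precedes the creation time by roughly a year; notepad.exe shows the
# ordinary case of a copied file whose modified date is a little older than its
# created date, which must not be reported.
SAMPLE_RECORDS = [
    {"path": r"C:\Docs\report.doc",
     "created": "2007-03-10 09:15:00", "modified": "2007-03-12 14:02:00", "accessed": "2007-03-14 08:00:00"},
    {"path": r"C:\Docs\budget.xls",
     "created": "2008-02-01 10:00:00", "modified": "2007-02-03 11:30:00", "accessed": "2007-02-03 11:31:00"},
    {"path": r"C:\Temp\cache.tmp",
     "created": "2008-05-20 16:45:00", "modified": "2008-05-20 16:45:00", "accessed": "2007-05-21 07:10:00"},
    {"path": r"C:\Windows\notepad.exe",
     "created": "2007-01-05 12:00:00", "modified": "2006-11-30 03:00:00", "accessed": "2007-01-06 09:00:00"},
]


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' form used in the constructed listing."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_timestamp_anomalies(records, min_gap=timedelta(days=300)):
    """Return (path, field, gap_in_days) for every record whose modified or
    accessed stamp precedes its created stamp by at least min_gap.

    The threshold (an assumption, tuned to the suspected one-year shift) keeps
    the ordinary "copied file" case out of the results: copying preserves the
    modified time but assigns a fresh creation time, so modified < created by a
    few days or weeks is expected and says nothing about the clock.
    """
    hits = []
    for rec in records:
        created = parse_ts(rec["created"])
        for field in ("modified", "accessed"):
            gap = created - parse_ts(rec[field])
            if gap >= min_gap:
                hits.append((rec["path"], field, gap.days))
    return hits


def sweep(records=SAMPLE_RECORDS):
    """Run the check over a listing and return the flagged entries."""
    return find_timestamp_anomalies(records)


if __name__ == "__main__":
    for path, field, days in sweep():
        print(f"{path}: {field} stamp is {days} days before creation")
```

Each hit is a file to open in EnCase and inspect by hand; the check only narrows the listing, it does not by itself prove when the clock moved.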
Google changes its main logo regularly. They like celebrating dates as diverse as Earth Day to St Patrick's Day, hence it has become quite a handy reference point when trying to determine date and time drifts using an Internet browser's cache.
The absence of such handy artifacts means that you are presented with an age-old problem, as it is impossible to say if BIOS dates and times have ever been faithfully maintained.
I am not aware that any BIOS system stores a 'log' of such maintenance, such a 'log' would be very handy but then again what reference would this 'log' have?!
I would agree with an earlier post that one place to try would be the event logs. Windows XP has an integrated NTP client which will attempt to synchronize the Windows time to either a Domain Controller (if in a domain) or an Internet-based NTP server if standalone.
Time skew issues are recorded in the event logs (if yours go back far enough and if the skew is large enough).
You might also look at Windows Restore Points (if they go back far enough), or restore point data in unallocated space. They should be numbered sequentially, and the dates should be more recent as the Restore Point number increases. If you have a higher-numbered restore point with an older date, this would suggest a time that the clock had been reset.
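Jeff's suggestion earlier in the thread (application logs that write their own timestamps in the order they were produced) and the restore point suggestion just above are the same test: an artifact whose order of creation is known independently of the clock, checked for a place where the stamped time steps backwards. The following is an added example, not code from the thread; the log excerpt, the restore point listing and the 30-day threshold for ignoring small NTP or DST corrections are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed application log excerpt (not from the poster's system). Each line
# carries the timestamp the application wrote, and the line order in the file
# is the order the lines were written, so a later line with a much earlier
# stamp marks the moment the clock was set back.
SAMPLE_LOG = """\
2008-03-02 08:14:07 Scan started
2008-03-02 08:19:44 Scan finished, 0 threats
2008-03-09 08:14:10 Scan started
2007-03-09 08:21:02 Scan finished, 0 threats
2007-03-16 08:14:03 Scan started
"""

# Constructed restore point listing: (folder name, creation date). The folder
# numbers rise with time, so a higher-numbered point carrying an older date is
# the signal the post above describes.
SAMPLE_RESTORE_POINTS = [
    ("RP12", "2008-02-20 19:02:11"),
    ("RP13", "2008-02-27 18:55:40"),
    ("RP14", "2007-03-05 19:10:02"),
    ("RP15", "2007-03-12 19:00:27"),
]

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_log(text):
    """Turn the log text into (message, datetime) pairs, keeping file order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m.group(2), datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")))
    return events


def find_backward_jumps(events, min_jump=timedelta(days=30)):
    """events: (label, datetime) pairs in the order they were recorded.

    Returns (label_before, label_after, jump) for each consecutive pair where
    the later record carries an earlier stamp by at least min_jump. The
    threshold (an assumption) discards the small backward steps produced by
    NTP corrections or a DST change, which are not what we are looking for.
    """
    jumps = []
    for (prev_label, prev_ts), (label, ts) in zip(events, events[1:]):
        if prev_ts - ts >= min_jump:
            jumps.append((prev_label, label, prev_ts - ts))
    return jumps


def log_clock_changes(text=SAMPLE_LOG):
    """Clock set-backs visible between consecutive lines of an application log."""
    return find_backward_jumps(parse_log(text))


def restore_point_clock_changes(points=SAMPLE_RESTORE_POINTS):
    """Clock set-backs visible between consecutively numbered restore points."""
    events = [(name, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")) for name, ts in points]
    return find_backward_jumps(events)


if __name__ == "__main__":
    for before, after, jump in log_clock_changes():
        print(f"log: clock moved back {jump} between '{before}' and '{after}'")
    for before, after, jump in restore_point_clock_changes():
        print(f"restore points: clock moved back {jump} between {before} and {after}")
```

The two hits bracket the change: the clock was set back between the third and fourth log lines, and between RP13 and RP14. Those neighbouring stamps give both the old and the new clock reading, which is what the original poster needs to argue that the time was pushed back rather than always a year behind.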
Since you stated that you use EnCase, do you have a copy of the EnCE "red book (V5)" or the "white book (V6)" laying around? If so, check out the Registry section in the "Advanced EnCase" chapter.
Pg. 506, 507 in the white book. It explains how to check if the user opened the Time and Date Control Panel by examining the UserAssist key for timedate.cpl.
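The UserAssist check described above can be scripted once the values have been exported from the user's NTUSER.DAT. This is an added example, not the EnCE book's procedure or EnCase code. It assumes the Windows XP layout of the UserAssist "Count" values: value names ROT13-encoded, and 16 bytes of data holding a session id, a run counter that starts at 5, and the last-run time as a FILETIME. The registry entries below are constructed to show the format, not taken from any real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def _entry(plain_name, count_plus_5, last_run):
    """Build one constructed UserAssist value: (ROT13 name, 16-byte data)."""
    data = struct.pack("<IIQ", 0, count_plus_5, datetime_to_filetime(last_run))
    return codecs.encode(plain_name, "rot13"), data


# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# as exported from an XP profile. The names are stored ROT13-encoded, so the
# string "timedate.cpl" never appears literally in the hive.
SAMPLE_USERASSIST = [
    _entry(r"UEME_RUNPATH:C:\Program Files\Internet Explorer\IEXPLORE.EXE", 17,
           datetime(2007, 4, 2, 9, 5, 0, tzinfo=timezone.utc)),
    _entry("UEME_RUNCPL:timedate.cpl", 7,
           datetime(2007, 3, 1, 18, 22, 30, tzinfo=timezone.utc)),
    _entry(r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe", 9,
           datetime(2007, 4, 1, 20, 40, 12, tzinfo=timezone.utc)),
]


def decode_userassist(entries):
    """Decode (rot13_name, data) pairs into readable records.

    On XP the stored counter is offset by 5, so a value that was run twice is
    stored as 7; the last-run FILETIME is whatever the system clock read at
    that moment, i.e. it is itself subject to the suspected clock change.
    """
    records = []
    for enc_name, data in entries:
        if len(data) != 16:
            continue  # other layouts (later Windows versions) are not handled here
        _session, count, ft = struct.unpack("<IIQ", data)
        records.append({
            "name": codecs.decode(enc_name, "rot13"),
            "run_count": count - 5,
            "last_run": filetime_to_datetime(ft),
        })
    return records


def find_timedate_cpl(entries=SAMPLE_USERASSIST):
    """Records showing the Date and Time Control Panel applet being opened."""
    return [r for r in decode_userassist(entries)
            if r["name"].lower().endswith("timedate.cpl")]


if __name__ == "__main__":
    for rec in find_timedate_cpl():
        print(f"{rec['name']}: opened {rec['run_count']} time(s), last at {rec['last_run']}")
```

The decoded hit proves the applet was opened and how often; its last-run stamp was written from the same clock that is under question, so it is best read together with the independent references other posts in the thread describe rather than on its own.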
I would check the Guidance Boards as well. There is a lot on there about date and time stamps, and there was a known problem on the interpretation of date and time stamps by, I think, one of the version 5's.