
System Time Change

5 Posts
5 Users
0 Reactions
2,087 Views
(@gehlen)
Eminent Member
Joined: 15 years ago
Posts: 35
Topic starter  

In Windows, if the system time was changed for manipulation, how can I detect that with EnCase? (Windows time settings, logs, etc.)


(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105

I'm not sure how to with EnCase, but something I came across in Brian Carrier's book under NTFS file system deconstruction (assuming it's NTFS): there is an MFT modified date for each file entry. Could be useful if comparing timestamps (there are really 7 timestamps in an MFT entry: 3 in $system_information and 3 in the $File_Name attrib + MFT MOD). Could be a place to start if no other way is possible.

Hope it helps.
Ryan

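The comparison Ryan describes, worked through as an added example (my code, not from the thread or from Brian Carrier's book): the $STANDARD_INFORMATION (SI) times are what SetFileTime-style tools rewrite, while the $FILE_NAME (FN) times are written by the kernel, so SI predating FN, or SI carrying a round second while FN does not, is worth a look. A second, cruder heuristic follows the thread's actual question: MFT entries are allocated roughly in order, so a file whose FN created time falls far below that of lower-numbered entries is consistent with the clock having been set back (or with entry reuse, which must be ruled out). The four MFT records are constructed by hand and do not come from any image.

```python
"""
Consistency checks over NTFS $STANDARD_INFORMATION (SI) and $FILE_NAME (FN)
timestamps.  Added example for this thread; the records below are constructed
by hand, not parsed from an image.
"""
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICKS_PER_SECOND = 10_000_000                        # FILETIME = 100 ns ticks


def filetime_to_dt(ft):
    """Decode a 64-bit FILETIME into an aware UTC datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Encode an aware datetime as a FILETIME (used to build sample data)."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def _stamps(created, modified=None, mft_modified=None, accessed=None):
    """Build the four-timestamp set of an SI or FN attribute (FILETIME ints)."""
    c = dt_to_filetime(created)
    return {
        "created": c,
        "modified": dt_to_filetime(modified) if modified is not None else c,
        "mft_modified": dt_to_filetime(mft_modified) if mft_modified is not None else c,
        "accessed": dt_to_filetime(accessed) if accessed is not None else c,
    }


def check_entry(rec):
    """Per-record findings: SI predating FN, or SI rounded to a whole second
    while FN is not, are classic signs that SI was rewritten."""
    findings = []
    si, fn = rec["si"], rec["fn"]
    for field in ("created", "modified"):
        if si[field] < fn[field]:
            findings.append(f"SI {field} predates FN {field}")
    if si["created"] % TICKS_PER_SECOND == 0 and fn["created"] % TICKS_PER_SECOND != 0:
        findings.append("SI created has zero sub-second part, FN does not")
    return findings


def check_sequence(records, tolerance=timedelta(hours=1)):
    """Heuristic: FN created time should not fall far below that of
    lower-numbered MFT entries.  A drop suggests the clock was set back
    (or a freed entry was reused, which needs to be verified)."""
    flagged = []
    high_water = None
    for rec in sorted(records, key=lambda r: r["entry"]):
        created = filetime_to_dt(rec["fn"]["created"])
        if high_water is not None and created < high_water - tolerance:
            flagged.append(rec["entry"])
        high_water = created if high_water is None else max(high_water, created)
    return flagged


# Constructed sample: four MFT entries from a fictional volume.
_T0 = datetime(2010, 12, 1, 9, 0, 0, 123456, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"entry": 40, "name": "notes.txt",
     "si": _stamps(_T0), "fn": _stamps(_T0)},
    # SI rewritten to a round, earlier time; FN untouched.
    {"entry": 41, "name": "report.docx",
     "si": _stamps(datetime(2009, 1, 1, tzinfo=timezone.utc)),
     "fn": _stamps(_T0 + timedelta(minutes=10))},
    # SI and FN agree, but both sit three days before entry 41.
    {"entry": 42, "name": "memo.txt",
     "si": _stamps(_T0 - timedelta(days=3)),
     "fn": _stamps(_T0 - timedelta(days=3))},
    {"entry": 43, "name": "later.txt",
     "si": _stamps(_T0 + timedelta(minutes=20)),
     "fn": _stamps(_T0 + timedelta(minutes=20))},
]


def find_anomalies(records=SAMPLE_RECORDS):
    """Map entry number -> list of findings (entries without findings omitted)."""
    result = {}
    for rec in records:
        findings = check_entry(rec)
        if findings:
            result[rec["entry"]] = findings
    for entry in check_sequence(records):
        result.setdefault(entry, []).append("FN created earlier than lower-numbered entries")
    return result


if __name__ == "__main__":
    for entry, findings in sorted(find_anomalies().items()):
        print(entry, findings)
```

On the sample, entry 41 is flagged on all three SI/FN checks and entry 42 only by the sequence heuristic; the latter is the pattern a clock rollback leaves behind when the attacker never touched the file times at all.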
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650

You need to do some log file analysis, as there are specific events which trigger logging when the system clock is changed. They have been posted here and elsewhere previously, so do a search.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158

In Windows, if the system time was changed for manipulation, how can I detect that with EnCase? (Windows time settings, logs, etc.)

You can't. You can't differentiate between someone changing time for manipulation, someone changing time by mistake, or Windows OS getting a bad time server and as a consequence getting a bad system time.

As far as I know, there's no way to press a magic pushbutton in EnCase to discover that system time has changed. As you haven't said which Windows you are talking about, I'm free to guess: you may find a system log entry (but only in Windows 2k; in WinXP it requires special logging policies), you may find anomalies in logs (where the order of log entries is wrong, or where there are unexplained gaps), and so on. In some environments (with AD, for example), system time can't change too much without causing problems, in which case you will find indication of it in the system logs of file servers and such (Kerberos assumes reasonably well synced clocks for authentication).

But it has nothing to do with EnCase; it's something you'll have to find more or less by hand. It is probably possible to write one or more EnScripts that check logs (or file system time stamps) for inconsistencies and flag them, but I can't think of any existing scripts.

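The two replies above point at the same two things: the events Windows writes when the clock is set, and the anomalies a clock change leaves in the ordering of the log itself. Here is that analysis as an added example (my code, not from either poster). The event IDs are not from this thread: 4616 ("The system time was changed", Security log on Vista/2008 and later), 520 (the XP/2003 equivalent, only present if "Audit system events" is enabled, which matches the policy caveat above) and Microsoft-Windows-Kernel-General ID 1 (System log, carries the old and new time in its message). The exported records are constructed; the pipe-separated format is just a stand-in for whatever your log export produces.

```python
"""
Find clock-change events and ordering anomalies in an exported Windows event
log.  Added example for this thread; the records below are constructed.
"""
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")

# (source, event ID) pairs that record a clock change.
TIME_CHANGE = {
    ("Microsoft-Windows-Security-Auditing", "4616"),   # Vista/2008+, Security log
    ("Security", "520"),                               # XP/2003, needs system event auditing
    ("Microsoft-Windows-Kernel-General", "1"),         # Vista+, System log
}

# Constructed sample export: record number | timestamp | source | event ID | message,
# in the order the log stores them.
SAMPLE_EVENTS = """\
1201|2010-12-03 08:15:02|Security|4624|An account was successfully logged on.
1202|2010-12-03 08:15:40|Service Control Manager|7036|The Print Spooler service entered the running state.
1203|2010-12-03 08:16:05|Microsoft-Windows-Security-Auditing|4616|The system time was changed. Previous Time: 2010-12-03 08:16:05 New Time: 2010-11-20 14:00:00
1204|2010-11-20 14:00:01|Microsoft-Windows-Kernel-General|1|The system time has changed to 2010-11-20T14:00:00 from 2010-12-03T08:16:05.
1205|2010-11-20 14:03:12|Security|4624|An account was successfully logged on.
1206|2010-11-22 09:00:00|Security|4634|An account was logged off.
1207|2010-11-21 08:00:00|Security|4624|An account was successfully logged on.
"""


def _parse_ts(text):
    return datetime.strptime(text.replace("T", " "), "%Y-%m-%d %H:%M:%S")


def parse_events(text):
    """Parse the pipe-separated export into dicts, keeping storage order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec, ts, source, event_id, message = line.split("|", 4)
        events.append({"record": int(rec), "time": _parse_ts(ts),
                       "source": source, "event_id": event_id, "message": message})
    return events


def time_change_events(events):
    """Return (record, delta_seconds) for each clock-change event; a negative
    delta means the clock was set backwards."""
    out = []
    for ev in events:
        if (ev["source"], ev["event_id"]) not in TIME_CHANGE:
            continue
        stamps = TS_RE.findall(ev["message"])
        if len(stamps) != 2:
            continue
        a, b = (_parse_ts(s) for s in stamps)
        # 4616/520 list Previous then New; Kernel-General ID 1 lists New then Previous.
        prev, new = (a, b) if ev["event_id"] != "1" else (b, a)
        out.append((ev["record"], int((new - prev).total_seconds())))
    return out


def sequence_anomalies(events, max_gap=timedelta(hours=24)):
    """Walk records in storage order; flag timestamps that go backwards or
    jump forward by more than max_gap."""
    out = []
    for prev, cur in zip(events, events[1:]):
        if cur["time"] < prev["time"]:
            out.append((cur["record"], "backward"))
        elif cur["time"] - prev["time"] > max_gap:
            out.append((cur["record"], "gap"))
    return out


def unexplained_jumps(events, window=2):
    """Backward jumps with no clock-change event within the preceding
    `window` records: the ones that need an explanation (tampered log,
    bad time source, ...)."""
    changes = {rec for rec, _ in time_change_events(events)}
    index = {ev["record"]: i for i, ev in enumerate(events)}
    result = []
    for rec, kind in sequence_anomalies(events):
        if kind != "backward":
            continue
        i = index[rec]
        nearby = {ev["record"] for ev in events[max(0, i - window):i + 1]}
        if not nearby & changes:
            result.append(rec)
    return result


EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    print("clock changes:", time_change_events(EVENTS))
    print("ordering anomalies:", sequence_anomalies(EVENTS))
    print("unexplained backward jumps:", unexplained_jumps(EVENTS))
```

On the sample, records 1203 and 1204 both report the clock being set back by 1,102,565 seconds, so the backward jump at 1204 is explained by them; the jump at 1207 has no such event near it and is the one an examiner would chase. As the poster says, none of this tells you why the clock moved, only that it did.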
(@michalwrp)
Active Member
Joined: 16 years ago
Posts: 16

There is another simple method to detect System Time Manipulation.

It is based on examining Registry UserAssist keys. If the Control Panel Date & Time application (timedate.cpl) was run, there will be information about it.

I have found helpful EnCase EnScripts by Lance Mueller here: http://www.forensickb.com/2007/07/userassist-registy-keys.html

Or you can read more on how to do it manually on my blog: http://www.forensics-research.com/index.php/2010/12/how-to-detect-system-time-manipulation/

Hope this helps…

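The manual version of the UserAssist check, as an added example (my code, not Lance Mueller's EnScript and not from the blog linked above). It assumes the value layouts I know from the XP and Windows 7 UserAssist\...\Count keys: value names are ROT13-encoded; XP data is 16 bytes (session id, run count starting at 5, FILETIME), Windows 7 data is 72 bytes with the run count at offset 4 and the last-run FILETIME at offset 60. The registry entries are constructed, not read from a hive; the Windows 7 name uses the System32 known-folder GUID {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} because that is how Windows 7 records paths there.

```python
"""
Decode UserAssist entries and report runs of the Date and Time applet
(timedate.cpl).  Added example for this thread; the registry entries below
are constructed, not read from a hive.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
_UTC = timezone.utc


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Aware datetime -> FILETIME (used to build the sample data)."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(raw_name):
    """UserAssist value names are stored ROT13-encoded."""
    return codecs.decode(raw_name, "rot_13")


def parse_value(data):
    """Return (run_count, last_run_filetime) from a UserAssist value blob.

    XP/2003 (16 bytes): session id (4) | run count (4) | FILETIME (8);
        the stored count starts at 5, so 5 means "never run".
    Vista/7+ (72 bytes): unknown (4) | run count (4) | focus count (4) |
        focus time ms (4) | 44 bytes | FILETIME (8) | 4 bytes.
    """
    if len(data) == 16:
        count, ft = struct.unpack_from("<IQ", data, 4)
        return max(count - 5, 0), ft
    if len(data) == 72:
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
        return count, ft
    raise ValueError(f"unrecognised UserAssist value length {len(data)}")


def find_applet_runs(entries, applet="timedate.cpl"):
    """entries: iterable of (raw_value_name, data) taken from the Count keys.
    Returns decoded name, run count and last-run time for matching entries."""
    hits = []
    for raw_name, data in entries:
        name = decode_name(raw_name)
        if not name.lower().endswith(applet):
            continue
        runs, ft = parse_value(data)
        hits.append({"name": name, "runs": runs,
                     "last_run": filetime_to_dt(ft).isoformat() if ft else None})
    return hits


# Builders for constructed sample values (layouts as documented in parse_value).
def _xp_value(runs, last_run):
    return struct.pack("<IIQ", 1, runs + 5, dt_to_filetime(last_run))


def _win7_value(runs, last_run):
    return (struct.pack("<IIII", 0, runs, 1, 5000) + b"\x00" * 44
            + struct.pack("<Q", dt_to_filetime(last_run)) + b"\x00" * 4)


SAMPLE_ENTRIES = [
    # XP-style name: ROT13 of UEME_RUNPATH:C:\WINDOWS\system32\timedate.cpl
    (r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\gvzrqngr.pcy",
     _xp_value(3, datetime(2010, 12, 1, 10, 5, tzinfo=_UTC))),
    # Control entry: notepad.exe, should not match
    (r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr",
     _xp_value(7, datetime(2010, 12, 1, 9, 0, tzinfo=_UTC))),
    # Windows 7 style name (known-folder GUID for System32); encoded here
    # with codecs rather than typed out by hand
    (codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\timedate.cpl", "rot_13"),
     _win7_value(2, datetime(2010, 12, 2, 18, 30, tzinfo=_UTC))),
]

APPLET_HITS = find_applet_runs(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for hit in APPLET_HITS:
        print(hit)
```

The last-run time is itself a system clock value, so on a machine whose clock was moved it has to be read together with the surrounding evidence rather than on its own; what the entry proves is that the applet was opened and how many times.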