My employee's timesheet software (which started automatically on system boot up) shows she started at 10.45am. She denies this and points to an email she sent me timestamped 8.59am. I think she changed the time on the clock when she logged in and sent an email to try and show she has started at the proper time.
Is there any way I can tell whether the clock was adjusted?
She is being fired anyway…but proof of this would allow me to get rid of her immediately and not after 4 weeks' notice.
Email has time stamps added by the mail server that should be correct regardless of whether the sender or receiver had an incorrect date/time on their local computer. How you display those time stamps depends on your particular email software.
Additionally, it is possible under certain circumstances to prove that the clock on a particular computer had been tampered with.
Check for event 520 in the security event logs. If you have any auditing on, that will log time changes.
Thanks for the replies…I have run a test on the computer and for some reason the email does display the altered time within the body of the email. The delivery time is correct, irrespective of the time on the local computer. I just need to try and get some proof ..
I think what Patrick4n6 meant was to have a look at the header of the email - not body. This means you will have to look at the source of the email. Under the section Received you will see the timestamp of your email server, normally you trust your email server in that regard. This however only states when your server received it not when the other sent it (if it comes from a slow one). This however can be irrelevant if both your email accounts are on the same server (internal company one).
Now that's probably the rub…I was looking in the header and yes it is the same server…
Is there any way I can tell whether the clock was adjusted?
All of the other suggestions aside, there are some easy ways to see if this is the case, particularly on Windows systems.
- Go into the UserAssist keys in the user's NTUSER.DAT and see if there's access to timedate.cpl…this is the Control Panel applet for the Date and Time settings, accessible through the Task Bar.
- Use something (like evtparse.pl) to parse event records from the Event Log, and sort them based on event record number. The numbers should be sequential, as should the time stamps (generated time). If enough time has elapsed and this is an XP system, you can also do this with Restore Points.
- As suggested, look for the event ID 520 in the Event Log.
HTH
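The record-number check from the post above, as an added example that is not part of the original thread and is not evtparse.pl: it scans raw XP-era .evt bytes for records, sorts them by record number, and reports where the generated time runs backwards. It assumes the classic EVENTLOGRECORD fixed header layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

MAGIC = b"LfLe"                    # signature carried by every record
HEAD = struct.Struct("<I4sIIII")   # Length, magic, RecordNumber, TimeGenerated, TimeWritten, EventID
FULL = struct.Struct("<I4sIIIIHHHHIIIIII")  # whole 56-byte fixed header

def parse_records(blob):
    """Scan raw .evt bytes for records; return (record_no, generated, event_id) tuples."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        start = pos - 4            # the Length DWORD precedes the magic
        if start >= 0 and start + HEAD.size <= len(blob):
            length, _, rec, gen, _written, eid = HEAD.unpack_from(blob, start)
            if length >= FULL.size:    # skips the 0x30-byte file header, same magic
                found.append((rec, gen, eid & 0xFFFF))
        pos = blob.find(MAGIC, pos + 4)
    return found

def find_rollbacks(records):
    """Sort by record number and return neighbouring pairs whose time goes backwards."""
    ordered = sorted(records)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b[1] < a[1]]

def time_change_events(records, event_id=520):
    """Records carrying the event ID named in the thread (520)."""
    return [r for r in sorted(records) if r[2] == event_id]

def _record(rec, gen, eid):
    """Constructed minimal record: fixed header, no strings/SID/data, trailing length."""
    size = FULL.size + 4
    return FULL.pack(size, MAGIC, rec, gen, gen, eid, 8, 0, 0, 0, 0,
                     FULL.size, 0, FULL.size, 0, FULL.size) + struct.pack("<I", size)

# Constructed sample, not taken from any real system. T0 stands for 10:45:00.
T0 = 1_200_000_000
SAMPLE = struct.pack("<I4s", 0x30, MAGIC) + b"\0" * 40 + b"".join([
    _record(101, T0, 528),
    _record(102, T0 + 70, 528),
    _record(103, T0 - 6420, 520),    # 08:58:00, clock moved back
    _record(104, T0 - 6330, 592),    # 08:59:30
    _record(105, T0 + 300, 520),     # clock restored
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for before, after in find_rollbacks(recs):
        print(f"record {after[0]} is {before[1] - after[1]} s earlier than record {before[0]}")
    print("event 520 in records:", [r[0] for r in time_change_events(recs)])
```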
Yikes…. a girl turned up to work 1hr 45 mins late and she's got the weight of the computer forensics community bearing down on her. I mean, there are times computer forensics is so important in solving the time discrepancy of a suspect's movements but wow… being late for work? Just sayin…
Hi Jykell
Thanks for your post….this is only one of a number of issues I am dealing with in relation to this particular employee. Sole charge in the office on a day when we are on deadline for a major project….I don't mind people being late but when they lie to cover up and bill me for 40 hours when they have worked about 20 I need to do something about it or I will be bankrupt pretty soon….
Yikes…. a girl turned up to work 1hr 45 mins late and she's got the weight of the computer forensics community bearing down on her. I mean, there are times computer forensics is so important in solving the time discrepancy of a suspect's movements but wow… being late for work? Just sayin…
Even before reading the OP's reply I would not have a problem using whatever tools I had to get to the truth. Being late is not the issue, lying about it is (certainly would be for me). If an employee lies about something as seemingly insignificant as being late for work, what would this employee not lie about? Honesty, integrity, professionalism and accountability are but some of the virtues that every good employee -has- to have.. if you make a mistake, accept responsibility and move on, but to change the time/date on your system to "prove" deceit? ..that is more than just a simple lie.