Verifying date/time settings when BIOS is inaccessible
What alternative methods have you used to prove/disprove that the date and time settings of the suspect machine are accurate? I need to evidence some internet history between some dates, so it relies heavily on the date and time settings.
I have tried using Initialise Case Processor in EnCase, but for some reason it won't run; the progress bar (bottom right) fills quickly and nothing happens.
Any advice would be greatly appreciated.
I have a not-so-technical suggestion.
I have heard that someone has previously used a custom Google logo, such as one to commemorate a famous person's birthday or a national holiday. By finding out from Google when this logo was originally uploaded they could prove that it could not have appeared on the machine before then. A tenuous link, I know, and of course it is unlikely to give you an accurate result time-wise.
Otherwise, if there are any news items in the cache, say from the MSN homepage or BBC or whatever, you may be able to check the date from them.
What do you mean that the BIOS is inaccessible? Is it password protected, do you not know the access sequence, or is it faulty?
At any rate, whenever I can't access the BIOS of a system, I boot it with a Linux CD to check the system clock.
Are you saying you only have the HDD image as evidence?
You may have the time and date the computer was seized, the time and date of the last accessed files, whether the computer was set to synch with an Internet Clock or Domain Clock (and then make sure it is connected to the Internet or Domain as necessary), last shutdown time (sometimes), last log on time, registry entries for time zones etc. You cannot prove it is accurate but you may be able to say there is no known reason to doubt the accuracy.
Look through the web pages in the cache; there are invariably pages in there that contain embedded dates which can be compared to the created time of the web page in the cache.
There are sometimes web pages whose name or path includes a Unix time stamp; the old example of this was Hotmail web pages.
It might be possible to look at email headers for incoming emails. I had one case where I had to prove the accuracy of the clock and found a visit to a web page in a cache which was to register for some site, followed by the receipt of the email confirming the registration with a link to click in the email. There was enough information between the internet history and the email headers to get a reasonable measure of how accurate the clock was.
My suggestion won't be of much help if you are looking into very old dates, but just to check if the "current" date and time are right, it would be useful to know when the computer was last used, and check it against the NTUser MAC times.
This might help. Whilst checking the RTC of the machine should be done in every case, remember that really that time is only valid for the time you checked it; you can often be unable to state the accuracy of the RTC at any given point in the past. A little trick I use often to verify the time/date at a certain point in time is to look for any files around the time I need that might contain an external time stamp, most obviously from an Internet server. Google cookies are excellent for this as they contain a UNIX time stamp [from a Google server] which can be decoded and compared with the file created time/date [from the local machine]. You can often find a UNIX time stamp in cookies and sometimes embedded in web pages.
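As an added worked example (not from any poster in this thread), the comparison the last two replies describe: decode the Unix time stamp a server wrote into a cookie value or a cached page's path, or the Date header of a confirmation e-mail, subtract the local file created time, and check whether the independent sources agree on the clock offset. All artifact values below are constructed; the Google-style "TM=" cookie field and the cached path are hypothetical samples, not data from a real case.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc
# A 10-digit Unix time in seconds that is not part of a longer digit run (covers 2001 to 2286).
EPOCH_RE = re.compile(r"(?<!\d)(1\d{9})(?!\d)")

def epoch_in_text(text):
    """First 10-digit Unix time stamp in a cookie value, URL or file name, as UTC; None if absent."""
    m = EPOCH_RE.search(text)
    return datetime.fromtimestamp(int(m.group(1)), tz=UTC) if m else None

def header_date(header_line):
    """Date: (or Received:/Last-Modified:) header from a cached page or e-mail, as an aware datetime."""
    return parsedate_to_datetime(header_line.split(":", 1)[1].strip())

def clock_offsets(artifacts):
    """local_created - server_time in seconds per artifact (positive = suspect clock ran ahead);
    artifacts whose external reference could not be decoded are left out rather than guessed."""
    return [(label, (local - server).total_seconds())
            for label, local, server in artifacts if server is not None]

def assess(offsets, tolerance_s=300):
    """Median offset and whether the independent sources agree within tolerance."""
    vals = sorted(o for _, o in offsets)
    median = vals[len(vals) // 2]
    spread = vals[-1] - vals[0]
    return {"median_offset_s": median, "spread_s": spread, "consistent": spread <= tolerance_s}

# Constructed sample artifacts (hypothetical values, not from any real case).
# Each tuple: label, file created time read from the suspect image, server-originated time.
t_cookie = datetime(2008, 5, 26, 11, 10, 0, tzinfo=UTC)
cookie = f"PREF=ID=abc123:TM={int(t_cookie.timestamp())}:LM=0"        # Google-style cookie value
t_url = datetime(2008, 5, 26, 14, 2, 30, tzinfo=UTC)
cached_path = f"Content.IE5/XYZ/inbox[{int(t_url.timestamp())}].htm"   # epoch in a cached page's path
email_hdr = "Date: Mon, 26 May 2008 16:45:00 +0000"                   # registration confirmation mail
no_stamp = "SID=opaque-session-value"                                 # cookie with no time stamp
ARTIFACTS = [
    ("google cookie", t_cookie + timedelta(seconds=120), epoch_in_text(cookie)),
    ("cached page path", t_url + timedelta(seconds=95), epoch_in_text(cached_path)),
    ("registration mail", header_date(email_hdr) + timedelta(seconds=130), header_date(email_hdr)),
    ("session cookie", t_cookie + timedelta(seconds=500), epoch_in_text(no_stamp)),  # skipped
]
if __name__ == "__main__":
    offsets = clock_offsets(ARTIFACTS)
    for label, off in offsets:
        print(f"{label:18s} local - server = {off:+.0f} s")
    print(assess(offsets))  # median +120 s, spread 35 s, consistent
```

A consistent offset across several unrelated servers supports the claim that the clock was steadily ahead (or behind) by that amount at the time; a large spread means one of the sources is not a server time stamp and should be dropped.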