I have a Win XP machine in a corporate environment with a large gap in multiple event logs (System, Application, etc.).
In the System log, there is a gap from 6/28/2013 until this morning, 7/2/2013 at 6:30 AM, when the user rebooted the system due to "a bunch of errors on screen". That is as specific as I could pry out of the end user.
The Application log is similar, with the exception that it DOES have entries on 7/1.
The user has been doing a complete shutdown for the last couple of weeks because of a seemingly unrelated issue where the machine was BSOD-ing every few weeks, but it did not last night. The BSOD issue was related to a faulty driver and seems unrelated.
I am curious as to …
a) innocent explanations for the gap. The laptop has not left the desk and the chances of the end user stopping or turning off the Event Log service are near zero.
b) detection of tampering.
System restore is not on.
This probably is not applicable, but the only time I've seen large gaps in the event logs was when a client protection system, like Deep Freeze, was in use.
All changes to the file system are cached and then, when the system is restarted, wiped. In effect, you have a new system every time you start up.
If I had the investigation, I'd create a timeline of system activity and focus on what was occurring just prior to and at the beginning of the BSODs…
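An added illustration of both the detection question above (b) and the timeline suggestion in this answer; it is example code written for this page, not something from the question or any of the answers. It walks a sorted list of event records, reports every silence longer than a threshold, and classifies each gap by what brackets it: on Windows XP the Event Log service writes 6006 when it is stopped at a clean shutdown and 6005 (together with 6009) when it starts at boot, so a gap that begins with a 6006 and ends with a 6005/6009 is ordinary downtime, while a gap with no stop event before it deserves a closer look. It also lists Security log event 517 (audit log cleared). The records below are constructed to mirror the dates in the question; with a real machine you would export the log from Event Viewer and load it into the same (timestamp, source, id, message) tuples.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows XP System log entries:
# (timestamp, source, event id, message). Dates mirror the question;
# the individual entries are invented for this example.
SAMPLE_LOG = [
    ("2013-06-28 08:01:10", "EventLog", 6005, "The Event log service was started."),
    ("2013-06-28 08:01:10", "EventLog", 6009, "Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free."),
    ("2013-06-28 17:32:05", "Service Control Manager", 7036, "The Print Spooler service entered the running state."),
    ("2013-06-28 17:45:00", "EventLog", 6006, "The Event log service was stopped."),
    # nothing between 6/28 17:45 and 7/2 06:30 -- the gap from the question
    ("2013-07-02 06:30:12", "EventLog", 6005, "The Event log service was started."),
    ("2013-07-02 06:30:12", "EventLog", 6009, "Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free."),
    ("2013-07-02 06:31:00", "Service Control Manager", 7036, "The Print Spooler service entered the running state."),
]

EVENTLOG_STARTED = 6005   # XP System log: Event Log service started (written at boot)
EVENTLOG_STOPPED = 6006   # XP System log: Event Log service stopped (clean shutdown)
OS_BOOT_BANNER = 6009     # XP System log: OS version banner, also written at boot
AUDIT_LOG_CLEARED = 517   # XP Security log: "The audit log was cleared"


def parse(records):
    """Turn (str, src, id, msg) tuples into (datetime, src, id, msg), sorted by time."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, eid, msg)
        for ts, src, eid, msg in records
    )


def find_gaps(records, min_gap=timedelta(hours=12)):
    """Return one finding per silence longer than min_gap, with a verdict
    based on the events immediately before and after the silence."""
    events = parse(records)
    findings = []
    for prev, nxt in zip(events, events[1:]):
        gap = nxt[0] - prev[0]
        if gap < min_gap:
            continue
        clean_stop = prev[2] == EVENTLOG_STOPPED
        boot_after = nxt[2] in (EVENTLOG_STARTED, OS_BOOT_BANNER)
        if clean_stop and boot_after:
            verdict = "explained"      # logging stopped at shutdown, resumed at boot
        elif boot_after:
            verdict = "suspicious"     # resumed at boot, but no 6006 before the gap:
                                       # crash, power loss, service stopped, or log edited
        else:
            verdict = "suspicious"     # silence with no stop/start around it at all
        findings.append({
            "start": prev[0],
            "end": nxt[0],
            "hours": round(gap.total_seconds() / 3600, 1),
            "before": prev[2],
            "after": nxt[2],
            "verdict": verdict,
        })
    return findings


def cleared_log_events(records):
    """Security log entries recording that the audit log was cleared."""
    return [e for e in parse(records) if e[2] == AUDIT_LOG_CLEARED]


if __name__ == "__main__":
    for f in find_gaps(SAMPLE_LOG):
        print(f"{f['start']} -> {f['end']} ({f['hours']} h): "
              f"before={f['before']} after={f['after']} {f['verdict']}")
    print("log-cleared events:", cleared_log_events(SAMPLE_LOG))
```

Run against the constructed records the script reports one 84.8-hour gap bracketed by 6006 and 6005, i.e. the machine was simply off; delete the 6006 line and the same gap is reported as suspicious because logging stopped without a recorded shutdown. Running the same pass over the Application and Security logs, and lining the gaps up next to each other, is the timeline this answer suggests.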
From looking at the minidump files, the BSODs were related to the HP 3D DriveGuard software. Specifically, C:\Windows\System32\drivers\accelerometer.sys. I removed and reinstalled that software.