Sorry if this is a stupid question but i'm confused…..
I'm currently analysing the security event log of a workstation here in the UK and have noticed that the time shown on the event log appears to be 1 hour behind GMT (Greenwich Mean Time) although the date and the time on the workstation appears to be correct.
The workstation is connected to our corporate network and therefore I would expect the domain controller to ensure that all authenticated workstations to have the network date and time or am I missing something?
?
What are you viewing the event log in…which application?
Windows systems usually contact a time server for their synchronization…have you seen such entries? Look for W32Time events…
Hi Keydet89,
Thank you for your response; I'm currently using EV Event Log Viewer 0.65 which enables you to select the event codes you wish search for and provides an extract for upload into a Excel Spreadsheet.
I will look for the W32Time to see if they help explain the difference.
Kind regards
Richard
One thing to be aware of is that viewers often show times based on their own settings, not the settings from the system being examined.
Event Logs have 32-bit Unix epoch times for their TimeGenerated and TimeWritten fields. So, the time themselves should be in relation to what the system thought was GMT/UTC time.
Perhaps the issue isn't the actual time of the event, but how the viewer you're using is displaying that time.
Thank you keydet89, that was very helpful and may well explain the difference. I will try and view the logs through another utility and compare the output.
Many thanks
Richard
The book, "Windows Forensic Analysis, 2/e" (I'm the author) addresses the use of open source tools for doing this.
The code for the third edition of that book is available here
http//
The tool you'd want to use is in ch7 of the archive…it's called "evtparse".
HTH.
Hi HTH,
Thank you very much, I have since your last posting downloaded a different viewer and can confirm that the time is now correct and illistrates the problem of using some free tools.
I will take you advice and purchase a copy of the software you had suggested and obtain a copy of your book. I'm very grateful to you for taking the time to respond and for your valuable advise, thank you so much.
Kind regards
Richard
Thank you very much, I have since your last posting downloaded a different viewer and can confirm that the time is now correct and illistrates the problem of using some free tools.
There isn't a problem with using free tools, one simply has to know what the tools are doing. The display of time values is an issue that has presented itself with commercial tools, as well.
I will take you advice and purchase a copy of the software you had suggested and obtain a copy of your book. I'm very grateful to you for taking the time to respond and for your valuable advise, thank you so much.
Well, I didn't recommend that you purchase any software…I offered you access to free and open source software…
Which different viewer did you download, and did you email the author of the software which indicated an incorrect time to see if it's a bug?
Hi HTH,
Thank you very much, I have since your last posting downloaded a different viewer and can confirm that the time is now correct and illistrates the problem of using some free tools.
I will take you advice and purchase a copy of the software you had suggested and obtain a copy of your book. I'm very grateful to you for taking the time to respond and for your valuable advise, thank you so much.
Kind regards
Richard