Detecting CMOS Clock Changes

The document discusses techniques for detecting if someone has changed a computer's system clock in order to cover up illicit activity. It describes how event logs, link files, restore points, and timestamps on web pages can be used to identify discrepancies that indicate the clock was altered. Event logs, link files, and restore points contain time-ordered metadata that would appear out of sequence if the clock was changed. Web pages also contain timestamps that could reveal clock changes. Analyzing these sources can show if the system clock remained consistent or was manipulated.

Posted on January 15, 2011 by Lee Whitfield in Technical Articles.
During my short career in digital forensics I have seen and heard a number of defences. One that I have seen emerge a number of times is the claim that one of the parties has been ‘framed’ or ‘set-up’ by someone who changed the system clock, did some nefarious deed, and then set the clock back to the correct time.

If, for example, someone did this on my computer and browsed to some inappropriate website, all the internet history records and cached files would reflect the changed time. To the casual observer, a judge, or a jury it may look like I was responsible. Even a seasoned forensic investigator may be fooled into believing that it was I that did the deed. Without digging deeper each of us could be fooled by such trickery.

Depending on your position, how would you support or dismiss such a claim? I’ve given this a bit of thought recently and come up with a few ideas.

Event Logs

These are superb resources for many reasons, but we’re going to focus specifically on the time stamps for the entries.

Event logs in Windows XP have a default size of 512KB. In both Vista and Windows 7 the default size of event logs is 20MB. In either circumstance the logs act the same way: they fill up in order of events. Once the log is full it goes back to the beginning, implementing a first-in-first-out overwriting process of old records.

So, what would you expect to see if the system clock had been changed?

Depending on the software and services running on the computer, the event logs could generate hundreds of entries every day. This means that we should be able to easily identify any discrepancies in the logs. As the logs are written in order of occurrence, we should be able to tell if the system clock has been changed by parsing the event logs themselves and ordering them by file offset. If the dates suddenly jump backwards and then forwards again it is a good indication that the system clock has been changed. Conversely, if you see no such activity it is a good indication that the system clock has not been changed.

If someone changed the system clock from inside Windows (in Vista and Windows 7) then the clock change is also recorded in the event log as event ID 1. Such entries will appear as follows:

The system time has changed to 01/01/2011 08:51:43 from 15/01/2011 08:51:43.

Link Files

If files were accessed or created during a suspected changing of the system clock then evidence may also be found in the link files on the computer.

Harry Parsonage has done a lot of work on link files. As part of his research he has found that link files contain a sequence value. This value is incremented when the operating system is started/restarted. This means that all link files from a single session will retain the same sequence value; when the computer is rebooted the sequence value increases.

If the computer clock has not been changed then parsing the link files and ordering them by their sequence value should also mean that the links are in date order. If, in ordering the link files by sequence value, we see that the dates do not align it is fair to say that the system clock has been changed.

More information on Harry’s research can be found here:

http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf

EDIT: After speaking to Harry I need to make a small correction. It appears as if the sequence value is only consecutive in XP. Apparently they were changed in Vista and Windows 7.

Restore Points

Since Windows XP, restore points have been used by Microsoft. They have changed somewhat since being introduced but they essentially serve the same purpose. In each version of Windows the restore points are stored in the folder “System Volume Information”.

In XP the restore points are named incrementally. Each restore point will be contained in a folder with a naming convention of “RP##” where “##” is the incremental restore point number. If a restore point was created during a clock change there will be anomalies. What an analyst would see is ordered restore points but, when looking at the “RP” folders in order of creation dates, the incremental numbers would not match up. If this is the case then it is likely that the system clock has been changed.

The same thing goes for Vista and Windows 7. Although the restore points (shadow volumes or difference files) are different, the same principles would apply. If a restore point was created during a clock change the order of the shadow volumes would be changed. The file named {3808876b-c176-4e48-b7ae-04046e6cc752} is an index of shadow volumes and is kept in order of creation, meaning that the most recent shadow volume will be last in the file. Each of these is recorded with the creation time of the difference file, so an analyst could simply look at the creation times of the difference files and, if any are out of order, it is evidence that the system clock has been changed.
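The check described for event logs (ordered by file offset), XP link files (ordered by sequence value) and XP restore points (ordered by RP number) is the same test each time: sort the records by a counter the clock cannot influence, then see whether the claimed times still run forward. The following Python is an added example and not code from the original article or from Harry Parsonage's research; the record lists, offsets and sequence values are constructed, and the event ID 1 parser assumes the exact message wording quoted in the Event Logs section.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Day/month/year, matching the event text quoted in the article.
TIME_FMT = "%d/%m/%Y %H:%M:%S"


def parse_ts(text: str) -> datetime:
    """Parse a timestamp written in the article's dd/mm/yyyy form."""
    return datetime.strptime(text, TIME_FMT)


# Constructed sample records (not real evidence): (sequence, claimed timestamp).
# The sequence is whatever orders records independently of the clock: the byte
# offset of a record in an .evt/.evtx file, the per-boot sequence value of an
# XP .lnk file, or the number in an XP "RP##" restore point folder name.
EVENT_LOG_RECORDS: List[Tuple[int, str]] = [
    (0x0030, "15/01/2011 08:40:00"),
    (0x0120, "15/01/2011 08:45:10"),
    (0x0210, "15/01/2011 08:51:43"),
    (0x0300, "01/01/2011 08:51:50"),  # clock set back two weeks
    (0x03F0, "01/01/2011 09:10:02"),
    (0x04E0, "15/01/2011 09:30:15"),  # clock restored
    (0x05D0, "15/01/2011 09:31:00"),
]

# XP link files: every link from one boot session shares a sequence value.
XP_LINK_RECORDS: List[Tuple[int, str]] = [
    (7, "14/01/2011 18:30:45"),
    (7, "14/01/2011 18:02:11"),
    (8, "01/01/2011 09:20:30"),  # session after the clock was set back
    (8, "01/01/2011 09:05:00"),
    (9, "15/01/2011 10:00:00"),
]

CONSISTENT_RECORDS: List[Tuple[int, str]] = [
    (0x0030, "15/01/2011 08:40:00"),
    (0x0120, "15/01/2011 08:45:10"),
    (0x0210, "15/01/2011 08:51:43"),
]


def find_clock_anomalies(records: Iterable[Tuple[int, str]],
                         forward_gap: timedelta = timedelta(days=1)) -> List[Dict]:
    """Order records by sequence and report where the claimed time runs backwards
    (strong signal) or jumps forward by more than forward_gap (weak signal: the
    machine may simply have been switched off). Records sharing a sequence value
    (one .lnk session) are treated as a block: its earliest time must not precede
    the latest time of the previous block."""
    sessions: Dict[int, List[datetime]] = {}
    for seq, text in records:
        sessions.setdefault(seq, []).append(parse_ts(text))
    anomalies: List[Dict] = []
    keys = sorted(sessions)
    for prev_seq, seq in zip(keys, keys[1:]):
        delta = min(sessions[seq]) - max(sessions[prev_seq])
        if delta < timedelta(0):
            anomalies.append({"kind": "backward", "sequence": seq, "delta": delta})
        elif delta > forward_gap:
            anomalies.append({"kind": "forward", "sequence": seq, "delta": delta})
    return anomalies


# Vista/7 event ID 1 message, in the wording quoted in the article.
TIME_CHANGE_RE = re.compile(
    r"The system time has changed to (?P<new>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"from (?P<old>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\."
)


def parse_time_change(message: str) -> Optional[Dict]:
    """Extract the old and new time, and the adjustment applied, from an event ID 1 message."""
    m = TIME_CHANGE_RE.search(message)
    if m is None:
        return None
    old, new = parse_ts(m["old"]), parse_ts(m["new"])
    return {"old": old, "new": new, "delta": new - old}


if __name__ == "__main__":
    for name, recs in [("event log", EVENT_LOG_RECORDS),
                       ("XP link files", XP_LINK_RECORDS),
                       ("consistent log", CONSISTENT_RECORDS)]:
        print(name, find_clock_anomalies(recs) or "no anomalies")
    print(parse_time_change(
        "The system time has changed to 01/01/2011 08:51:43 from 15/01/2011 08:51:43."))
```

A backward step is the signal worth reporting; a forward gap on its own is consistent with the machine simply being powered off for a while, which is why it is flagged separately and with a threshold. Grouping records by sequence value is what makes the same routine work for XP link files, where every link from one session carries the same value and only the order between sessions is meaningful.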

HTML

A number of web pages include date and time stamps. The most obvious of these are forums, but time stamps are also found in web-based email, blog entries, Facebook, Twitter, and so on. Each of these would provide a clear indication of clock adjustment when looking at the creation and download dates of the data.
Others

Each of these provides a very systematic method for detecting clock manipulation, but there are other ways of detecting such things. For example, a prefetch file may contain information about accessing specific files that may not have existed on the computer at the changed time, an email message header will contain information about the date and time sent, HTTP response headers also have time information taken from the web server, etc.
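The HTML and Others sections share one idea: a cached page, an HTTP response or an email carries a time stamped by a remote server, and that stamp can be set against the local file-system time of the file holding it. The Python below is an added example, not part of the original article; the cached response, the email and the file creation times are constructed, the file times are taken to be in UTC (which is how NTFS stores them), and the 15-minute tolerance is an arbitrary choice. Site-specific time stamps inside forum pages would need a parser for that site's markup and are not covered here.

```python
from datetime import datetime, timedelta, timezone
from email.parser import Parser
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Constructed artefacts (not from any real case). Header dates are what the
# remote server or mail relay stamped; they do not depend on the local clock.
CACHED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 15 Jan 2011 08:52:01 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>cached page body</body></html>"
)
EMAIL_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    "Date: Sat, 15 Jan 2011 09:14:27 +0000\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "message body\r\n"
)

# Local file-system creation times of the cache file and the stored message,
# in UTC. Constructed: the cache file was written while the clock was set back
# two weeks; the mail file was written while the clock was correct.
CACHE_FILE_CREATED = datetime(2011, 1, 1, 8, 52, 5, tzinfo=timezone.utc)
MAIL_FILE_CREATED = datetime(2011, 1, 15, 9, 14, 40, tzinfo=timezone.utc)


def http_date(raw_response: str) -> Optional[datetime]:
    """Return the Date header of a raw HTTP response as an aware datetime."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip())
    return None


def email_date(raw_message: str) -> Optional[datetime]:
    """Return the Date header of an RFC 5322 message as an aware datetime."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    return parsedate_to_datetime(msg["Date"]) if msg["Date"] else None


def clock_skew(local_utc: datetime, remote: datetime,
               tolerance: timedelta = timedelta(minutes=15)) -> Dict:
    """Compare a local file time against the server-side time found inside the file.
    skew = local - remote; a large negative skew means the local clock claimed an
    earlier time than the server did, which is what a set-back clock produces."""
    skew = local_utc - remote.astimezone(timezone.utc)
    return {"skew": skew, "suspicious": abs(skew) > tolerance}


if __name__ == "__main__":
    print("cache file:", clock_skew(CACHE_FILE_CREATED, http_date(CACHED_RESPONSE)))
    print("mail file: ", clock_skew(MAIL_FILE_CREATED, email_date(EMAIL_MESSAGE)))
```

The tolerance absorbs ordinary drift and transit delay; what matters is the sign and size of the skew across many files, since a single mis-set server would produce a consistent offset for one host only, whereas a local clock change shifts every artefact written in that window.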
Summing Up

If someone claims that the system clock has been changed we can provide substantial evidence supporting or refuting such claims. It may well be the case that a computer clock has been changed, but it is then up to us to provide evidence to support our claims and not just suggest that it may have happened.

Do you have any other methods for detecting clock changes? Please feel free to add them in the comments.

7 Responses so far.

Francesco says:

January 15, 2011 at 4:18 pm

Thank you, this is a great article!

Reply

Rob Lee says:

January 15, 2011 at 6:43 pm

I’d also add that the UserAssist will also pick up if the clock is changed using the GUI via the control panel applet. Good article Lee. Well worth the read and appreciate the research.

Reply

Lee Whitfield says:

January 16, 2011 at 6:55 pm

Thanks Rob.

Reply

Joe Garcia says:

January 18, 2011 at 4:12 pm

Great article Lee! Look forward to more articles like this.

Reply

Matt Hall says:

March 25, 2011 at 8:43 pm

Nicely done! Love your podcast, and I share with students and staff here at Vanderbilt.
Great work!

Reply

Joe Bozniak says:

April 19, 2012 at 3:09 pm

So, you’re trusting computer logs (say a web browser history) to blame someone for some action but then are willing to trust alternate evidence on the same computer that the clock was tampered with? Well, I would just tamper with the browser logs first if I was going to frame you and then never need to mess with the clock.

Reply

Lee Whitfield says:

April 19, 2012 at 3:33 pm

I can understand your point but think you’ve got the wrong end of the
stick. I looked at all of these items (and more) in order to show that the
clock had NOT been tampered with. It would be foolish to look at only
one piece of evidence to draw conclusions. You would have to look at
several items for corroboration or disproving of your hypotheses.
Editing the internet history and browser logs would be a clever way of
manipulating evidence but that would also leave evidence that would
need to be cleaned up. Think of the time stamps inside the actual pages,
the time stamps of the cache files created, if you opened the file/folder
in Windows you have registry entries showing the date and time you
access those files for manipulation, you have the last-write times of the
history logs… as you can see the list goes on.
I’m not sure if it is possible to completely hide the evidence of
manipulation. Windows records so much for every single action that you’d
need expert knowledge of the system, and a lot of time, to clean up your
access afterwards.

Reply