Hiya Guys / Gals,
I would be very grateful for any feedback on the following: confirming the date and time of a system clock from an imaged disk.
I have imaged the drive using ImageMasster and am working from a USB connection using FTK.
Is there a way that I can interrogate the 'registry' (if that's right) using FTK to determine what date and time was set, and possibly if this was altered at any point?
I believe the suspect disk's OS was Windows 98 - that’s another thing, can I find out the complete spec of a system somewhere using FTK?
As you can probably guess, I’m a little inexperienced, so please be patient :)
Regards, Icon_serf

The OS version is available in the Registry… I'm not familiar enough with Win98 to give you the full path, however.
You can get TimeZoneInformation from the Registry; on 2K and above, you can check the EventLog for (a) eventIDs relating to the change of system time, and (b) disparities in the times recorded based on event numbers.
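
The second check mentioned in the reply above (time disparities against event record numbers, on Windows 2000 and later logs), as an added example that is not part of the original thread. It assumes the records have already been exported as `record_number,timestamp` lines; the sample data and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample export, one "record_number,time_written" per line.
# Not taken from a real case.
SAMPLE_EXPORT = """\
101,2005-03-01 09:00:12
102,2005-03-01 09:04:40
103,2005-02-20 18:30:05
104,2005-02-20 18:31:50
105,2005-03-01 09:20:03
106,2005-03-01 09:21:00
"""

def parse_export(text):
    """Parse 'record_number,timestamp' lines into (int, datetime) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        number, stamp = line.split(",", 1)
        parsed = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")
        records.append((int(number), parsed))
    return records

def find_backward_steps(records, tolerance=timedelta(seconds=2)):
    """Flag neighbouring records (by record number) whose time goes backwards.

    Record numbers are assigned in write order, so a later record carrying an
    earlier timestamp means the clock was moved back between the two writes.
    Forward jumps are not flagged: a powered-off machine produces them too.
    """
    ordered = sorted(records, key=lambda r: r[0])
    findings = []
    for (prev_no, prev_ts), (cur_no, cur_ts) in zip(ordered, ordered[1:]):
        if prev_ts - cur_ts > tolerance:
            findings.append((prev_no, cur_no, prev_ts - cur_ts))
    return findings

if __name__ == "__main__":
    for prev_no, cur_no, delta in find_backward_steps(parse_export(SAMPLE_EXPORT)):
        print(f"records {prev_no} -> {cur_no}: clock moved back by {delta}")
```

A backward step shows only that the clock was earlier when the later record was written; it should be read alongside the time-change events and the time zone settings from the Registry.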

Hiya, thanks for the reply. However, where would I navigate to the system log file and event viewer in Windows 98? Having a little trouble here :)
Does the system log identify what has / hasn't been changed in category - i.e. times / dates / etc?
Cheers,