Notifications
Clear all

System Clock Help

3 Posts
2 Users
0 Likes
465 Views
novadonuk
(@novadonuk)
Posts: 26
Eminent Member
Topic starter
 

Hiya Guys / Gals,

I would be very grateful for any feedback on the following Confirming the date and time of a system clock from an Imaged disk.

I have imaged the drive using ImageMasster and am working from a USB connection using FTK.

Is there a way that I can interrogate the 'registry' if that's right using FTK to determine what date and time was set and possibly if this was altered at any point?

I believe the suspect disk's OS was Windows 98 - that’s another thing, can I find out the complete spec of a system somewhere using FTK?

As you can probably guess, I’m a little inexperienced, so please be patient )

Regards, Icon_serf

 
Posted : 15/08/2006 6:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The OS version is available in the Registry…I'm not familiar enough with Win98 to give you the full path, however.

You can get TimeZoneInformation from the Registry; on 2K and above, you can check the EventLog for (a) eventIDs relating to the change of system time, and (b) disparities in the times recorded based on event numbers.

 
Posted : 15/08/2006 7:42 pm
novadonuk
(@novadonuk)
Posts: 26
Eminent Member
Topic starter
 

hiya thanks for the reply, however where would I navigate to the system log file, and event viewer in windows 98, having a little trouble here )

Does the system log identify what has / hasnt been changed in category - i.e. times / dates / etc?

Cheers,

 
Posted : 17/08/2006 4:16 pm
Share: