Verifying date/time settings when BIOS is unaccessible


Post Posted: Tue May 18, 2010 9:59 am

Hi Guys

What alternative methods have you used to prove/disprove that the date and time settings of the suspect machine are accurate? I need to evidence some internet history between some dates, so it relies heavily on the date and time settings.

I have tried using the Initialise Case processor in EnCase but for some reason it won't run; the progress bar (bottom right) fills quickly and nothing happens.

Any advice would be greatly appreciated.  

oreo
Newbie
 
 
  

Re: Verifying date/time settings when BIOS is unaccessible

Post Posted: Tue May 18, 2010 10:14 am

I have a not so technical suggestion:

I have heard that someone has previously used a custom Google logo, such as one to commemorate a famous person's birthday or a national holiday. By finding out from Google when this logo was originally uploaded they could prove that it could not have appeared on the machine before then. A tenuous link, I know, and of course it is unlikely to give you an accurate result time-wise.

Otherwise, if there are any news items in the cache, say from the MSN homepage or BBC or whatever, you may be able to check the date from them.
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 

kiashi
Senior Member
 
 
  

Re: Verifying date/time settings when BIOS is unaccessible

Post Posted: Tue May 18, 2010 10:57 am

What do you mean that the BIOS is unaccessible? Is it password protected, do you not know the access sequence, or is it faulty?

At any rate, whenever I can't access the BIOS of a system, I boot it with a Linux CD to check the system clock.

miket065
Senior Member
 
 
  

Re: Verifying date/time settings when BIOS is unaccessible

Post Posted: Tue May 18, 2010 12:43 pm

Are you saying you only have the HDD image as evidence?  

douglasbrush
Senior Member
 
 
  

Re: Verifying date/time settings when BIOS is unaccessible

Post Posted: Tue May 18, 2010 1:24 pm

You may have the time and date the computer was seized, the time and date of the last accessed files, whether the computer was set to synch with an Internet Clock or Domain Clock (and then make sure it is connected to the Internet or Domain as necessary), last shutdown time (sometimes), last log on time, registry entries for time zones etc. You cannot prove it is accurate but you may be able to say there is no known reason to doubt the accuracy.

Regards  

GlosSteveC
Member
 
 
  

Re: Verifying date/time settings when BIOS is unaccessible

Post Posted: Tue May 18, 2010 5:06 pm

Look through the web pages in the cache; there are invariably pages in there that contain embedded dates, which can be compared to the created time of the web page in the cache.

There are sometimes web pages whose name or path includes a Unix time stamp; the old example of this was Hotmail web pages.

It might be possible to look at email headers for incoming emails. I had one case where I had to prove the accuracy of the clock and found a visit to a web page in a cache which was to register for some site, followed by the receipt of the email confirming the registration with a link to click in the email. There was enough information between the internet history and the email headers to get a reasonable measure of how accurate the clock was.

H
_________________
regards
Harry Parsonage 

harryparsonage
Senior Member
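The comparison described in the post above (a Unix time stamp in a cached page's name or path against that entry's created time in the cache) can be scripted. This is an added example, not part of the original thread: the URLs, times and date window are constructed, and it assumes the cache "created" times have already been exported and converted to UTC.

```python
import re
import statistics
from datetime import datetime, timezone

UTC = timezone.utc
# A 10-digit (seconds) or 13-digit (milliseconds) run that is not part of a longer number.
EPOCH_RE = re.compile(r"(?<!\d)(\d{10}|\d{13})(?!\d)")

def embedded_epochs(url, earliest, latest):
    """Unix times (seconds) found in a URL that fall inside the plausible window."""
    found = []
    for digits in EPOCH_RE.findall(url):
        secs = int(digits) / 1000 if len(digits) == 13 else int(digits)
        if earliest.timestamp() <= secs <= latest.timestamp():
            found.append(secs)
    return found

def clock_offsets(records, earliest, latest):
    """Seconds by which each cache 'created' time leads the time embedded in its URL."""
    offsets = []
    for url, created_utc in records:
        epochs = embedded_epochs(url, earliest, latest)
        if len(epochs) == 1:  # skip URLs with no candidate or several (ambiguous)
            offsets.append(created_utc.timestamp() - epochs[0])
    return offsets

def summarise(offsets):
    """Median and range of the offsets, or None when nothing was usable."""
    if not offsets:
        return None
    return {"n": len(offsets), "median": statistics.median(offsets),
            "min": min(offsets), "max": max(offsets)}

# Constructed sample: (cached URL, cache 'created' time from the suspect machine, UTC).
SAMPLE = [
    ("http://mail.example.test/getmsg?msg=A1&t=1273500000",
     datetime(2010, 5, 10, 14, 0, 42, tzinfo=UTC)),
    ("http://news.example.test/story.js?_=1273586400000",      # millisecond form
     datetime(2010, 5, 11, 14, 0, 40, tzinfo=UTC)),
    ("http://img.example.test/banner_1273672800.gif",
     datetime(2010, 5, 12, 14, 0, 45, tzinfo=UTC)),
    ("http://www.example.test/index.html",                     # nothing embedded
     datetime(2010, 5, 12, 15, 0, 0, tzinfo=UTC)),
    ("http://shop.example.test/item?id=4000000000",            # ID, not a date
     datetime(2010, 5, 12, 16, 0, 0, tzinfo=UTC)),
]
EARLIEST = datetime(2010, 1, 1, tzinfo=UTC)   # assumed start of the period of interest
LATEST = datetime(2010, 5, 18, tzinfo=UTC)    # assumed seizure date

if __name__ == "__main__":
    print(summarise(clock_offsets(SAMPLE, EARLIEST, LATEST)))
```

A small, consistent positive offset is expected, since the server stamps the URL before the browser writes the cache entry; a large or drifting median is what would call the clock into question.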
 
 
  

Re: Verifying date/time settings when BIOS is unaccessible

Post Posted: Wed May 19, 2010 5:42 pm

My suggestion won't be of much help if you are looking into very old dates, but just to check if "current" date and time are right, it would be useful to know when the computer was last used, and check it with NTUser MAC times.

iruiper
Senior Member
 
 
