|
|
Our Hot Pick: Rising Antivirus 2006 - Certified by TUV & Checkmark! Get 10% discount by entering this coupon code: ONDISCOUNT10
Is there any method by which one can detect a change in the system clock?
May be some place where such sort of log might be maintained and we can
check this log?
The clock was changed 2 months prior to the present date, and then again
restored back to the present date. This activity needs to be proved in the
court of law in a certain case.
Your help will be very helpful to get the innocents out of the case.
Thanks.
|
|
"Mohit" <Mohit[ at ]discussions.microsoft.com> wrote in message
news:A6E26DB5-30E0-4F2D-8A12-697AF3F1E89E[ at ]microsoft.com...
[Quoted Text] > Is there any method by which one can detect a change in the system clock?
> May be some place where such sort of log might be maintained and we can
> check this log?
> The clock was changed 2 months prior to the present date, and then again
> restored back to the present date. This activity needs to be proved in the
> court of law in a certain case.
> Your help will be very helpful to get the innocents out of the case.
> Thanks.
Your only chance would be the event logger, under these conditions:
- One of your three logs goes back far enough.
- It logged some events before and after the crucial time.
If both conditions are met then you will see how the event logger
time stamps go backwards for a short while.
|
|
"Mohit" <Mohit[ at ]discussions.microsoft.com> wrote in message
news:A6E26DB5-30E0-4F2D-8A12-697AF3F1E89E[ at ]microsoft.com...
[Quoted Text] > Is there any method by which one can detect a change in the system clock?
> May be some place where such sort of log might be maintained and we can
> check this log?
> The clock was changed 2 months prior to the present date, and then again
> restored back to the present date. This activity needs to be proved in the
> court of law in a certain case.
> Your help will be very helpful to get the innocents out of the case.
> Thanks.
A further thought: If this is a well-maintained system then
you can retrieve the system logs from your backup medium.
|
|
Mohit <Mohit[ at ]discussions.microsoft.com> wrote:
[Quoted Text] > Is there any method by which one can detect a change in the system clock?
> May be some place where such sort of log might be maintained and we can
> check this log?
> The clock was changed 2 months prior to the present date, and then again
> restored back to the present date. This activity needs to be proved in the
> court of law in a certain case.
> Your help will be very helpful to get the innocents out of the case.
There may be some sort of event looging you can enable that would
constitute strong evidence, but working after the fact, I don't think
there is anything that can prove that these actions took place. Even if
you had such evidence, how would you prove that it had not been tampereed
with?
--
Gary L. Smith
Columbus, Ohio
|
|
Thank you Pegasus. The Event Logger seems to be the only hope.
In case of the system backup, do you know that at which place does the
system saves such sort of information?
Also, does the system makes backup of event Logs by its own ?
Thanks,
Mohit
"Pegasus (MVP)" wrote:
[Quoted Text] >
> "Mohit" <Mohit[ at ]discussions.microsoft.com> wrote in message
> news:A6E26DB5-30E0-4F2D-8A12-697AF3F1E89E[ at ]microsoft.com...
> > Is there any method by which one can detect a change in the system clock?
> > May be some place where such sort of log might be maintained and we can
> > check this log?
> > The clock was changed 2 months prior to the present date, and then again
> > restored back to the present date. This activity needs to be proved in the
> > court of law in a certain case.
> > Your help will be very helpful to get the innocents out of the case.
> > Thanks.
>
> A further thought: If this is a well-maintained system then
> you can retrieve the system logs from your backup medium.
>
>
>
|
|
I'm fairly sure that the event logs get backed up as part of
the System State backup. You would have to restore the
System State to a different location to find out.
"Mohit" <Mohit[ at ]discussions.microsoft.com> wrote in message
news:E6F6BE55-2FAD-413D-8219-D1B263DAF958[ at ]microsoft.com...
[Quoted Text] >
> Thank you Pegasus. The Event Logger seems to be the only hope.
> In case of the system backup, do you know that at which place does the
> system saves such sort of information?
> Also, does the system makes backup of event Logs by its own ?
>
> Thanks,
> Mohit
>
> "Pegasus (MVP)" wrote:
>
>>
>> "Mohit" <Mohit[ at ]discussions.microsoft.com> wrote in message
>> news:A6E26DB5-30E0-4F2D-8A12-697AF3F1E89E[ at ]microsoft.com...
>> > Is there any method by which one can detect a change in the system
>> > clock?
>> > May be some place where such sort of log might be maintained and we can
>> > check this log?
>> > The clock was changed 2 months prior to the present date, and then
>> > again
>> > restored back to the present date. This activity needs to be proved in
>> > the
>> > court of law in a certain case.
>> > Your help will be very helpful to get the innocents out of the case.
>> > Thanks.
>>
>> A further thought: If this is a well-maintained system then
>> you can retrieve the system logs from your backup medium.
>>
>>
>>
|
|
In this case, the legal Forensic lab would be checking about it. We are
giving pointers to the court/forensic lab that this can be done.
Hence, we can only rely on them that the machine is not tampered.
Thanks,
Mohit
"Gary Smith" wrote:
[Quoted Text] > Mohit <Mohit[ at ]discussions.microsoft.com> wrote:
> > Is there any method by which one can detect a change in the system clock?
> > May be some place where such sort of log might be maintained and we can
> > check this log?
> > The clock was changed 2 months prior to the present date, and then again
> > restored back to the present date. This activity needs to be proved in the
> > court of law in a certain case.
> > Your help will be very helpful to get the innocents out of the case.
>
> There may be some sort of event looging you can enable that would
> constitute strong evidence, but working after the fact, I don't think
> there is anything that can prove that these actions took place. Even if
> you had such evidence, how would you prove that it had not been tampereed
> with?
>
> --
> Gary L. Smith
> Columbus, Ohio
>
|
|
I think it's safe to say that there is no way to prove that the described
actions took place -- or that they did not. Changing the system clock
leaves no persistent traces.
Mohit <Mohit[ at ]discussions.microsoft.com> wrote:
[Quoted Text] > In this case, the legal Forensic lab would be checking about it. We are
> giving pointers to the court/forensic lab that this can be done.
> Hence, we can only rely on them that the machine is not tampered.
> Thanks,
> Mohit
> "Gary Smith" wrote:
> > Mohit <Mohit[ at ]discussions.microsoft.com> wrote:
> > > Is there any method by which one can detect a change in the system clock?
> > > May be some place where such sort of log might be maintained and we can
> > > check this log?
> > > The clock was changed 2 months prior to the present date, and then again
> > > restored back to the present date. This activity needs to be proved in the
> > > court of law in a certain case.
> > > Your help will be very helpful to get the innocents out of the case.
> >
> > There may be some sort of event looging you can enable that would
> > constitute strong evidence, but working after the fact, I don't think
> > there is anything that can prove that these actions took place. Even if
> > you had such evidence, how would you prove that it had not been tampereed
> > with?
> >
> > --
> > Gary L. Smith
> > Columbus, Ohio
> >
--
Gary L. Smith
Columbus, Ohio
|
|
|