Detecting CMOS Clock Changes

January 15, 2011 by  
Filed under Technical Articles

During my short career in digital forensics I have seen and heard a number of defences. One that I have seen emerge a number of times is the claim that one of the parties has been ‘framed’ or ‘set-up’ by someone by changing the system clock and doing some nefarious deed before setting the clock back to the correct time.

If, for example, someone did this on my computer and browsed to some inappropriate website, all the internet history records and cached files would reflect the changed time. To the casual observer, a judge, or a jury it may look like I was responsible. Even a seasoned forensic investigator may be fooled into believing that it was I that did the deed. Without digging deeper each of us could be fooled by such trickery.

Dependent on your position how would you support/dismiss such a claim? I’ve given this a bit of thought recently and come up with a few ideas.

Event Logs

These are superb resources for many reasons, but we’re going to focus specifically on the time stamps of the entries.

Event logs in Windows XP have a default size of 512KB. In both Vista and Windows 7 the default size of event logs is 20MB. In either case the logs behave the same way – they fill up in order of events. Once the log is full it wraps around to the beginning, implementing a first-in-first-out overwriting of old records.

So, what would you expect to see if the system clock had been changed?

Depending on the software and services running on the computer the event logs could generate hundreds of entries every day. This means that we should be able to easily identify any discrepancies in the logs. As the logs are written in order of occurrence we should be able to tell if the system clock has been changed by parsing the event logs themselves and ordering them by file offset. If the dates suddenly jump backwards and then forwards again it is a good indication that the system clock has been changed. Conversely if you see no such activity it is a good indication that the system clock has not been changed.

If someone changed the system clock from inside Windows (in Vista and Windows 7) then the clock change is also recorded in the event log as event ID 1. Such entries will appear as follows:

The system time has changed to 01/01/2011 08:51:43 from 15/01/2011 08:51:43.

Link Files

If files were accessed or created during a suspected changing of the system clock then evidence may also be found in the link files on the computer.

Harry Parsonage has done a lot of work on link files. As part of his research he has found that link files contain a sequence value. This value is incremented when the operating system is started/restarted. This means that all link files from a single session will retain the same sequence value; when the computer is rebooted the sequence value increases.

If the computer clock has not been changed then parsing the link files and ordering them by their sequence value should also mean that the links are in date order. If, in ordering the link files by sequence value, we see that the dates do not align it is fair to say that the system clock has been changed.

More information on Harry’s research can be found here: http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf

EDIT: After speaking to Harry I need to make a small correction. It appears as if the sequence value is only consecutive in XP. Apparently they were changed in Vista and Windows 7.

Restore Points

Since Windows XP, restore points have been used by Microsoft. They have changed somewhat since being introduced but they essentially serve the same purpose. In each version of Windows the restore points are stored in the folder “System Volume Information”.

In XP the restore points are named incrementally. Each restore point will be contained in a folder with a naming convention of “RP##” where “##” is the incremental restore point number. If a restore point was created during a clock change there will be anomalies. What an analyst would see is ordered restore points but, when looking at the “RP” folders in order of creation dates, the incremental numbers would not match up. If this is the case then it is likely that the system clock has been changed.

The same thing goes for Vista and Windows 7. Although the restore points (shadow volumes or difference files) are different, the same principles would apply. If a restore point was created during a clock change the order of the shadow volumes would be changed. The file named {3808876b-c176-4e48-b7ae-04046e6cc752} is an index of shadow volumes and is kept in order of creation, meaning that the most recent shadow volume will be last in the file. Each of these is recorded with the creation time of the difference file, so an analyst could simply look at the creation times of the difference files and, if any are out of order, it is evidence that the system clock has been changed.
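An added example, not from the article: a small Python check that applies the ordering test from the event log, link file and restore point sections above. Records are sorted by a counter that only ever grows (event log file offset, XP link-file sequence value, restore point number) and any point where the recorded time steps backwards is flagged, and the Vista/7 event ID 1 message is parsed to recover the old and new times. The sample records, offsets and restore point names are constructed; real records would come from an event log or System Volume Information parser.

```python
import re
from datetime import datetime, timedelta

FMT = "%d/%m/%Y %H:%M:%S"  # day/month/year, as in the event ID 1 message quoted above
TIME_CHANGE_RE = re.compile(r"system time has changed to (\S+ \S+) from (\S+ \S+)\.")

# Constructed sample event log records: (file offset, timestamp, event ID, message).
# Offset 0x180 mirrors the Vista/7 clock-change event; later records carry the backdated time until the clock is put back at 0x340.
SAMPLE_EVENTS = [
    (0x100, "15/01/2011 08:50:10", 7036, "Service entered the running state"),
    (0x180, "15/01/2011 08:51:43", 1,
     "The system time has changed to 01/01/2011 08:51:43 from 15/01/2011 08:51:43."),
    (0x240, "01/01/2011 08:52:05", 7036, "Service entered the running state"),
    (0x2c0, "01/01/2011 09:10:30", 4624, "An account was successfully logged on"),
    (0x340, "15/01/2011 09:11:02", 7036, "Service entered the running state"),
]
# Constructed sample XP restore points: (RP folder name, folder creation time).
SAMPLE_RESTORE_POINTS = [
    ("RP12", "10/01/2011 10:00:00"),
    ("RP13", "02/01/2011 11:00:00"),  # created while the clock was set back
    ("RP14", "12/01/2011 09:00:00"),
]

def parse_ts(text):
    return datetime.strptime(text, FMT)

def find_regressions(records, key, ts, tolerance=timedelta(0)):
    """Sort records by a counter that only grows (event log file offset, XP link-file
    sequence value, restore point number) and report each place the recorded
    timestamp steps backwards. 'tolerance' ignores small corrections such as NTP."""
    ordered = sorted(records, key=key)
    return [(key(a), ts(a), key(b), ts(b))
            for a, b in zip(ordered, ordered[1:]) if ts(b) + tolerance < ts(a)]

def explicit_clock_changes(events):
    """Pull old/new times out of event ID 1 messages and return the shift applied."""
    changes = []
    for offset, _, event_id, message in events:
        m = TIME_CHANGE_RE.search(message) if event_id == 1 else None
        if m:
            new, old = parse_ts(m.group(1)), parse_ts(m.group(2))
            changes.append((offset, old, new, new - old))
    return changes

def event_log_regressions(events=SAMPLE_EVENTS):
    return find_regressions(events, key=lambda r: r[0], ts=lambda r: parse_ts(r[1]))

def restore_point_regressions(points=SAMPLE_RESTORE_POINTS):
    return find_regressions(points, key=lambda p: int(p[0][2:]), ts=lambda p: parse_ts(p[1]))
```

A backward step found by find_regressions alone shows only that the clock went back; pairing it with an event ID 1 record, where one exists, gives the exact offset and size of the change.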

HTML

A number of web pages include date and time stamps. The most obvious of these are forums, but time stamps are also found in web-based email, blog entries, Facebook, Twitter, and so on. Each of these would provide a clear indication of clock adjustment when looking at the creation and download dates of the data.

Others

Each of these provides a very systematic method for detecting clock manipulation, but there are other ways of detecting such things. For example, a prefetch file may contain information about accessing specific files that may not have existed on the computer at the changed time; an email message header will contain information about the date and time sent; HTTP response headers also carry time information taken from the web server; and so on.

Summing Up

If someone claims that the system clock has been changed we can provide substantial evidence supporting or refuting such claims. It may well be the case that a computer clock has been changed but it is then up to us to provide evidence to support our claims and not just suggest that it may have happened.

Do you have any other methods for detecting clock changes? Please feel free to add them in the comments.

Forensic 4cast Mini-Shows

January 6, 2011 by  
Filed under News

Happy new year everyone. I hope everyone had a wonderful Christmas and has made some good resolutions for the coming year (and, moreover, that you have not yet broken them).

We, at Forensic 4cast, like to come up with fresh ideas once in a while to stop the old show getting stale. Some of these ideas are widely heralded as brilliant (the Forensic 4cast Awards for example), others don’t get the kind of backing we’d like and they fall by the wayside (may the forum rest in peace). The latest of these ideas came to me a few days ago. I’ve spent time thinking about it and came to the conclusion ‘Why not?’

Each episode of Forensic 4cast gets, on average, 1500 downloads per month. It’s not a huge number but it is a good start. Sadly, due to family and other commitments, I’m not in a position to record and edit a new episode of 4cast more than once per month. However, I do have a near-unlimited amount of storage and bandwidth for others in the forensic field to use. Do you have something to say? Do you have a microphone? Why not record something and send it my way? If it’s good, we’ll put it in the feed for everyone to download and listen to.

The kinds of things that I’m looking for are:

  • product reviews
  • cheap investigation methods and software
  • forensic news
  • research results
  • new techniques
  • interviews

Do not think that, just because your idea does not fit into any of the items listed that I won’t consider your input. Far from it.

I don’t want to get bogged down with too much so I kindly ask that any participants limit these mini-episodes to 5-10 minutes in size. They can be video or audio, just make sure that they are in a widely used format such as mp4 for video and mp3 for audio.

If you are interested please let me know either in the comments, or by any of the methods of communication set out in our ‘Contact Us’ page.