
Re: [linux_forensics] File Dates and Times

  • Enda Cronnolly
    Message 1 of 11, Feb 1, 2004
      > I appreciate this thread was answered but I have a stupid question regarding
      > time/date stamps of files.
      >
      > Is there a way to figure out when the computer clock was changed?

      I know the modern Phoenix bios tracks this, caused a problem with some eval
      software licence from phoenix last year.

      However, whether changed in the bios or in windows, I don't know where you'd
      get evidence of that change. Application log anomalies are probably your
      best bet, although windows has never been regarded as maintaining useful
      logs of anything. Something like IIS would have a http log entry for server
      start, and if there was a subsequent hit an hour previously, then that would
      probably be a good hint at a clock change. Unlikely to find IIS on win me
      though.... Msn messenger / ICQ / AIM chat logs would be a better shot,
      provided they log startup events....

      -Enda.
    • IanC
      Message 2 of 11, Feb 1, 2004
        I appreciate this thread was answered but I have a stupid question regarding
        time/date stamps of files.

        Is there a way to figure out when the computer clock was changed?

        Reason being I'm looking at a laptop here & the user frequently drove a
        short distance into a different timezone and he did often (but not always)
        manually adjust the computer clock so I am having real difficulty here
        examining the drive. (Mainly in regards to where he was and when, on a
        particular time of various days).

        Thus far I'm trying to compute the received header times of emails from the
        received line times to his computer time and think that will work - but know
        this will take hours and hours if not weeks to do properly.

        Am I missing something or is there an easier way? Such as a computer log
        file I don't know about?

        File system is fat 32 with ME installed.


        Best Regards - Ian
        - - - - - - - - - - - - - - - - - -
        Data Recovery/Computer Forensics
        Specialist in the World Wide Web
        Including Email Investigations
        Certified Expert Witness
        http://www.PI-Supply.com
        http://www.TracingEmails.com
        - - - - - - - - - - - - - - - - - -
        Director & Team Member of MissingKIN.
        "Dedicated to finding missing and abducted children"
        http://www.MissingKIN.com
        - - - - - - - - - - - - - - - - - -
        Proudly Tracing Pedophiles.. For Free!
      • Rich Thompson
        Message 3 of 11, Feb 3, 2004
          Try finding back-up copies for the registry, depending
          on when they were made you might find the evidence of
          him changing the times....

          I think some registries store like 5x back-ups for
          mooph purposes....

          Rich

        • IanC
          Message 4 of 11, Feb 3, 2004
            Thanks Rich & Enda for the assistance.

            There was no back-up of reg settings that assisted here and there were no
            Instant messenger apps (or other apps) logging on at boot or Internet
            connection.

            I did manage to figure out most of the time changes by the received lines in
            email headers he downloaded from his ISP as he logged into the same ISP mail
            server each time and I compared them to his email client receiving them.
            (Which was Outlook, and a long process)!

            At this stage though I'm not 100% sure of his location all of the time and
            was wondering if ISPs retain logs of the numbers that call them to connect
            per user? If so a subpoena would reveal this but I've not seen such info
            contained within any subpoena issued that I've been involved with.

            If this is possible at all would you subpoena the ISP or the Telco the ISP
            uses, if the Telco where do you get the number to subpoena?


            Best Regards - Ian
            - - - - - - - - - - - - - - - - - -
            Data Recovery/Computer Forensics
            Specialist in the World Wide Web
            Including Email Investigations
            Certified Expert Witness
            http://www.PI-Supply.com
            http://www.TracingEmails.com
            - - - - - - - - - - - - - - - - - -
            Director & Team Member of MissingKIN.
            "Dedicated to finding missing and abducted children"
            http://www.MissingKIN.com
            - - - - - - - - - - - - - - - - - -
            Proudly Tracing Pedophiles.. For Free!
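
The header comparison described in the message above can be scripted; this is an added example, not part of the original thread. It brackets the laptop's clock offset (local clock minus UTC) for each mail download and flags a clock change only when two consecutive brackets cannot overlap. It assumes the ISP server's clock is accurate, that every download collects all mail waiting on the server, and that the client stores naive local-clock stamps; the sample rows, host names and the `GAP` threshold are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (ISP Received: line or its date part, naive client stamp).
SAMPLE = [
    ("from a.example by pop.isp.example; Mon, 12 Jan 2004 08:58:40 -0500", "2004-01-12 09:00:31"),
    ("Mon, 12 Jan 2004 09:03:00 -0500", "2004-01-12 12:20:05"),
    ("Mon, 12 Jan 2004 13:15:20 -0500", "2004-01-12 12:20:06"),
    ("Mon, 12 Jan 2004 13:24:00 -0500", "2004-01-12 19:02:00"),
    ("Mon, 12 Jan 2004 18:40:00 -0500", "2004-01-12 19:02:01"),
    ("Mon, 12 Jan 2004 19:05:00 -0500", "2004-01-12 21:30:00"),
]
GAP = timedelta(minutes=5)  # assumption: client stamps this close are one download

def sessions(rows):
    """Group (server_time, client_stamp) pairs into download sessions."""
    pairs = []
    for received, local in rows:
        srv = parsedate_to_datetime(received.rsplit(";", 1)[-1].strip())
        # Label the naive client stamp as UTC so the difference is the clock offset.
        cli = datetime.strptime(local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        pairs.append((srv, cli))
    pairs.sort()  # the server clock is trusted, so it defines the true order
    groups = [[pairs[0]]]
    for pair in pairs[1:]:
        if abs(pair[1] - groups[-1][-1][1]) > GAP:
            groups.append([])
        groups[-1].append(pair)
    return groups

def offset_bounds(rows):
    """Per session: (lower, upper) bounds on local clock minus UTC."""
    groups, out = sessions(rows), []
    for grp, nxt in zip(groups, groups[1:] + [None]):
        # Mail was on the server before it was fetched: offset <= client - server.
        upper = min(c - s for s, c in grp)
        # Mail fetched next time had not arrived yet (to within the download time).
        lower = min(c for _, c in grp) - min(s for s, _ in nxt) if nxt else None
        out.append((lower, upper))
    return out

def clock_changes(rows):
    """(session index, direction) where bounds cannot overlap the previous session's."""
    b, found = offset_bounds(rows), []
    for i in range(1, len(b)):
        (lo_a, up_a), (lo_b, up_b) = b[i - 1], b[i]
        if lo_a is not None and up_b < lo_a:
            found.append((i, "back"))
        elif lo_b is not None and up_a < lo_b:
            found.append((i, "forward"))
    return found
```

The last session has no lower bound, so it is never flagged on its own; the brackets tighten only when mail arrives shortly before and after a download.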
          • Christopher Bell
            Message 5 of 11, Feb 3, 2004
              From my understanding, they should have a list of where he or she dials in from. They would have the IP addresses from the server and the phone number in the area. I have heard of instances where the FBI did the same thing to determine where someone logged in from.

              Christopher D. Bell

            • The Dog's Bollix
              Message 6 of 11, Feb 4, 2004
                Ian,

                I'd subpoena the telco on the receiving or ISP's side. They'll have records for the dial-in number. Most telcos retain this information (if you recall, that was my issue on another group - identifying the trunk numbers - that was related to a subpoena for calls received).

                Good luck with it....

                Tony.
