Detecting System Backdating in Windows

Timestamps provide valuable information about what programs and files are being used on a Windows OS. They are updated in accordance with the BIOS or through the OS clock and provide a detailed sequence of events that have taken place on a system.

Timestamps are used to reconstruct events on a system, supporting the efforts of a forensics examiner or incident response team. That being said, if a system clock is inaccurate, the reliability of the timestamp attributes will be questionable.

In digital forensics, evidence concerning date and time is obviously a fundamental part of investigations. System backdating, where a system’s clock is set back manually, is a common form of anti-forensics. For a forensics examiner, it is critical to be able to identify the reliability of date and time in order to create an accurate timeline of events. The problem is that there is no simple way to detect whether or not the system clock has been backdated or tampered with, particularly when it was later reset to the correct time.

There are three main categories of related objects:

1.) System artifacts – these include the Windows event log, the Volume Shadow Copy (a service that runs once per day and keeps a record or copy of changes), $MFT, $LogFile, $UsnJrnl, $STANDARD_INFORMATION and $FILE_NAME timestamps, as well as Windows update logs.

The easiest way to tell if the system clock has been tampered with is by examining the event logs. However, Windows may have overwritten old event records with newer ones, or an attacker/user may have deleted them. Note: if event log records were deleted, it is possible to recover them from unallocated space.

Event logs are recorded with a Record No. and a Date and Time. The most recent event record is assigned the largest Record No.; that is to say, as the Record No. increases, the Date and Time column should increase as well. By comparing these two fields across records, we can potentially determine whether the system clock has been backdated (e.g. if the Record No. increases but the Date and Time goes backwards).

Source: Fan, X. (2019). Detection of Backdating the System Clock in Windows.
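As an added illustration of the Record No. versus Date and Time comparison (example code written for this page, not from the paper or the original post), the following Python orders records by their sequence number and reports each run whose timestamps fall behind the latest time already seen. The sample log is constructed; the `chrome_visit_record` helper shows that the same check applies to Chrome's History `visits` table once its WebKit-epoch timestamps are converted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Record:
    seq: int            # sequence number the artifact assigns monotonically
    written: datetime   # timestamp taken from the system clock at write time

# Constructed sample, not from a real system: event log records where the clock
# is set back about a day at record 1003 and corrected again at record 1006.
SAMPLE_EVENT_LOG = [
    Record(1000, datetime(2019, 3, 10, 9, 0, 0)),
    Record(1001, datetime(2019, 3, 10, 9, 5, 30)),
    Record(1002, datetime(2019, 3, 10, 9, 6, 2)),
    Record(1003, datetime(2019, 3, 9, 14, 0, 0)),    # clock set back
    Record(1004, datetime(2019, 3, 9, 14, 2, 45)),
    Record(1005, datetime(2019, 3, 9, 14, 3, 10)),
    Record(1006, datetime(2019, 3, 10, 9, 7, 15)),   # clock restored
    Record(1007, datetime(2019, 3, 10, 9, 8, 0)),
]

def backdated_spans(records, tolerance=timedelta(minutes=5)):
    """Return (first_seq, last_seq, largest_step_back) for each run of records
    whose timestamps lag the latest timestamp seen so far by more than
    `tolerance`. Comparing against a high-water mark instead of only the
    previous record reports the whole backdated run, not just its first entry;
    the tolerance absorbs small legitimate clock corrections (e.g. NTP)."""
    spans, high, open_span = [], None, None
    for r in sorted(records, key=lambda r: r.seq):   # order the log guarantees
        if high is not None and high - r.written > tolerance:
            step = high - r.written
            if open_span is None:
                open_span = [r.seq, r.seq, step]
            else:
                open_span[1], open_span[2] = r.seq, max(open_span[2], step)
            continue
        if open_span is not None:               # clock caught up: close the run
            spans.append(tuple(open_span))
            open_span = None
        high = r.written if high is None else max(high, r.written)
    if open_span is not None:                   # log ends while still backdated
        spans.append(tuple(open_span))
    return spans

def chrome_visit_record(visit_id, visit_time):
    """Adapt a row of Chrome's History `visits` table so the same check runs on
    browsing history: visit_time counts microseconds from 1601-01-01 (WebKit
    epoch), not from the Unix epoch."""
    return Record(visit_id, datetime(1601, 1, 1) + timedelta(microseconds=visit_time))
```

Running `backdated_spans(SAMPLE_EVENT_LOG)` reports records 1003 to 1005 as written with the clock set back by just over 19 hours, which is the pattern the figure above shows.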

A volume shadow copy (VSC) found out of sequence may indicate backdating as well. Volume shadow copies created within a close time range will have similar names. If a similar named shadow copy appears out of place (e.g. grouped with different set of similar names), this may indicate that this volume shadow copy was created with a backdated system clock.

Source: Fan, X. (2019). Detection of Backdating the System Clock in Windows.

2.) Application artifacts – examples include a system’s antivirus update log or an associated cloud storage sync log.

Antivirus software will maintain update logs separate from the Windows system logs. For example, Symantec’s LiveUpdate will record all activities and write the time according to the system clock. This record will reveal when a system clock has been backdated. The same is true with cloud storage syncs (e.g. Google Drive’s Sync Log).

Symantec AV Log, Source: Fan, X. (2019).

3.) Internet artifacts – these include a user’s Internet history or e-mail history.

Browser history for Chrome and Firefox is contained in SQLite databases, with the time (according to the local system clock) recorded for each website visited. Significant discontinuities in the time sequence of web browsing indicate backdating. The same is true for a web browser’s download history (e.g. for Chrome it is stored in: %APPDATA%\Local\Google\Chrome\User Data\Default\History).

Chrome Web Visits log with evidence of system backdating. Source: Fan, X. (2019).

Internet cookies may also contain timestamps; however, while some represent the local system time, others represent the server-side time. Server-side timestamps include a cookie creation time and a last access time. By comparing these timestamps, an examiner may be able to determine whether or not system backdating has taken place.

Similarly, e-mail headers contain server-generated timestamps. If an examiner finds the msg/eml file on the computer, its MAC (modified, accessed, created) times should not be any earlier than the timestamp in the e-mail header.

Closing Thoughts

Tampering with a system clock is a common form of anti-forensics. An examiner may use these three main categories (System artifacts, Application artifacts, and Internet artifacts) as references in a Windows environment to triangulate evidence of system clock backdating.