SANS Institute has published a whitepaper by Xiaoxi Fan titled “Detection of Backdating the System Clock in Windows”. This paper presents three categories of related objects, showing how they work together in detecting system clock backdating: (1) system artifacts (e.g. Windows event log, $MFT, $Logfile, $UsnJrnl, Volume Shadow Copy, $STDINFO and $FILENAME timestamps, and Windows update logs); (2) application artifacts (e.g. antivirus update log and cloud storage sync log); and (3) Internet artifacts (e.g. Internet history and email). The paper intends to put together these artifacts and serve as a reference for investigators to detect system clock backdating.
-
Looking at Microsoft Teams from a DFIR Perspective
David Cowen’s Sunday Funday is back, so why not to take part in this fun? Last Sunda… -
Forensic Walkthrough: QBot Infection
For some reason, there are not so many posts on forensic examination of hosts infected wit… -
SQM: New Evidence of Execution Source?
Forensicating one of compromised hosts during our recent incident response activities we h…
Load More Related Articles
-
Smartphone Forensics Investigations: An Overview of Third Party App Examination
There are millions of applications that can be used on a smartphone. This mini webcast wit… -
Forensics and Incident Response In The Cloud
The purpose of this webinar is to delve into one of the most challenging aspects of workin… -
Building your Android Application Testing Toolbox
This webcast explores the following topics: 1) Choosing the best test device 2) Rooting yo…
Load More In Webinars
Comments are closed.
