SANS Institute has published a whitepaper by Xiaoxi Fan titled “Detection of Backdating the System Clock in Windows”. This paper presents three categories of related objects, showing how they work together in detecting system clock backdating: (1) system artifacts (e.g. Windows event log, $MFT, $Logfile, $UsnJrnl, Volume Shadow Copy, $STDINFO and $FILENAME timestamps, and Windows update logs); (2) application artifacts (e.g. antivirus update log and cloud storage sync log); and (3) Internet artifacts (e.g. Internet history and email). The paper intends to put together these artifacts and serve as a reference for investigators to detect system clock backdating.
-
Memory forensics and the Windows Subsystem for Linux
The Windows Subsystem for Linux (WSL) was first included in the Anniversary Update of Micr… -
Breaking Full Disk Encryption
Full Disk Encryption (FDE) may be rather useful as a defense mechanism against potential t… -
How to Put a Qualcomm Phone into EDL Mode
In this post Magnet Forensics talks about Emergency Download (EDL). This is a Qualcomm fea…
Load More Related Articles
-
Webinar on Timeline Forensics
In April 2018 Microsoft updated Windows 10 with a new feature called âTimelineâ. The Timel… -
The Challenges of APFS and How EnCase Can Help
The new Apple File System (APFS) was developed to replace HFS+ and became the default file… -
Threat Intelligence Naming Conventions: Threat Actors, & Other Ways of Tracking Threats
Cyber Threat Intelligence (CTI) analysts must have ways of clustering adversary intrusions…
Load More In Webinars
