Comments on Windows Incident Response: System Clock
Feed updated: 2024-03-19T07:46:20.437-05:00

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2007-10-10T11:22:00.000-05:00

The only thing worse than the product spam is legit posters taking the time and effort to [rant]. ;-)

> Wouldn't it at least give us an
> approximate time that the Date
> and Time Control Panel Applet
> was last launched?

It does exactly that...however, I've launched the applet several times without ever changing the date or time...I've simply checked the calendar.

Depending on how long the system time was changed for, and if you're looking at an XP system, you may find evidence of the time change in the Restore Points...consecutive RPs may have non-consecutive times. On Windows systems in general, you may want to check the Event Logs, not only for events relating to a time change, but also for the sequence of event IDs correlated with the event record generated and written times.

> BTW, I should be getting your
> book sometime this week - and
> the registry chapter is the
> first place I'm headed. ;-)

Good to hear! Recommend it to your friends, and everyone you meet! That way, if the book is popular enough, the publisher will want a second edition...and you should see some of the stuff I've got to add!

H

Anonymous, 2007-10-10T10:01:00.000-05:00

[rant == ON] I wish all of the idiots leaving posts for products or their sites would go away and stay away. [rant == OFF]

This is an interesting subject that deserves some attention. In fact, it is a question that I am currently experimenting with myself. After the new entry is added to the UserAssist key and we have an LWT for it, why do you feel that it isn't all that definitive? Wouldn't it at least give us an approximate time that the Date and Time Control Panel Applet was last launched?

If I'm trying to prove when that happened (because I believe that someone has changed the system time and then modified some files to help cover their tracks), it seems valuable to me. Perhaps there is some other way of limiting my ability to prove this or the LWT, in and of itself, is insufficient. If so, please elaborate.

BTW, I should be getting your book sometime this week - and the registry chapter is the first place I'm headed. ;-)

Anonymous, 2005-10-23T03:16:00.000-05:00

shopping site resources are tough to find. Good post though. Have a look here if you would shopping site (http://www.sportcompactracing.net/info/?content=Shopping)

Anonymous, 2005-10-05T14:16:00.000-05:00

What about http header responses from "known" servers like Google, is it possible to retrieve them from cache or something?