Hi Dave,
thanks. i saw in a TV reconstruction of a murder investigation
in nz where the husband tampered with the system time to show
that the computer was used during the murder to confuse the
investigator. The computer forensic examiner was able to show
that the system time was changed and reset to the correct time
later(but never said how as this is a their trade secret).
Something was mentioned about the system time changes were
saved/logged somewhere. Is it possible that system time change
is logged by the system? Gus
That may be logged with aggressive auditing enabled perhaps. Not
certain. Suggest you look at auditing Privilege Use and System
Events as a start. And assuming NT5.x
But in theoretical terms, any account with authority to change the
system time might also be able to clear the audit logs... YMMV.
Since it appears the "husband" had full local access nearly
anything is possible...including forgetting to clear audited
events. <G>