Friday, October 18, 2019

Changing the BIOS Clock - Essay Example

Event logs in Windows 7 and Vista have a default size of 20 MB, while in Windows XP the default size of an event log is 512 KB. Event logs work in the same way in Windows XP, Windows 7 and Vista: they fill in the order in which events occur, and once a log is full it wraps to the beginning and overwrites the oldest events. Where the BIOS clock has been changed, discrepancies in the order of events become evident, because each entry is stamped with the system time at which it was recorded. Ordering the event log entries by file set and parsing the event logs shows whether the system clock has been altered: if the dates jump backward and then forward again, that is evidence that the system clock was changed, whereas if parsing and ordering the entries shows no such activity, the clock was not altered. If the BIOS clock has been altered on Windows 7 or Windows Vista, the change itself is also recorded in the event log as event ID 1.

Evidence that files were created or accessed while the BIOS clock was being changed can be found on the computer in the link files. Link files record the dates and times at which files were accessed. These values are recorded when the operating system starts at the beginning of a session, and all link files from the same session carry the same sequence value (Whitfield, 2012, p. 4). The sequence numbers within object IDs make it possible to arrange files in chronological order; where the computer clock has been altered, the times and the dates will be anomalous.
In Windows XP, the sequence number is recorded when the system is booted, so where the clock has been tampered with and moved forward and backward, evidence can be obtained from the sequence value, because the system will have recorded the order in which specific files were originally accessed. The system records the date and time when the computer is booted at the beginning of the session. An object ID is created, and the same date is recorded for all object IDs created in that boot session; the sequence value is also the same throughout that boot session. Where the clock has been changed to an earlier time, the sequence value increments in the next boot session while the date in the object ID appears out of synchronization (Parsonage, 2008, p. 15).

References

Parsonage, H. (2008). The Meaning of Link Files in Forensic Examinations. Retrieved from http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf

Whitfield, L. (2012). Detecting CMOS Clock Changes. Retrieved from http://www.forensic4cast.com/category/tech/

DQ 2: Honey Net Challenge

Question 1: Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?

Joe Jacob's supplier of marijuana is a person named Jimmy Jungle, and his address is given as 626 Jungle Avenue #2, Jungle, New York 11111. Evidence of the supplier's name can be obtained from a letter on the floppy disk: a deleted Word document from Joe Jacob to his marijuana supplier, in which the supplier's name and address can be clearly seen.
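The object ID sequence-value check described in the two paragraphs on link files and boot sessions above, as an added Python example that is not part of the essay or of the cited papers. It assumes, following the essay, that the "sequence value" is the 14-bit clock sequence of the version-1 GUID used as an object ID and that the GUID's timestamp field is the creation time; the function names and the sample GUIDs are constructed here.

```python
import uuid
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01)
UUID_EPOCH_OFFSET = 0x01B21DD213814000

def make_object_id(ts, clock_seq, node=0x0050563C1234):
    """Build a version-1 GUID from its parts (used here only to construct sample data)."""
    d = ts - UNIX_EPOCH
    t = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10 + UUID_EPOCH_OFFSET
    fields = (t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, ((t >> 48) & 0x0FFF) | 0x1000,
              0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node)
    return str(uuid.UUID(fields=fields))

def decode_object_id(guid):
    """Return (creation time, clock sequence) from a version-1 object ID GUID.
    Assumption taken from the essay: the clock sequence is the per-boot
    'sequence value' shared by every object ID created in one session."""
    u = uuid.UUID(guid)
    if u.version != 1:
        raise ValueError(f"{guid} is not a time-based (version-1) GUID")
    ts = UNIX_EPOCH + timedelta(microseconds=(u.time - UUID_EPOCH_OFFSET) // 10)
    return ts, u.clock_seq

def find_clock_anomalies(guids):
    """Group object IDs into boot sessions by sequence value, walk the sessions in
    sequence order, and flag a session whose earliest creation time precedes the
    previous session's latest one: the clock was set back between those boots.
    The 14-bit sequence wraps, so this ordering assumes no wrap within the sample."""
    sessions = {}
    for g in guids:
        ts, seq = decode_object_id(g)
        sessions.setdefault(seq, []).append(ts)
    ordered = sorted(sessions.items())
    anomalies = []
    for (prev_seq, prev_ts), (seq, cur_ts) in zip(ordered, ordered[1:]):
        if min(cur_ts) < max(prev_ts):
            anomalies.append((prev_seq, seq, max(prev_ts), min(cur_ts)))
    return anomalies

# Constructed sample: three boot sessions; the clock was set back a day before the second.
SAMPLE_GUIDS = [
    make_object_id(datetime(2019, 10, 18, 9, 0, tzinfo=timezone.utc), 0x1A2B),
    make_object_id(datetime(2019, 10, 18, 9, 30, tzinfo=timezone.utc), 0x1A2B),
    make_object_id(datetime(2019, 10, 17, 22, 0, tzinfo=timezone.utc), 0x1A2C),
    make_object_id(datetime(2019, 10, 19, 8, 0, tzinfo=timezone.utc), 0x1A2D),
]
```

Calling find_clock_anomalies(SAMPLE_GUIDS) reports one anomaly: the session with sequence 0x1A2C begins before the last object ID of session 0x1A2B, which is the out-of-synchronization pattern the essay describes.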
