- ID: AF021
- Created: 07th April 2025
- Updated: 07th April 2025
- Platform: Windows
- Contributor: David Larsen
Windows System Time Modification
The subject modifies the Windows system time in an attempt to obscure the timestamps of any system artifacts that may provide value to investigators.
Prevention
ID | Name | Description |
---|---|---|
PV043 | Restrict Windows System Time Modification | Using Group Policy on Windows, it is possible to block users from modifying the system date/time.
In the Group Policy Editor, navigate to:
Remove any users or groups that do not need this permission. |
PV044 | Windows Time Service Synchronization | The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). While this does not prevent local system tampering, it ensures that any changes are temporary and will only last until the next synchronization.
Alternatively, hosts can be configured to synchronize the system time with an internal or external Network Time Protocol (NTP) server. |
Detection
ID | Name | Description |
---|---|---|
DT109 | Windows Event Log, System Time Modification | Windows Event ID 4616 within the Security log is generated when the system time is modified. This log contains key information for investigators:
|
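
As an added example (not part of the original entry), the following Python code triages exported Event ID 4616 records by comparing each event's `PreviousTime` and `NewTime` data fields and reporting any clock step larger than a threshold, together with the account and process that made it. The sample events, the `suspicious_time_changes` and `parse_time` names, and the 5-second threshold are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT = ('<Event xmlns="' + NS["e"] + '"><System><EventID>4616</EventID></System>'
         '<EventData><Data Name="SubjectUserName">{}</Data>'
         '<Data Name="ProcessName">{}</Data><Data Name="PreviousTime">{}</Data>'
         '<Data Name="NewTime">{}</Data></EventData></Event>')
# Constructed sample (accounts, paths and times are made up): routine drift
# correction, a manual three-day rollback, then the time service undoing it.
SAMPLE = "<Events>" + "".join(EVENT.format(*row) for row in [
    ("LOCAL SERVICE", r"C:\Windows\System32\svchost.exe",
     "2025-04-07T09:15:02.118000000Z", "2025-04-07T09:15:02.120453100Z"),
    ("jsmith", r"C:\Windows\System32\cmd.exe",
     "2025-04-07T14:02:11.000000000Z", "2025-04-04T14:02:00.000000000Z"),
    ("LOCAL SERVICE", r"C:\Windows\System32\svchost.exe",
     "2025-04-04T14:31:40.250000000Z", "2025-04-07T14:31:51.250000000Z"),
]) + "</Events>"

def parse_time(value):
    # 4616 timestamps carry 9 fractional digits; datetime keeps 6, so trim.
    stamp, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(f"{stamp}.{frac[:6] or '0'}", "%Y-%m-%dT%H:%M:%S.%f")

def suspicious_time_changes(xml_text, max_drift_seconds=5.0):
    """Return 4616 events whose clock step exceeds max_drift_seconds.

    The threshold is an assumed value; tune it to the drift corrections
    normally seen in the environment.
    """
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4616":
            continue
        d = {x.get("Name"): x.text for x in ev.iterfind("e:EventData/e:Data", NS)}
        delta = (parse_time(d["NewTime"]) - parse_time(d["PreviousTime"])).total_seconds()
        if abs(delta) > max_drift_seconds:
            # Negative delta: clock moved backwards; positive: moved forwards.
            hits.append({"user": d["SubjectUserName"],
                         "process": d["ProcessName"],
                         "delta_seconds": delta})
    return hits

if __name__ == "__main__":
    for hit in suspicious_time_changes(SAMPLE):
        print(hit)
```

A large backward step by an interactive account followed by an equally large forward step from the time service brackets the window in which artifact timestamps on the host should be treated as unreliable.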