System Time Modification

A subject modifies the Linux system time, time zone, hardware clock, or time synchronization configuration to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication records, shell history, service execution, package activity, scheduled jobs, and other host-based artifacts used to reconstruct subject activity.

On Linux systems, this behavior may involve commands or utilities such as timedatectl, date, hwclock, or changes to time synchronization services such as NTP, Chrony, or systemd-timesyncd.

A subject modifies the macOS system date, time, time zone, network time configuration, or time server settings to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file system artifacts, application activity, shell commands, authentication events, endpoint telemetry, browser history, document access, and other evidence used to reconstruct subject activity.

On macOS systems, this behavior may involve manual changes through System Settings or command-line modification using administrative utilities such as systemsetup or date. The subject may also disable automatic time synchronization, alter the configured network time server, or change the system time zone to introduce ambiguity into local timestamps.

A subject modifies the Windows system time, time zone, or time synchronization behavior to obscure timestamps associated with local artifacts, event logs, file activity, process execution, or other evidence relevant to an insider threat investigation.

On Windows systems, this behavior may involve manual date and time changes, abuse of the “Change the system time” user right, modification of Windows Time service behavior, or use of administrative tooling to alter clock settings.