How to Detect System Time Manipulation
Posted on Tuesday, 28 December 2010 by admin
There are several ways to detect time manipulation, e.g. log analysis or examining the MAC dates of the restore point records in the System Volume Information directory. There is another simple method which I think can be useful.
The goal is to examine the UserAssist keys in the registry: if the Control Panel Date and Time applet was run, there will be a record of it there.

User Assist Registry Key
UserAssist is a feature that helps Explorer place the most often used applications in the Start Menu. For it to work, every run of an application in Windows is recorded in the registry. Besides the name and path of the application, we also get the number of previous runs and the date of the last run. UserAssist is located under the key:
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USERASSIST\[GUID]\COUNT
I have placed an example screenshot. After launching the Time and Date Control Panel applet, timedate.cpl, we will see something like it. As we can observe, the value names are obfuscated with the ROT13 algorithm. ROT13 is a simple rotation of every LETTER by 13 positions in the alphabet (digits and punctuation are left unchanged). You can encode/decode it here
ROT13( Timedate.cpl ) = gvzrqngr.pcy
The binary value of the record holds the Session ID at offset 0x00, the Counter at offset 0x04 and the Last Access Date at offset 0x08. The counter is a plain decimal value, but it starts from 6, which equals one run of the application. The date is stored in the standard Windows date and time format (FILETIME), so you have to convert it.
You can also confirm the last access date with the MAC attributes of the timedate.cpl file in the Windows folder.
In the most common form of time manipulation, the user changes the Date and Time settings, performs the actions he wanted to do under the altered time, and then changes it back. In the best case we will see a counter equal to 7, which means two runs of the applet.
What next? We now have a suspicious date and time, so we can perform a closer examination of the logs from that period.
A detailed description of UserAssist in the context of computer investigations can be found e.g. here
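To show the decoding described above end to end, here is an added example (not code from the original post) that ROT13-decodes a UserAssist value name, unpacks the 16-byte record at the offsets given in the text, converts the counter to a real run count and the FILETIME to UTC, and then filters for timedate.cpl. The sample value and its timestamp are constructed for the example, not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# XP-era UserAssist COUNT value layout (from the post): session ID at 0x00,
# run counter at 0x04 (6 means one run), last-access FILETIME at 0x08.
RECORD = struct.Struct("<IIQ")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def rot13_name(value_name: str) -> str:
    """Undo the ROT13 obfuscation of a UserAssist value name."""
    return codecs.decode(value_name, "rot_13")

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_record(value_name: str, data: bytes) -> dict:
    """Decode one COUNT value: decoded name, session, real run count, last run."""
    if len(data) < RECORD.size:
        raise ValueError("UserAssist record too short: %d bytes" % len(data))
    session, counter, ft = RECORD.unpack_from(data)
    return {
        "name": rot13_name(value_name),
        "session": session,
        "runs": counter - 5,  # counter 6 == one run, 7 == two runs
        "last_run": filetime_to_datetime(ft),
    }

def timedate_runs(values: dict) -> list:
    """Return decoded records for timedate.cpl, the Date and Time applet."""
    hits = []
    for name, data in values.items():
        rec = parse_record(name, data)
        if rec["name"].lower().endswith("timedate.cpl"):
            hits.append(rec)
    return hits

# Constructed sample value: ROT13 name and packed data for two runs of
# timedate.cpl, last run 28 Dec 2010 10:15 UTC. Not taken from a real system.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\gvzrqngr.pcy"
SAMPLE_LAST_RUN = datetime(2010, 12, 28, 10, 15, tzinfo=timezone.utc)
SAMPLE_DATA = RECORD.pack(
    1, 7, ((SAMPLE_LAST_RUN - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)

if __name__ == "__main__":
    for rec in timedate_runs({SAMPLE_NAME: SAMPLE_DATA}):
        print(rec["name"], "runs:", rec["runs"], "last:", rec["last_run"].isoformat())
```

On a live Windows system the same name/data pairs can be enumerated from the Count subkey with the standard library's winreg module and passed to timedate_runs unchanged.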
Category Article Antiforensic posts, Computer forensics posts, tutorial