Detecting Clock Changes Using Cookies

The forensics community has found many ways to identify system clock changes. Lee Whitfield’s article and SANS presentation are excellent resources on the topic. In his presentation and in another post, Lee mentions that when someone clicks on a G+ link, the user is first sent to a Google URL that contains a server-side timestamp, then is redirected to the actual linked site. An investigator could examine the browser history to compare this server timestamp to the local computer time to attempt to find evidence of clock manipulation.

[su_button url=”http://www.obsidianforensics.com/blog/detecting-clock-changes-using-cookies” target=”blank” style=”flat” background=”#222348″ size=”5″ radius=”0″]Read Full Article[/su_button]