Timezone

Location and Format

There are two locations to check to confirm the timezone of the system under analysis: one is a registry key, the other is the System event log.

- SYSTEM\CurrentControlSet\Control\TimeZoneInformation
- %SystemRoot%\System32\winevt\Logs\System.evtx

Purpose

The registry key identifies the current timezone of the system on its own, but the System event logs (Event IDs 4616 and 6013) are worth checking too, because they can track historical changes to it.

Forensic Uses

The timezone is a critical piece of information to record. Without it, some Windows artifacts cannot be interpreted correctly, since their timestamps only make sense once the system timezone is known.
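As an added worked example (not part of the original page): decoding the raw value data of the TimeZoneInformation key the way a hive parser would return it, then using the active bias to convert a UTC event-log timestamp into system local time. The value bytes and the timezone used here are constructed for the example, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of the raw REG_DWORD / REG_SZ data for
# SYSTEM\CurrentControlSet\Control\TimeZoneInformation on a host set to
# W. Europe Standard Time with DST in effect (assumption for this example).
# Windows semantics: UTC = local time + Bias (in minutes), so zones east of
# UTC have a negative Bias stored as a two's-complement DWORD.
SAMPLE_TZ_VALUES = {
    "Bias": struct.pack("<i", -60),
    "StandardBias": struct.pack("<i", 0),
    "DaylightBias": struct.pack("<i", -60),
    "ActiveTimeBias": struct.pack("<i", -120),   # bias currently in effect
    "TimeZoneKeyName": "W. Europe Standard Time\0".encode("utf-16-le"),
}


def reg_dword_signed(raw: bytes) -> int:
    """Decode a REG_DWORD as a signed 32-bit little-endian integer."""
    return struct.unpack("<i", raw[:4])[0]


def reg_sz(raw: bytes) -> str:
    """Decode a NUL-terminated UTF-16LE REG_SZ value."""
    return raw.decode("utf-16-le").split("\0", 1)[0]


def parse_timezone_information(values: dict) -> dict:
    """Summarise the key: name, standard bias, active bias, and whether DST is on."""
    bias = reg_dword_signed(values["Bias"])
    standard_bias = reg_dword_signed(values["StandardBias"])
    active_bias = reg_dword_signed(values["ActiveTimeBias"])
    return {
        "name": reg_sz(values["TimeZoneKeyName"]),
        "bias_minutes": bias,
        "active_bias_minutes": active_bias,
        # When DST is active, ActiveTimeBias = Bias + DaylightBias rather
        # than Bias + StandardBias.
        "dst_active": active_bias != bias + standard_bias,
    }


def utc_to_local(utc_iso: str, active_bias_minutes: int) -> str:
    """Convert a UTC timestamp (e.g. from an .evtx record) to system local time."""
    utc_ts = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    local_tz = timezone(timedelta(minutes=-active_bias_minutes))
    return utc_ts.astimezone(local_tz).isoformat()


if __name__ == "__main__":
    info = parse_timezone_information(SAMPLE_TZ_VALUES)
    print(info)
    print(utc_to_local("2023-07-01T12:00:00", info["active_bias_minutes"]))
```

The signed decoding matters because the bias values for zones east of UTC (such as the one constructed above) appear as large unsigned numbers in raw hive output.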

Analysis Tools

- https://www.sans.org/tools/registry-explorer/
- https://eventlogxp.com/

Example Analysis

pending
