Time Change Captured in Event Log - Event 577 and 520

Return to Main Forensics Help Page

Often times questions arise as to how to determine whether or not the time was changed on a system.  With regard to NT systems in which event logs are a feature, there are a couple of indicators.

If, and that's a big if, Privilege Use logging is enabled, event 577 indicates a system time change.  By default Windows event logging is anemic at best and Privilege Use logging is not enabled by default.   The screen shots below show what happens.  If you have auditing enabled for system events, you'll get an entry for event 520.

Hint:  If these images aren't clear in your browser, click on the picture and it will launch in its own window for more clarity!  If that isn't good enough, right click on an image, save it locally, and then look at it, zoom into it, etc.  

 

The screen at the left shows privilege use logging enabled.  Don't expect to see this in a default configuration.
The screen at the left shows the resultant event log entries (577 and 520 in pairs) when manually changing the system time.
The screen at the left shows the resultant event log entries (577and 520 when the Atomic Time Clock restores the time to the correct setting after it was manually changed.  Either manual change of the system time or automated tools result in a 577 and 520 entries, assuming again that Privilege Use logging and / or system event logging are / is enabled.
   
Event ID 520 in Windows event viewer shows, under the description, that the system time was changed and by which user.  (Logparser can also be used instead of Event Viewer)
   
To demonstrate how a time change is recorded in XP, I changed the date/time from 2006 to 2005.  Immediately, you can see the sequential records in the Security Event Log jump from 2006 to 2005, which is your first big clue.  The first entry in "2005" is Event ID 520, which records the time change in the Security Event Log.  If you double click on that entry, you can see the properties of that entry.  The detailed description is longer than can be shown in one screen shot, so I copied the contents and placed it in a notepad view immediately to the left of the Event Properties window.  You can clearly see the description stating that "The system time was changed" and further it lists the "Previous Time" and the "New Time".  (Double click on the image to the left to see the details in a "full screen" view.) 
   
Event ID 577 in Windows event viewer shows, under the description, that the SeSystemtimePrivilege was accessed and by which user.
Another indicator of time change can be found.  Locate the app date / time of interest in any of your logs.  In this case we are looking at the system log.  The time is changed by an hour at 7:25 on 6/8/2005.  The event logs are maintained sequentially and suddenly the time drops back an hour.  The moment you "sort by date or time", you lose this sequential capture.  Take a screen shot of it if you see it on a live box.

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.  This field is rapidly evolving and changing as technology marches forward.  It is, therefore, intended to be a growing and evolving resource.  As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site.  My email address is sbunting@udel.edu .  Thank you.

This site created and maintained by: 
 
Steve Bunting
 
Email: sbunting@udel.edu