It is all about time
Jun 16th, 2007 by Jesper Kråkhede
I have done several computer forensics investigations at companies, and I often wonder why time sync in the domain seldom works or is not implemented altogether. Apart from technical issues with Kerberos and such, there is also a big problem when doing investigations if the clock on the client does not match the clock on the servers. I was once called to a case to review an investigation that had gone down the drain. It turned out that the client was five minutes and 22 seconds off the servers, so every log that was matched to the client's behavior was off. This meant in the end that a guy could get off the hook for fraudulent behavior and a gal was caught instead.
So make sure that the clock is set correctly on all servers AND clients.
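
The effect described above can be reproduced with a small timeline correlation. This is an added example, not code from the original post. The session and event data are constructed, the names `attribute`, `compare` and `misattributed` are hypothetical, and the direction of the offset (client clock running fast) is an assumption, since the post only gives its size.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Client clock minus server clock. The post gives the magnitude (5 min 22 s);
# the sign (client running fast) is an assumption made for this example.
CLIENT_SKEW = timedelta(minutes=5, seconds=22)

# Constructed sample data: logon sessions stamped by the client's own clock.
CLIENT_SESSIONS = [
    ("user_a", "2007-06-01 09:00:00", "2007-06-01 10:03:00"),
    ("user_b", "2007-06-01 10:04:00", "2007-06-01 11:30:00"),
]
# Constructed sample data: server log entries for that workstation (server clock).
SERVER_EVENTS = [
    ("2007-06-01 09:30:00", "file opened"),
    ("2007-06-01 10:01:10", "payment approved"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def attribute(event_ts, sessions, skew=timedelta(0)):
    """Return the user whose session covers a server-clock event.

    Session times are converted to server time by subtracting the skew.
    Returns None if no session covers the event.
    """
    when = parse(event_ts)
    for user, start, end in sessions:
        if parse(start) - skew <= when <= parse(end) - skew:
            return user
    return None

def compare(events, sessions, skew):
    """List (timestamp, action, naive_user, corrected_user) for each event."""
    return [(ts, action, attribute(ts, sessions), attribute(ts, sessions, skew))
            for ts, action in events]

def misattributed(events, sessions, skew):
    """Events where ignoring the skew names a different user."""
    return [row for row in compare(events, sessions, skew) if row[2] != row[3]]

if __name__ == "__main__":
    for ts, action, naive, fixed in compare(SERVER_EVENTS, CLIENT_SESSIONS, CLIENT_SKEW):
        flag = "  <-- changes with skew correction" if naive != fixed else ""
        print(f"{ts}  {action:17}  naive={naive}  corrected={fixed}{flag}")
```

Events well inside a session are attributed the same way either way; only those within the skew of a session boundary change hands, which is exactly where a handover between two users sits.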