Insider Threat Matrix™
  • ID: PV044
  • Created: 07th April 2025
  • Updated: 07th April 2025
  • Platform: Windows
  • Contributor: The ITM Team

Windows Time Service Synchronization

The Windows Time service (W32Time) synchronizes the date and time for all computers managed by Active Directory Domain Services (AD DS). While this does not prevent local tampering with the system clock, it ensures that any changes are temporary and will only last until the next synchronization.

Alternatively, hosts can be configured to synchronize the system time with an internal or external Network Time Protocol (NTP) server.
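One way to check on a host that this prevention is actually in effect, as an added example that is not part of the Insider Threat Matrix entry: it reports the W32Time service state, the configured time source, and recent time-change events. The function name `Get-TimeSyncPosture` and the 7-day look-back window are assumptions made for illustration.

```powershell
# Added example (not ITM code): report a host's time synchronization posture.
# Run elevated; reading the Security log requires administrative rights.
function Get-TimeSyncPosture {
    param([int]$Days = 7)   # look-back window for time-change events (assumed value)
    $findings = @()

    # W32Time must be running, and not disabled, for synchronization to happen.
    $svc = Get-CimInstance Win32_Service -Filter "Name='W32Time'"
    if (-not $svc) { $findings += 'W32Time service not found' }
    else {
        if ($svc.State -ne 'Running')      { $findings += "W32Time is $($svc.State)" }
        if ($svc.StartMode -eq 'Disabled') { $findings += 'W32Time start mode is Disabled' }
    }

    # Parameters\Type selects the source: NT5DS = domain hierarchy,
    # NTP = manual peer list, AllSync = both, NoSync = no synchronization.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p.Type)             { $findings += 'Parameters\Type is missing' }
    elseif ($p.Type -eq 'NoSync') { $findings += 'Type is NoSync: clock is never corrected' }
    elseif ($p.Type -eq 'NTP' -and -not $p.NtpServer) {
        $findings += 'Type is NTP but NtpServer is empty'
    }

    # Security event 4616 ("The system time was changed") records the account and
    # process behind each change; routine W32Time corrections are logged here too.
    $changes = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4616; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Logged  = $evt.TimeCreated
            Account = $d['SubjectUserName']
            Process = $d['ProcessName']
        }
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        SyncType    = $p.Type
        NtpServer   = $p.NtpServer
        Source      = (w32tm /query /source 2>&1 | Out-String).Trim()
        Findings    = $findings
        TimeChanges = $changes
    }
}
Get-TimeSyncPosture | Format-List
```

An empty `Findings` list together with a `Source` that names a domain controller or NTP server indicates the host is being corrected as described above. Event 4616 is only written when the Audit Security State Change subcategory is enabled.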

Sections

ID Name Description
AF032 System Time Modification

A subject modifies the system date, time, time zone, hardware clock, or time synchronization configuration of a device to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication events, process execution, log generation, scheduled activity, or other forensic artifacts used to reconstruct subject activity.

System time modification may be performed before, during, or after an infringement to create ambiguity in the investigative timeline, frustrate correlation between endpoint, identity, network, and application telemetry, or cause investigators to misinterpret the sequence of events. The behavior should be assessed in context with administrative privilege use, time synchronization changes, endpoint telemetry gaps, and inconsistencies between local artifacts and centralized logging sources.

AF032.001 Windows System Time Modification

A subject modifies the Windows system time, time zone, or time synchronization behavior to obscure timestamps associated with local artifacts, event logs, file activity, process execution, or other evidence relevant to an insider threat investigation.

On Windows systems, this behavior may involve manual date and time changes, abuse of the “Change the system time” user right, modification of Windows Time service behavior, or use of administrative tooling to alter clock settings.