Hardware Clock Time
Overview
Evidence: Hardware Clock Time
Description: Display the current hardware clock time
Category: System
Platform: esxi
Short Name: hwclk
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The hardware clock (RTC) maintains system time independently of the operating system. Time accuracy is critical for forensic timeline analysis, log correlation, and detecting time-based anti-forensics techniques such as timestomping or clock manipulation used to hide malicious activity.
Data Collected
This collector gathers structured data about hardware clock time.
Hardware Clock Time Data
| Field | Description | Example |
|---|---|---|
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| AccessCount | Access Count | 123 |
| URL | URL | Example value |
| Browser | Browser | Example value |
| Title | Title | Example value |
| VisitDuration | Visit Duration | Example value |
| Referrer | Referrer | Example value |
| TypedCount | Typed Count | 123 |
| IsHidden | Is Hidden | true |
| TransitionType | Transition Type | Example value |
| VisitID | Visit ID | 123 |
| TransitionQualifiers | Transition Qualifiers | Example value |
| User | User | Example value |
| Profile | Profile | Example value |
| HistoryFilePath | History File Path | Example value |
Collection Method
This collector captures the current hardware clock time from the system’s Real-Time Clock (RTC), recording the timestamp at collection to establish a time reference point for the investigation.
Forensic Value
Comparing the hardware clock with system time reveals time synchronization issues, detects deliberate clock manipulation used to evade detection or hide the timing of activity, and provides an independent time source for validating event timelines when system time may have been tampered with.
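The comparison described above, as an added example that is not part of the collector or the product's own code: it measures the skew between an RTC reading and the OS clock, then checks log timestamps against the RTC reference. All sample values, the function names and the 5-second tolerance are assumptions constructed for illustration; the timestamp layout follows the example format in the field table.

```python
from datetime import datetime, timedelta

# Constructed sample values (not real collector output).
HWCLOCK = "2023-10-15 14:30:25+03:00"   # RTC reading at collection
SYSCLOCK = "2023-10-15 11:12:40+00:00"  # OS clock read at the same moment
EVENTS = [  # (log timestamp, message), in the order they appear in the log
    ("2023-10-15 11:05:02+00:00", "ssh login accepted"),
    ("2023-10-15 10:41:17+00:00", "service restarted"),
    ("2023-10-15 11:45:00+00:00", "file modified"),
]

def parse(ts):
    """Parse an offset-aware timestamp; naive ones cannot be compared safely."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {ts!r}")
    return dt

def clock_skew(hw, sys_):
    """Return system time minus hardware time (positive: OS clock is ahead)."""
    return parse(sys_) - parse(hw)

def review(hw, sys_, events, tolerance=timedelta(seconds=5)):
    """Flag clock disagreement and log entries that conflict with the RTC reference."""
    findings = []
    skew = clock_skew(hw, sys_)
    if abs(skew) > tolerance:
        findings.append(
            f"skew: system clock differs from RTC by {skew.total_seconds():+.0f}s")
    rtc_now, previous = parse(hw), None
    for ts, msg in events:
        when = parse(ts)
        # An entry stamped later than the RTC's "now" cannot be trusted as written.
        if when > rtc_now + tolerance:
            findings.append(f"future: '{msg}' is stamped after the RTC collection time")
        # Timestamps running backwards within one log suggest the clock was stepped.
        if previous is not None and when < previous:
            findings.append(f"backward: '{msg}' is stamped earlier than the preceding entry")
        previous = when
    return findings

if __name__ == "__main__":
    for line in review(HWCLOCK, SYSCLOCK, EVENTS):
        print(line)
```

A backward step can also come from a legitimate time-sync correction, so each finding is a lead to verify against other evidence rather than proof of tampering.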