TRUETIME is designed to help law enforcement accurately record the time set on a personal computer which has been seized or is about to be analysed.
TRUETIME will echo to the screen the date, time and time zone as entered by the operator which can be used as a record of the correct time at which the computer is being handled.
TRUETIME will also echo to the screen the current internal CMOS time setting of the computer, which can be recorded and compared with the true time for future forensic purposes.
It is suggested that TRUETIME be run from within a batch file in order to fasciliate more automated operation.
When TRUETIME is run it asks the user to input the correct current date in MM-DD-YYYY format. It then asks the user to input the current time in HH:MM format. (seconds are not recorded because most people donít get that fine with their watches.)
These two values are then echoed to the screen (as shown below), and by using command line redirection these values can be redirected to a suitable output file for future reference.
Current proper correct date is: 09-30-1998
Current proper correct time is: 14:30
TRUETIME then captures the current system time from the computers internal clock and shows it on the screen. Again with proper command line redirection, this time is placed in the output file for later comparison of differences between computer time, and actual time.
Current local computer time is Wed Sep 30 11:09:24 1998
TRUETIME then shows a list of world time zones on the screen and allows the user to pick the time zone which the computer is set to, or which you are currently operating under. This information is also echoed to the screen as shown along with the standard offset from Greenwich UTC. (be careful to remember to compensate for Daylight Savings time, as the program makes no adjustments).
Local Time Zone is: Eastern Standard, -5 hours.
If the output of the program is redirected to a file, the combined output of the question and answer routine is shown below:
Current proper correct date is: 09-30-1998 Current proper correct time is: 13:54 Current local computer time is Wed Sep 30 11:14:39 1998 Local Time Zone is: Eastern Standard, EST5EDT, -5 hours
By having this information recorded and available, the investigator can later determine the exact number of hours the computer clock may be in error. (In the example above, the clock is seen to be 2 hours 40 minutes off). This time difference may be significant in some cases.
This output file also serves as an audit trail as to the time the analysis was actually run.
TRUETIME also exits with a DOS errorlevel equal to the number of hours from GMT. This can be used to additionally set an environment variable to the correct time zone. (NOTE: for exit values above 12, you need to subtract the exit value from 12, thus giving a negative number.) See the section of the batch file here:
@echo off trutime >> outputfilename if errorlevel 25 goto not_set if errorlevel 24 goto minus_twelve if errorlevel 23 goto minus_eleven if errorlevel 22 goto minus_ten if errorlevel 21 goto minus_nine if errorlevel 20 goto minus_eight if errorlevel 19 goto minus_seven if errorlevel 18 goto minus_six if errorlevel 17 goto minus_five if errorlevel 16 goto minus_four if errorlevel 15 goto minus_three if errorlevel 14 goto minus_two if errorlevel 13 goto minus_one if errorlevel 12 goto twelve if errorlevel 11 goto eleven if errorlevel 10 goto ten if errorlevel 9 goto nine if errorlevel 8 goto eight if errorlevel 7 goto seven if errorlevel 6 goto six if errorlevel 5 goto five if errorlevel 4 goto four if errorlevel 3 goto three if errorlevel 2 goto two if errorlevel 1 goto one if errorlevel 0 goto zero
Because of the way batch files must be set up, the higher numbers should be checked first. You can use your imagination of what should go into the goto tags.
There are no options available for this program.
C:>truetime /* echo everthing to the screen */
C:>truetime >> output.fle /* send output to the file */
Some uses of the program.
For forensic purposes, record the correct current date and time and the internal clock time of the computer.
Do this for future reference as to when the procedure was run, and the computer was analyzed.