# Hardware Clock Time ## Overview **Evidence:** Hardware Clock Time\ **Description:** Display the current hardware clock time\ **Category:** System\ **Platform:** esxi\ **Short Name:** hwclk\ **Is Parsed:** Yes\ **Sent to Investigation Hub:** Yes\ **Collect File(s):** No ## Background Hardware clock (RTC) maintains system time independently of the operating system. Time accuracy is critical for forensic timeline analysis, log correlation, and detecting time-based anti-forensics techniques like timestomping or clock manipulation to hide malicious activities. ## Data Collected This collector gathers structured data about hardware clock time. ### Hardware Clock Time Data | Field | Description | Example | | ---------------------- | --------------------- | ------------------------- | | `AccessTime` | Access Time | 2023-10-15 14:30:25+03:00 | | `AccessCount` | Access Count | 123 | | `URL` | URL | Example value | | `Browser` | Browser | Example value | | `Title` | Title | Example value | | `VisitDuration` | Visit Duration | Example value | | `Referrer` | Referrer | Example value | | `TypedCount` | Typed Count | 123 | | `IsHidden` | Is Hidden | true | | `TransitionType` | Transition Type | Example value | | `VisitID` | Visit ID | 123 | | `TransitionQualifiers` | Transition Qualifiers | Example value | | `User` | User | Example value | | `Profile` | Profile | Example value | | `HistoryFilePath` | History File Path | Example value | ## Collection Method This collector captures the current hardware clock time from the system's Real-Time Clock (RTC), recording the timestamp at collection to establish a time reference point for the investigation. ## Forensic Value Hardware clock comparison with system time reveals time synchronization issues, detects deliberate clock manipulation used to evade detection or hide activity timing, and provides an independent time source for validating event timelines when system time may have been tampered with.