Home |  Log In  
Forensics and eDiscovery technologies for Mac OS X, Microsoft Windows, and Linux

Finding the system time and date on a Mac

Acquiring the computer time from a Mac is a common task for many investigators. Having the computer time allows and investigator to correlate computer events to actual time frames and may help secure a conviction.

Macs sold after March of 2001 will most likely have Mac OS X loaded on them and all Intel Macs run Mac OS X only. PowerPC Macs run Open Firmware from Sun. Intel Macs use EFI (Extensible Firmware Interface).

Determining if a firmware password is set

Before you can boot info Single User Mode, you must first determine if the user has set an firmware password on the system. An firmware password would prevent the investigator from booting into Single User Mode to determine the system's time and date. The firmware password can be reset but doing do also resets the system time also. To determine if there is an firmware password set, do the following:

  • Power on the Mac while holding down the Option key.
    • If you are presented with a screen showing the bootable partitions on the system then there is no firmware password set.
    • If you are presented with a password screen then there is an firmware password and you will not be able to boot into Single User Mode.
  • Once you have determined if there is an firmware password, power the Mac down by holding power button until the system powers off.

Finding the system date and time via Single User Mode

  1. Press the Power button and immediately hold down the Command (Apple) and S key. Doing so will make the Mac boot up in Single User Mode.
  2. Once booted into Single User Mode, you will see text across the top of the screen along with a command prompt. Type date and press the Enter key. The Mac will return the computer's current date and time along with the user configured time zone.
  3. You can then power down the computer safely.

 

Another option for finding the Mac's system time is to boot from the Mac OS X install CD/DVD. Once booted from the CD/DVD, select Terminal from the Utilities menu. In the Terminal type date and then press Enter. The system time and date will be shown. You may also boot from a Linux Live CD and get the system time using the terminal within Linux.


Product 13/34

Finding the Original Registrant of Mac OS XPrevious
Return to the Product List
NextFirefox Artifacts
 | Home | 

Copyright © 2006 - 2010 MacForensicsLab Inc.
Phone +1 (510) 870-7883 - Fax +1 (510) 868 3407
Mac and the Mac logo are trademarks of Apple Computer, Inc., registered in the U.S. and other countries.

Forensics Technologies - designed to perform investigations, for law enforcement and eDiscovery professionals.

MacForensicsLab - The only effective cross-platform weapon in the war on Cyber Crime and Digital Terrorism,
with unique tools designed to combat identity theft and child pornography.

Your IP Address is: 184.72.91.94