Elsevier

Digital Investigation

Volume 3, Supplement, September 2006, Pages 98-107

A correlation method for establishing provenance of timestamps in digital evidence

https://doi.org/10.1016/j.diin.2006.06.009
Open access, under a Creative Commons license

Abstract

Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer-generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real-world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.
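As an added illustration of the correlation idea described in the abstract (example code written for this page, not the paper's own method): given browser cache records that pair the local clock's timestamp with a timestamp supplied by the remote server, the script computes the local clock's offset over time, splits the series wherever the offset steps by more than gradual drift could explain, and fits a drift rate to each consistent run. The record format and the use of a server-supplied date as the reference are assumptions.

```python
from datetime import datetime

# Constructed sample records (not from the paper): each pair is the timestamp the
# examined machine's clock gave a browser cache entry and the timestamp carried by
# the server's response (assumed here to be an HTTP Date header). The last entry
# simulates the local clock being set back by hand.
RECORDS = [
    ("2006-03-01T10:02:00", "2006-03-01T10:00:00"),
    ("2006-03-02T10:02:02", "2006-03-02T10:00:00"),
    ("2006-03-03T10:02:04", "2006-03-03T10:00:00"),
    ("2006-03-04T10:02:06", "2006-03-04T10:00:00"),
    ("2006-03-05T10:02:08", "2006-03-05T10:00:00"),
    ("2006-03-06T08:30:00", "2006-03-06T10:00:00"),
]

def offsets(records):
    """(reference_time, local_minus_reference_seconds) per record, sorted by reference."""
    out = []
    for local_s, ref_s in records:
        local, ref = datetime.fromisoformat(local_s), datetime.fromisoformat(ref_s)
        out.append((ref, (local - ref).total_seconds()))
    return sorted(out)

def segments(series, tolerance=60.0):
    """Split where the offset jumps by more than `tolerance` s between records."""
    segs, current = [], [series[0]]
    for prev, cur in zip(series, series[1:]):
        if abs(cur[1] - prev[1]) > tolerance:   # a step drift cannot explain
            segs.append(current)
            current = []
        current.append(cur)
    segs.append(current)
    return segs

def drift_per_day(segment):
    """Least-squares slope of offset vs. reference time in s/day; None if underdetermined."""
    t0 = segment[0][0]
    xs = [(ref - t0).total_seconds() / 86400 for ref, _ in segment]
    ys = [off for _, off in segment]
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - xm) ** 2 for x in xs)
    if sxx == 0:
        return None
    return sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / sxx

def characterise(records, tolerance=60.0):
    """One entry per consistent run of the clock: span, starting offset, drift rate."""
    return [{"start": seg[0][0], "end": seg[-1][0], "initial_offset_s": seg[0][1],
             "drift_s_per_day": drift_per_day(seg)}
            for seg in segments(offsets(records), tolerance)]
```

A run boundary marks a point where the examined machine's clock changed discontinuously, which is exactly where timestamps before and after need separate interpretation.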

Keywords

Digital forensics
Digital evidence
Event correlation
Reverse engineering
Timestamp interpretation

Bradley Schatz is a doctoral candidate at the Information Security Institute at the Queensland University of Technology, Brisbane, Australia. His research focus is digital forensics, knowledge representation, and event correlation. Before entering research, Bradley practised software engineering, IT security and systems management in industries such as banking, entertainment and health.

George Mohay is an Adjunct Professor in the Information Security Institute at the Queensland University of Technology, Brisbane, Australia. Prior to that he had been Head of the School of CS and SE from 1992 to 2002. His current research interests lie in the areas of computer security, intrusion detection, and computer forensics. He is on the Program Committee for RAID, Recent Advances in Intrusion Detection, and is on the program/steering committees of a number of other international conferences. He is General Chair for RAID 2007 to be held on the Gold Coast, Australia.

Andrew Clark is a Senior Research Fellow in the Information Security Institute at Queensland University of Technology. He obtained his PhD in 1998 in the area of cryptography and is currently researching actively in the fields of intrusion detection and computer forensics. He supervises numerous postgraduate research students in these areas and is also an active participant in industrial projects with government and corporate partners.