Authors: Florian Buchholz (James Madison University) and Brett Tjaden (James Madison University)
DFRWS USA 2007
Abstract
In this paper we describe the first large-scale, long-term study of how hosts connected to the Internet manage their clocks. This is important for forensic investigations when there is a need for correlation of events collected from disparate sources, as well as for the correlation of computer events to “real” time. We have sampled over 8000 web servers on the Internet on a regular basis for a period of over six months. We have found that only about 74% of the hosts we observed were within 10 s of our reference time (UTC). The other hosts exhibited a large variety of different clock behaviors, some of which are explainable by existing clock models, some not, warranting further research in the area of forensic time and clock analysis