Authors: Céline Vanini, Frank Breitinger and Christopher Hargreaves
DFRWS EU 2023
Abstract
Event reconstruction is critical in digital forensics for inferring activities from observed digital traces. A significant body of research has explored timeline analysis, highlighting key challenges: extracting timestamps from diverse file systems, handling large event volumes, and addressing issues like clock skew, time zones, and adversarial timestamp manipulation. While extensive research and tool development have advanced timestamp extraction and interpretation, less focus has been given to assessing the quality and reliability of timestamps themselves. These challenges not only complicate the direct extraction and interpretation of timestamps but also influence the broader process of event reconstruction. Uncertainties in timestamp reliability can propagate through an analysis, affecting how sequences of actions are inferred. This presentation explores how such challenges emerge at different stages of forensic analysis and examines their potential impact on reconstructing event timelines. To illustrate these complexities, this presentation introduces a diagram for event reconstruction, inspired by seminal work in forensic science, that maps where these issues can arise during the process.