Authors: Céline Vanini, Christopher J. Hargreaves, Harm van Beek, Frank Breitinger

DFRWS USA 2024

Abstract

Timestamps and their correct interpretation play a crucial role in digital forensic investigations, particularly when the objective is to establish a timeline of events, also known as event reconstruction. However, the way these timestamps are generated depends heavily on an internal clock, or ‘system time’, from which many of them are derived. Consequently, when this system time is skewed due to tampering, natural clock drift, or system malfunctions, the recorded timestamps will not reflect the actual times at which the (real-world) events occurred. This raises the question of how to validate the correctness of the system clock at the moment timestamps were recorded and, if it is found to be incorrect, how to determine the system clock skew. To address this problem, this paper defines several important concepts, such as time anchors, anchoring events, non-anchoring events and time anomalies, which can be used to determine whether the system time was correct. Using two examples – a Google search and a file creation – and comparing correct and skewed versions of the same set of performed actions, we illustrate the use and potential benefits of time anchors to demonstrate the correctness of the system clock for event reconstruction.
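The abstract describes comparing timestamps derived from the system clock against external time anchors to decide whether the clock was correct and, if not, to estimate its skew. The following Python example is added here to make that idea concrete; it is not code from the paper or its authors. The event names, the anchor values and the tolerance thresholds are constructed for illustration, and the anchoring events stand in for things like the Date header of a Google search response whose time comes from a server clock rather than the local one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Event:
    """One reconstructed event.

    local  : timestamp as recorded by the examined system (derived from its clock)
    anchor : externally sourced time for the same moment, present only for
             anchoring events (e.g. a server-supplied HTTP Date header); None for
             non-anchoring events such as a local file creation.
    """
    name: str
    local: datetime
    anchor: Optional[datetime] = None


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-03-01T10:00:02Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def per_anchor_skew(e: Event) -> float:
    """Skew in seconds of the system clock relative to this anchor (local minus anchor)."""
    return (e.local - e.anchor).total_seconds()


def estimate_skew(events: List[Event], tolerance: float = 5.0) -> Tuple[float, List[str]]:
    """Estimate the clock skew from all anchoring events.

    Returns the median per-anchor skew and the names of anchoring events whose
    individual skew deviates from that consensus by more than `tolerance`
    seconds. Such disagreement is a time anomaly: either the clock changed
    during the session or an anchor is not trustworthy.
    """
    anchored = [e for e in events if e.anchor is not None]
    if not anchored:
        raise ValueError("no anchoring events: clock correctness cannot be assessed")
    consensus = median(per_anchor_skew(e) for e in anchored)
    anomalies = [e.name for e in anchored
                 if abs(per_anchor_skew(e) - consensus) > tolerance]
    return consensus, anomalies


def clock_was_correct(events: List[Event], max_skew: float = 60.0) -> bool:
    """True when the anchors agree and the consensus skew is within `max_skew` seconds."""
    skew, anomalies = estimate_skew(events)
    return not anomalies and abs(skew) <= max_skew


def corrected_timeline(events: List[Event], skew: float) -> List[Tuple[str, datetime]]:
    """Shift every local timestamp by the estimated skew to recover real-world times.

    Non-anchoring events (no external reference of their own) benefit most, since
    this is the only way to place them on the corrected timeline.
    """
    return [(e.name, e.local - timedelta(seconds=skew)) for e in events]


# Constructed sessions (not from the paper): the same actions recorded with a
# correct clock and with a clock running one hour behind real time.
CORRECT_SESSION = [
    Event("google_search_response", ts("2024-03-01T10:00:01Z"), ts("2024-03-01T10:00:02Z")),
    Event("file_created",           ts("2024-03-01T10:01:30Z")),
    Event("second_http_response",   ts("2024-03-01T10:02:01Z"), ts("2024-03-01T10:02:01Z")),
]

SKEWED_SESSION = [
    Event("google_search_response", ts("2024-03-01T09:00:00Z"), ts("2024-03-01T10:00:02Z")),
    Event("file_created",           ts("2024-03-01T09:01:30Z")),
    Event("second_http_response",   ts("2024-03-01T09:02:00Z"), ts("2024-03-01T10:02:01Z")),
]

# A session in which the clock was corrected part-way through: the last anchor
# disagrees with the earlier ones and is reported as an anomaly.
ANOMALOUS_SESSION = SKEWED_SESSION + [
    Event("late_http_response", ts("2024-03-01T10:05:00Z"), ts("2024-03-01T10:05:00Z")),
]


if __name__ == "__main__":
    for label, session in (("correct", CORRECT_SESSION), ("skewed", SKEWED_SESSION),
                           ("anomalous", ANOMALOUS_SESSION)):
        skew, anomalies = estimate_skew(session)
        print(f"{label}: skew={skew:+.1f}s anomalies={anomalies} "
              f"clock_ok={clock_was_correct(session)}")
        for name, when in corrected_timeline(session, skew):
            print(f"   {name:24s} {when.isoformat()}")
```

Taking the median of the per-anchor skews rather than trusting a single anchor means one unreliable reference (or a clock change mid-session) shows up as an anomaly instead of silently corrupting the whole corrected timeline; the tolerance absorbs ordinary network latency between a request and the server's response time.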
