Two research articles have been accepted for publication at the Digital Forensics Research Conference US 2024 in Baton Rouge (Louisiana). Thank you to all my co-authors. The publications are as follows:
- Beyond Timestamps: Integrating Implicit Timing Information into Digital Forensic Timelines with Lisa Marie Dreier, Céline Vanini, Chris Hargreaves, and Felix Freiling.
- Was the Clock Correct? Exploring Timestamp Interpretation Through Time Anchors for Digital Forensic Event Reconstruction with Céline Vanini, Chris Hargreaves, and Harm van Beek.
The articles are available open access. You can access them here: Paper 1 and Paper 2
Here are the details about the papers:
Beyond Timestamps
Abstract
Generating timelines, i.e., sorting events by their respective timestamps, is an essential technique commonly used in digital forensic investigations. But timestamps are not the only source of timing information. For example, sequence numbers embedded in databases or positional information, such as the line numbers in log files, often contain implicit information about the order of events without directly referencing a timestamp. We present a method that can integrate such timing information into digital forensic timelines by separating sources of timing information into distinct time domains, each with its own timeline, and then connecting these timelines based on relations observed within digital evidence. The classical "flat" timeline is thereby extended into a "rich" partial order, which we call hyper timeline. Our technique allows ordering of events without timestamps and opens a rich set of possibilities to identify and characterize timestamp inconsistencies, e.g., those that arise from timestamp tampering.
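As an added illustration (my own sketch, not code from the paper), the Python below builds a small hyper timeline from constructed evidence: each time domain (system-clock timestamps, a database sequence number, log line numbers) becomes its own chain, hypothetical cross-domain relations connect the chains, and a cycle in the resulting happens-before graph marks the timestamps that contradict the implicit ordering.

```python
from collections import defaultdict
# Constructed sample evidence (hypothetical, not from the paper). Each time
# domain orders its own events by a local key: "sys" by system-clock epoch
# seconds, "db" by a history sequence number, "log" by line number.
EVENTS = {
    "sys": {"doc_created": 1000, "doc_modified": 1100, "browser_start": 1300},
    "db": {"history_row_7": 7, "history_row_8": 8},
    "log": {"line_40": 40, "line_41": 41},
}
# Cross-domain relations observed in the evidence: (domain, event) happened
# before (domain, event). The comments give the constructed reasoning.
RELATIONS = [
    ("sys", "doc_created", "log", "line_40"),  # line 40 records opening the document
    ("log", "line_40", "db", "history_row_7"),  # the link opened from it produced row 7
    ("db", "history_row_8", "sys", "doc_modified"),  # row 8 existed when the file was saved
    ("sys", "browser_start", "db", "history_row_7"),  # the browser starts before writing rows
]

def build_hyper_timeline(events, relations):
    """Happens-before graph: per-domain chains from local keys (assumed distinct) plus cross-domain relations."""
    graph = defaultdict(set)
    for domain, keyed in events.items():
        chain = sorted(keyed, key=keyed.get)
        for earlier, later in zip(chain, chain[1:]):
            graph[(domain, earlier)].add((domain, later))
    for d1, a, d2, b in relations:
        graph[(d1, a)].add((d2, b))
    return graph

def reachable(graph, start):
    """All nodes ordered after `start` (transitive closure by DFS)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def order(graph, a, b):
    """'<' if a precedes b, '>' if it follows, '?' if incomparable; no timestamps needed."""
    if b in reachable(graph, a):
        return "<"
    return ">" if a in reachable(graph, b) else "?"

def find_inconsistencies(graph):
    """Edges lying on a cycle: some ordering source along it (often a timestamp) contradicts the rest."""
    return {(src, dst) for src, dsts in graph.items() for dst in dsts
            if src in reachable(graph, dst)}
```

In the constructed data the only timestamp-derived edge on the reported cycle is doc_modified before browser_start, which is where an examiner would start looking for a skewed or tampered timestamp.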
Was the Clock Correct?
Abstract
Timestamps and their correct interpretation play a crucial role in digital forensic investigations, particularly when the objective is to establish a timeline of events, a.k.a. event reconstruction. However, the way these timestamps are generated heavily depends on an internal clock, or 'system time', from which many are derived. Consequently, when this system time is skewed due to tampering, natural clock drift, or system malfunctions, recorded timestamps will not reflect the actual times the (real-world) events occurred. This raises the question of how to validate the correctness of the system clock when recording timestamps and, if found incorrect, how to determine system clock skew. To address this problem, this paper defines several important concepts such as time anchors, anchoring events, non-anchoring events and time anomalies which can be used to determine if the system time was correct. Using two examples (a Google search and a file creation) and comparing correct and skewed versions of the same set of performed actions, we illustrate the use and potential benefits of time anchors to demonstrate the correctness of the system clock for event reconstruction.