In: Computer Science
Discuss why time stamps play an important part of digital forensics.
List three different time stamp examples and how they are measured.
(For example: Unix Epoch - the number of seconds that elapsed from..)
Digital evidence is not well perceived by the human senses. Crucial pieces of digital evidence may simply be missed by investigators as the forensics of seemingly unimportant pieces of collected data may not be fully understood. This paper will discuss how abstract pieces of information may be extracted from seemingly insignificant evidence sources such as file timestamps by making use of correlating evidence sources. The use of file timestamps as a substitute for missing or corrupt log files as well as the information deficiency problem surrounding the use of timestamps will be discussed in detail. A prototype was developed to help investigators to determine the course of events as they occurred according to file timestamps. The prototype results that were obtained as well as prototype flaws will also be addressed.

Digital evidence is not well perceived by the human senses. Crucial pieces of digital evidence may simply be missed due to the fact that examiners do not fully comprehend how seemingly useless pieces of data can be converted to evidence of high value. This situation may be very problematic for digital investigators as it may help to create an incomplete picture of digital crimes under inspection. It is therefore extremely important to examine all evidence, no matter how insignificant it may seem.

If an investigation team can understand an intruder's modus operandi, it may be possible to determine various attributes describing the intruder, such as skill level, knowledge and location. Security mechanisms such as log files will usually be used to determine the actions of the intruder. Unfortunately it is possible that active security systems on the compromised system may be configured incorrectly or disabled completely. In such circumstances investigators will have to turn to alternative sources of digital evidence. File timestamps may serve as a worthy alternative, as timestamp information may be viewed as a simplistic log of events as they occurred.

Although file timestamp information may be considered one-dimensional in the sense that it only records the time of the very last action that was performed on a file, it may still be a valuable source of evidence when very few alternatives remain. Unfortunately the processing of file timestamp information may be complicated by the sheer volume of available timestamps that should be processed.

The overabundance of digital evidence that needs to be processed in small amounts of time could be described as an audit reduction problem. The audit reduction problem describes the situation in which the presence of too much information obscures the focus point of investigations. Audit reduction would therefore be prevalent in digital evidence analysis due to the masses of files that need to be inspected, spurred on by the massive storage capacities of modern storage devices.

File timestamp analysis is an excellent example of the audit reduction problem: modern hard drive storage capacity may be anywhere in the gigabyte to terabyte range; a very large number of files may be found on these devices, each file having different timestamp information associated with it. Although most of the file timestamps would be irrelevant to a case, a few may still be the key to its successful resolution. If these timestamps are simply overlooked, an incorrect conclusion could potentially be reached, which may have dire consequences in store for the accused as well as the investigation team.

This paper will discuss the use of timestamps as a supplement or alternative to log files when log files are not available. The information deficiency problem, which describes the situation in which not enough information is available to allow investigators to get a clear picture of forensically significant events, will be discussed. This is done to inform the user of possible problems that may be experienced with alternative evidence sources.

The concept of synergy applied to digital data is proposed as a solution to the information deficiency problem. The principle should allow investigators to use various insignificant evidence sources to generate abstract forms of information that are considered to be of forensic value. on file timestamps related to incident phases.
Ex-
1) Unix Epoch is the system for describing time in Unix and Unix-like systems. It starts at 00:00:00 UTC on January 1st, 1970.
Unix time is the number of seconds that have elapsed since the start of the Unix Epoch. This Unix Epoch time is an ever-incrementing counter which goes up every second and shows the number of seconds elapsed since 00:00:00 UTC on January 1, 1970.
2) Win32 FILETIME values count 100-nanosecond intervals since January 1, 1600 UTC. It is a 64-bit number.
November 26, 2002 at 7:25p
3) CLR System.DateTime values count 100-nanosecond intervals since January 1, 1 UTC. It is a 64-bit number. These aren't used much yet.
November 26, 2002 at 7:25p.
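As an added example (not part of the question or the answer above), the following Python converts between the three representations listed and then normalises a handful of file timestamps, recorded in different formats, onto one UTC timeline, which is the first step of the timestamp-based event reconstruction the answer describes. The FILETIME and .NET tick origins used are the ones documented by Microsoft (1601-01-01 and 0001-01-01 UTC); the file records are constructed sample data.

```python
from datetime import datetime, timezone, timedelta

# Origins of the three representations: Unix time counts whole seconds from
# 1970-01-01 UTC; Win32 FILETIME counts 100-ns ticks from 1601-01-01 UTC
# (the documented origin); .NET DateTime ticks count 100-ns units from
# 0001-01-01 UTC. All three are plain integer counters, so conversion is
# a matter of shifting the origin and scaling the unit.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CLR_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
US = timedelta(microseconds=1)  # one tick is 0.1 us, so ticks // 10 is microseconds

def from_unix(seconds):
    return UNIX_EPOCH + timedelta(seconds=seconds)

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def from_clr_ticks(ticks):
    return CLR_EPOCH + timedelta(microseconds=ticks // 10)

def to_unix(dt):
    return int((dt - UNIX_EPOCH).total_seconds())

def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // US) * 10

def to_clr_ticks(dt):
    return ((dt - CLR_EPOCH) // US) * 10

PARSERS = {"unix": from_unix, "filetime": from_filetime, "clr": from_clr_ticks}

def timeline(records):
    """Normalise mixed-format file timestamps to UTC and sort them, so that
    artefacts from different systems can be read as one sequence of events."""
    events = [(PARSERS[fmt](value), path, action) for path, action, fmt, value in records]
    events.sort(key=lambda e: e[0])
    return [(t.isoformat(), path, action) for t, path, action in events]

# Constructed sample (not real evidence): the same incident window seen through
# a Linux log file, a Windows file and a .NET application's own record.
SAMPLE = [
    ("C:/Users/alice/Downloads/invoice.exe", "created", "filetime", to_filetime(from_unix(1_700_000_060))),
    ("/var/log/auth.log", "modified", "unix", 1_700_000_000),
    ("C:/Users/alice/AppData/Roaming/run.dat", "accessed", "clr", to_clr_ticks(from_unix(1_700_000_120))),
]

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        print(*row)
```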