Time and Computer Forensics

1
Time and Computer Forensics

• 8 August 2002
• Mike Duren, Olivier de Vel, Jason Burke, John
  Faust, Shiu-Kai Chin

2
Issues

• What role does time play in the forensic process?
• What do investigators do?
• Do they examine system clocks? Do they look for
  HW/SW that does synchronization?
• How important is establishing a timeline in a
  investigation?
• Can investigations be undermined by imprecise
  timelines?
• What degree of precision is required to support
  investigations?
• NASDQ requires precision within 3 seconds
• How important is trusted time in an
  investigation?
• How do you fuse events together in the presence
  of inaccurate time?

3
Technical Issues

• Time is maintained differently in different OS
  and versions
• Clocks drift and are easily corrupted
• Need to correlate events based on some ground
  truth (e.g., time)
• Need to establish a time-ordering of events
• Need to establish an absolute time for at least
  one event (e.g., phone call from modem)
• Accurate time is needed to establish provenance
  of information

4
Whats Needed

• Develop tools to establish credible timelines for
  digital evidence
• Encourage system developers and tool developers
  to build systems in ways that support integrity
  of timelines
• Implication may need to have pervasive support
  for integrity of time (and other attributes)
  built into fundamental system components such as
  operating systems, system clocks, business
  software, etc.
• What is the economic justification for this extra
  effort?
• Is there a market need?

5
Predictions

• Corporations will use trusted time servers in
  greater numbers
• Government and military programs (e.g., NMCI)
  will require time stamping
• ISPs will provide time stamping
• Enron WorldCom (and ensuing legislation) point
  to the need for data integrity and standards