A correlation method for establishing provenance of timestamps in digital evidence

Schatz, Bradley, Mohay, George M., & Clark, Andrew J. (2006) A correlation method for establishing provenance of timestamps in digital evidence. Digital Investigation, 3(Supplement 1), S98-S107.


Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer-generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real-world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.

Impact and interest:

18 citations in Scopus
3 citations in Web of Science®

Full-text downloads:

403 since deposited on 20 May 2009
10 in the past twelve months

ID Code: 20576
Item Type: Journal Article
Refereed: Yes
Keywords: digital forensics, digital evidence, event correlation, timestamp interpretation
DOI: 10.1016/j.diin.2006.06.009
ISSN: 1742-2876
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2006 Elsevier
Deposited On: 20 May 2009 23:59
Last Modified: 22 Jun 2017 14:41
