Time and Computer Forensics - Digital Forensics Research

Time and Computer Forensics
8 August 2002
Mike Duren, Olivier de Vel, Jason Burke, John Faust, Shiu-Kai Chin
7/21/2015 10:09:38 AM
Issues
• What role does time play in the forensic process?
– What do investigators do?
• Do they examine system clocks? Do they look for HW/SW that does synchronization?
– How important is establishing a timeline in an investigation?
• Can investigations be undermined by imprecise timelines?
– What degree of precision is required to support investigations?
• NASDAQ requires precision within 3 seconds
– How important is trusted time in an investigation?
• How do you fuse events together in the presence of inaccurate time?
Technical Issues
• Time is maintained differently in different OSes and versions
• Clocks drift and are easily corrupted
• Need to correlate events based on some ground truth (e.g., time)
– Need to establish a time-ordering of events
– Need to establish an “absolute” time for at least one event (e.g., phone call from modem)
• Accurate time is needed to establish provenance of information
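The correlation step above, as an added example that is not part of the original slides: each host's clock is corrected using one anchor event whose absolute time is known independently, and an ordering between two events is accepted only when the gap exceeds their combined uncertainty. The host names, events, timestamps and uncertainty values are constructed, and a constant offset per host (no drift between the anchor and the other events) is assumed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (local clock reading, event) per host.
HOST_EVENTS = {
    "workstation": [
        ("2002-08-08 14:07:12", "modem dial-out"),
        ("2002-08-08 14:09:40", "file copied"),
    ],
    "server": [
        ("2002-08-08 14:01:55", "login accepted"),
        ("2002-08-08 14:04:31", "file read"),
    ],
}

# One anchor per host (constructed): local reading, independently known
# absolute time, and the uncertainty of that absolute time in seconds.
# Assumption: the workstation anchor is the dial-out matched to a phone record.
ANCHORS = {
    "workstation": ("2002-08-08 14:07:12", "2002-08-08 14:02:02", 1),
    "server": ("2002-08-08 14:01:55", "2002-08-08 14:01:57", 3),
}

def parse(ts):
    return datetime.strptime(ts, FMT)

def clock_offset(host):
    """Correction to add to a host's local readings (trusted minus local)."""
    local, trusted, _ = ANCHORS[host]
    return parse(trusted) - parse(local)

def build_timeline():
    """Merge all hosts into one list sorted by corrected time."""
    timeline = []
    for host, events in HOST_EVENTS.items():
        offset = clock_offset(host)
        uncertainty = timedelta(seconds=ANCHORS[host][2])
        for local, what in events:
            timeline.append((parse(local) + offset, uncertainty, host, what))
    return sorted(timeline, key=lambda e: e[0])

def ordering_is_credible(earlier, later):
    """True only if the gap exceeds the combined uncertainty of both events."""
    return later[0] - earlier[0] > earlier[1] + later[1]

if __name__ == "__main__":
    for when, unc, host, what in build_timeline():
        print(f"{when} +/-{unc.seconds}s  {host:12} {what}")
```

With this data the workstation clock runs 310 seconds fast, so the corrected order differs from the order given by the raw local timestamps, and the last two events fall within each other's uncertainty and cannot be ordered with confidence.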
What’s Needed
• Develop tools to establish credible timelines for digital evidence
• Encourage system developers and tool developers to build systems in ways that support integrity of timelines
– Implication: may need to have pervasive support for integrity of time (and other attributes) built into fundamental system components such as operating systems, system clocks, business software, etc.
• What is the economic justification for this extra effort?
– Is there a market need?
Predictions
• Corporations will use trusted time servers in greater numbers
• Government and military programs (e.g., NMCI) will require time stamping
• ISPs will provide time stamping
• Enron & WorldCom (and ensuing legislation) point to the need for data integrity and standards