Research Article
Timestamp evidence correlation by model based clock hypothesis testing
@INPROCEEDINGS{10.4108/e-forensics.2008.2637,
  author        = {Svein Yngvar Willassen},
  title         = {Timestamp evidence correlation by model based clock hypothesis testing},
  proceedings   = {1st International ICST Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia},
  publisher     = {ACM},
  proceedings_a = {E-FORENSICS},
  year          = {2010},
  month         = {5},
  keywords      = {Digital investigation event logic clock hypothesis},
  doi           = {10.4108/e-forensics.2008.2637}
}
- Svein Yngvar Willassen
Year: 2010
E-FORENSICS
ACM
DOI: 10.4108/e-forensics.2008.2637
Abstract
Timestamps play an important role in digital investigations, since they are necessary for correlating evidence from different sources, including network traces. The use of timestamps as evidence can be questioned because they refer to a clock whose adjustment is unknown. This work addresses that problem by taking a hypothesis-based approach to timestamp investigation. The historical values of the clock can be formulated as a clock hypothesis. That hypothesis can be tested for consistency with the timestamp evidence by constructing a model of the actions that affect timestamps in the investigated system. Acceptance of a clock hypothesis against the timestamp evidence justifies the hypothesis, and thereby establishes when events occurred in civil time. The results can be used to correlate timestamp evidence from different sources, including identifying the correct originators in a network trace.
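The abstract describes the method only in outline. The following Python program is an added illustration of the idea, not code from the paper, and it reduces the paper's action model to simple ordering constraints. A clock hypothesis is a history of the investigated system's clock offset from civil time; each timestamp read from that system is mapped back to every civil time at which the clock could have displayed it (a clock that was set back makes some readings ambiguous, a clock set forward makes some impossible); timestamps from sources with a synchronised clock (a proxy log, a mail server) are taken as civil time directly; and a hypothesis is accepted if at least one assignment of civil times satisfies every constraint the model imposes. All evidence items, clock histories, names and time values below are constructed for the example.

```python
"""Clock-hypothesis testing over timestamp evidence (simplified illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import product
from typing import Dict, List, Optional, Tuple

HOUR = timedelta(hours=1)
ZERO = timedelta(0)


def T(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' string (all times treated as UTC)."""
    return datetime.fromisoformat(s)


@dataclass
class ClockHypothesis:
    """History of the investigated system's clock, stated in civil time.

    segments: (civil_start, offset), in order; from civil_start on, the system
    clock read civil_time + offset. The first civil_start is None, meaning the
    segment applies from the beginning of the period of interest.
    """
    name: str
    segments: List[Tuple[Optional[datetime], timedelta]]

    def candidates(self, clock_ts: datetime) -> List[datetime]:
        """Every civil time at which this clock would have displayed clock_ts.

        A clock set back yields two candidates for readings in the repeated
        range; a clock set forward yields none for readings in the skipped
        range (under this hypothesis that reading never occurred).
        """
        found = []
        for i, (start, offset) in enumerate(self.segments):
            end = self.segments[i + 1][0] if i + 1 < len(self.segments) else None
            civil = clock_ts - offset
            if (start is None or civil >= start) and (end is None or civil < end):
                found.append(civil)
        return found


@dataclass
class Evidence:
    name: str
    ts: datetime
    trusted: bool = False  # True: already civil time (source with a synchronised clock)


# Action model reduced to ordering constraints: (earlier, later, max_gap);
# max_gap=None means only the order matters.
Constraint = Tuple[str, str, Optional[timedelta]]


def consistent_assignments(h: ClockHypothesis, evidence: List[Evidence],
                           constraints: List[Constraint]) -> List[Dict[str, datetime]]:
    """All civil-time assignments of the evidence satisfying every constraint under h."""
    names = [e.name for e in evidence]
    cand_lists = [[e.ts] if e.trusted else h.candidates(e.ts) for e in evidence]
    if any(not c for c in cand_lists):
        return []  # some reading could never have been displayed under h
    found = []
    for combo in product(*cand_lists):  # evidence sets are small; exhaustive search is fine
        civil = dict(zip(names, combo))
        if all(civil[a] <= civil[b] and (gap is None or civil[b] - civil[a] <= gap)
               for a, b, gap in constraints):
            found.append(civil)
    return found


def accepted(h: ClockHypothesis, evidence: List[Evidence],
             constraints: List[Constraint]) -> bool:
    return bool(consistent_assignments(h, evidence, constraints))


# Constructed evidence: a file fetched through a proxy with a trusted clock, then a
# mail sent from the same laptop and received by a mail server with a trusted clock.
EVIDENCE = [
    Evidence("proxy_get_report", T("2008-03-10 10:30:00"), trusted=True),
    Evidence("report_crtime", T("2008-03-10 12:31:00")),    # laptop clock
    Evidence("report_mtime", T("2008-03-10 12:35:00")),     # laptop clock
    Evidence("mail_sent_items", T("2008-03-10 12:15:00")),  # laptop clock
    Evidence("mail_server_rcvd", T("2008-03-10 12:17:00"), trusted=True),
]
CONSTRAINTS = [
    ("proxy_get_report", "report_crtime", HOUR),  # file written after the GET, within 1h
    ("report_crtime", "report_mtime", None),      # creation precedes last modification
    ("mail_sent_items", "mail_server_rcvd", timedelta(minutes=5)),
]
NOON = T("2008-03-10 12:00:00")
HYPOTHESES = [
    ClockHypothesis("clock correct throughout", [(None, ZERO)]),
    ClockHypothesis("clock 2h fast throughout", [(None, 2 * HOUR)]),
    ClockHypothesis("correct, set back 1h at noon", [(None, ZERO), (NOON, -HOUR)]),
    ClockHypothesis("2h fast, corrected at noon", [(None, 2 * HOUR), (NOON, ZERO)]),
]

if __name__ == "__main__":
    for h in HYPOTHESES:
        found = consistent_assignments(h, EVIDENCE, CONSTRAINTS)
        print(f"{h.name}: {'ACCEPTED' if found else 'REJECTED'}")
        for civil in found:
            print("   ", {k: v.strftime("%H:%M") for k, v in civil.items()})
```

Run as written, only the last hypothesis survives: the download evidence rules out a correct clock, the mail evidence rules out a clock that stayed two hours fast, and a clock set back by one hour at noon fails the download constraint. Under the accepted hypothesis the clock readings between 12:00 and 14:00 are ambiguous, and it is the constraints against the trusted sources that pick the civil time for the file creation (10:31) and the mail (12:15); the file modification time stays ambiguous, which is exactly the residual uncertainty an investigator should report.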