Precision synchronization of computer network clocks
ACM SIGCOMM Computer Communication Review
A brief history of NTP time: memoirs of an Internet timekeeper
ACM SIGCOMM Computer Communication Review
Unification of relative time frames for digital forensics
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Time and date issues in forensic computing-a case study
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Timestamp evidence correlation by model based clock hypothesis testing
Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop
Digital Investigation: The International Journal of Digital Forensics & Incident Response
| Hi-index | 0.00 |
Establishing the time at which a particular event happened is a fundamental concern when relating cause and effect in any forensic investigation. Reliance on computer generated timestamps for correlating events is complicated by uncertainty as to clock skew and drift, environmental factors such as location and local time zone offsets, as well as human factors such as clock tampering. Establishing that a particular computer's temporal behaviour was consistent during its operation remains a challenge. The contributions of this paper are both a description of assumptions commonly made regarding the behaviour of clocks in computers, and empirical results demonstrating that real world behaviour diverges from the idealised or assumed behaviour. We present an approach for inferring the temporal behaviour of a particular computer over a range of time by correlating commonly available local machine timestamps with another source of timestamps. We show that a general characterisation of the passage of time may be inferred from an analysis of commonly available browser records.