Timestamps play an important role in digital investigations, since they are necessary for the correlation of evidence from different sources. Use of timestamps as evidence can be questionable because they refer to a clock with unknown adjustment. This work addresses this problem by taking a hypothesis-based approach to timestamp investigation. Historical clock settings can be formulated as a clock hypothesis. This hypothesis can be tested for consistency with timestamp evidence by constructing a model of actions affecting timestamps in the investigated system. Acceptance of a clock hypothesis with timestamp evidence can justify the hypothesis, and thereby establish when events occurred in civil time. The results can be used to correlate timestamp evidence from different sources, including identifying correct originators during a network trace.