论文信息 - Update Thresholds of More Accurate Time Stamp for Event Reconstruction

Update Thresholds of More Accurate Time Stamp for Event Reconstruction

Many systems rely on reliable timestamps to determine the time of a particular action or event. This is especially true in digital investigations where investigators are attempting to determine when a suspect actually committed an action. The challenge, however, is that objects are not updated at the exact moment that an event occurs, but within some time-span after the actual event. In this work we define a simple model of digital systems with objects that have associated timestamps. The model is used to predict object update patterns for objects with associated timestamps, and make predictions about these update time-spans. Through empirical studies of digital systems, we show that timestamp update patterns are not instantaneous. We then provide a method for calculating the distribution of timestamp updates on a particular system to determine more accurate action instance times.

Joshua James | Yunsik Jake Jang

[1] Dan Farmer,et al. Forensic Discovery , 2004 .

[2] Byeongyeong Yoo. Analysis of File Time Change by File Manipulation of Linux System , 2016 .

[3] Eugene H. Spafford,et al. A hypothesis-based approach to digital forensic investigations , 2006 .

[4] Svein Yngvar Willassen. Timestamp evidence correlation by model based clock hypothesis testing , 2008, e-Forensics '08.

[5] Hong Min,et al. An Estimation Model of Missing Data for Smart Phone Sensing , 2013 .

[6] Ahmed Patel,et al. Finite state machine approach to digital event reconstruction , 2004, Digit. Investig..

[7] Joshua James,et al. Signature Based Detection of User Events for Post-mortem Forensic Analysis , 2010, ICDF2C.

[8] Man-Mo Kang,et al. Detection of Complex Event Patterns over Interval-based Events , 2012 .

[9] Malcolm W. Stevens,et al. Unification of relative time frames for digital forensics , 2004, Digit. Investig..

[10] Joshua James,et al. Automated inference of past action instances in digital investigations , 2014, International Journal of Information Security.

[11] Martin S. Olivier,et al. The Use of File Timestamps in Digital Forensics , 2008, ISSA.

[12] Svein Yngvar Willassen. Hypothesis-Based Investigation of Digital Timestamps , 2008, IFIP Int. Conf. Digital Forensics.