
Understanding Timestamps in Digital Forensics

by Michael Dean Thompson

Modern computing systems constantly record when a specific event occurs. A common example is the timestamp a file system applies to a document, indicating when the file was last modified. But timestamps can be far more subtle than that. Inside the files themselves there are often further timestamps that reveal even more. Consider an image file that stores an internal record of the date and time the image was captured, which may differ from the creation date recorded by the file system. That difference is a strong clue that the file was copied from another source. Separate log files may also track discrete events, as in the case of vehicle telemetry that records the times and locations of brake usage, door openings and closings, and more.

Timestamps come in many different formats, though some standards do exist. The format chosen depends on the operating system as much as on the granularity needed to record the event. Developers often use the timestamp itself to uniquely identify an event, which can require millisecond (1/1,000 of a second) to nanosecond (1/1,000,000,000 of a second) resolution. This is most common in databases and may also appear in email systems and instant messaging platforms. Chrome stores its browser-related timestamps with microsecond (1/1,000,000 of a second) resolution. A browser has little need to compare its own records at that precision, so whatever the developers' reason, the practical effect is forensic: a request for a given web resource at a specific microsecond can single out one device among many when compared against the web server's own logs.

Timestamps also differ in how they must be decoded. Log files are often in human-readable formats like “11/17/2024 8:10:15.1234.” Others are raw integers or binary structures. WebKit/Chrome timestamps count the number of microseconds that have passed since January 1, 1601 UTC. A large number of operating systems use Unix timestamps. Unix is an operating system developed in the 1970s, and its timestamp accordingly counts seconds since January 1, 1970 UTC (the “Unix epoch”). macOS and iOS use Cocoa timestamps (“Mac absolute time”), which count seconds since January 1, 2001 UTC. Nonstandard timestamps are nevertheless usually not difficult to decode: they must sort chronologically, so the epoch and unit can be inferred from the magnitude of the values, and a candidate decoding can be checked against the dates the software itself displays.

Many common timestamp formats record time in Coordinated Universal Time (“UTC”). A stored value corresponding to 6:00 p.m. UTC would therefore be shown to a user in the Central time zone as 12:00 p.m. during Central Standard Time (UTC-6), or 1:00 p.m. while daylight saving time is in effect. This is not universal, however: some formats record local time with no indication of the zone in effect. Using UTC as a standard alleviates the problem of tracking events across time zone boundaries, especially when the user never adjusts how a device reports the time, e.g., because the phone company automatically sets the device’s time and time zone.
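The decoding described above, as an added example that is not part of the original article: a small Python decoder that converts raw Unix, Cocoa and WebKit/Chrome values to UTC, then to Central time, and that parses the human-readable log format quoted earlier. It goes one step beyond the article's list by also handling Windows FILETIME, which shares the 1601 epoch with WebKit/Chrome but counts 100-nanosecond ticks. The sample values are constructed; the year window used by plausible_decodings and the choice of America/Chicago are assumptions for illustration.

```python
"""Decode raw forensic timestamps into UTC and local time.

Added example, not code from the article. Epochs and tick units are the
documented values for each format; the FILETIME row goes beyond the
article's list (Windows shares the 1601 epoch with WebKit/Chrome).
"""
from datetime import datetime, timedelta, timezone

try:
    # zoneinfo needs a system tz database; fall back to a fixed CST offset
    # so the example still runs offline (DST then has to be handled by hand).
    from zoneinfo import ZoneInfo
    CENTRAL = ZoneInfo("America/Chicago")          # assumed local zone
except Exception:
    CENTRAL = timezone(timedelta(hours=-6), "CST")

# format -> (epoch, ticks per second). All epochs are midnight UTC.
FORMATS = {
    "unix":     (datetime(1970, 1, 1, tzinfo=timezone.utc), 1),
    "cocoa":    (datetime(2001, 1, 1, tzinfo=timezone.utc), 1),
    "webkit":   (datetime(1601, 1, 1, tzinfo=timezone.utc), 1_000_000),
    "filetime": (datetime(1601, 1, 1, tzinfo=timezone.utc), 10_000_000),
}


def decode(raw: int, fmt: str) -> datetime:
    """Decode an integer timestamp of the given format to an aware UTC datetime."""
    epoch, per_sec = FORMATS[fmt]
    secs, rem = divmod(raw, per_sec)
    # Keep the sub-second part exactly (integer math), truncated to microseconds,
    # which is the finest resolution Python's datetime carries.
    micros = rem * 1_000_000 // per_sec
    return epoch + timedelta(seconds=secs, microseconds=micros)


def plausible_decodings(raw: int, lo: int = 2000, hi: int = 2040) -> dict:
    """Try every known format and keep those that land in a plausible year range.

    This is the 'infer the epoch from magnitude' step. The window is an
    assumption; note that it cannot always disambiguate (see usage below).
    """
    out = {}
    for fmt in FORMATS:
        try:
            dt = decode(raw, fmt)
        except OverflowError:          # e.g. a microsecond count read as seconds
            continue
        if lo <= dt.year <= hi:
            out[fmt] = dt
    return out


def to_central(dt: datetime) -> datetime:
    """Render an aware UTC datetime in Central time (DST-aware when zoneinfo works)."""
    return dt.astimezone(CENTRAL)


def parse_log_stamp(text: str, tz=None) -> datetime:
    """Parse the article's log format 'MM/DD/YYYY H:MM:SS.ffff'.

    Such strings carry no zone and no AM/PM marker, so the result is naive
    unless the caller supplies the zone the logging host was set to.
    """
    dt = datetime.strptime(text, "%m/%d/%Y %H:%M:%S.%f")
    return dt.replace(tzinfo=tz) if tz is not None else dt


if __name__ == "__main__":
    # Constructed sample: the same instant, 2023-11-14 22:13:20 UTC, in four encodings.
    samples = {"unix": 1_700_000_000, "cocoa": 721_692_800,
               "webkit": 13_344_473_600_000_000, "filetime": 133_444_736_000_000_000}
    for fmt, raw in samples.items():
        print(f"{fmt:9} {raw:>21} -> {decode(raw, fmt).isoformat()}")
    # Magnitude alone is ambiguous here: 1e9 is a valid Unix (2001) AND Cocoa (2032) value.
    print("1_000_000_000 could be:", sorted(plausible_decodings(1_000_000_000)))
    # The article's 6:00 p.m. UTC example, on a date when Central is on standard time.
    print("18:00 UTC on 2024-11-17 in Central:", to_central(decode(1_731_866_400, "unix")))
    print("Parsed log stamp:", parse_log_stamp("11/17/2024 8:10:15.1234").isoformat())
```

The ambiguity shown by plausible_decodings is the practical caveat: a bare seconds count such as 1,000,000,000 decodes to a sensible date as both Unix (2001) and Cocoa (2032), so the magnitude test narrows the candidates but the final choice still has to be confirmed against a date the application itself displays.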

Short of using dedicated forensic software, it can be next to impossible to know where all the timestamps are stored. For example, Windows allows data to be kept in alternate data streams on NTFS volumes that the end user will likely never see. Some timestamps exist to give developers clues that events occurred out of order and to aid in debugging code. Others are recorded for documentary purposes, such as the metadata within a digital photo that identifies the time the photo was taken and the device that took it. But whatever the reason for a timestamp’s existence, investigators can use it to build a timeline of events in support of the theory of a case.

Source: Forensicmag.com

