Wednesday, August 15, 2012
Anyway, since I am sitting in my hotel in Kansas City unable to get some sleep before I catch a ridiculously early flight to Chicago in the morning, I was thinking about time in forensics, and it occurred to me (sometimes I can be Captain Obvious) that forensics is all about time; specifically, about past time. Forensics is a backward-looking discipline, and unless you are in a science fiction novel or movie, it is never predictive from a time standpoint.
How many times (see what I mean?) have you heard some TV detective ask the coroner or forensic pathologist about the "time of death"? He or she never answers with, "Tomorrow about 5 PM."
In the world of digital forensics, time is a factor in just about every case. It is inescapable, since when something occurred is critical to knowing whether it is relevant or not.
Did that phone call happen before or after the car accident? What about the text message? Were the computer files downloaded on a particular date? Did the user modify the times to cover up their tracks when editing that contract?
Those and dozens of other questions about time are posed in almost every case I know of. But, how reliable are those times?
You see, we tend to think in general that the time on the computer is correct, or the time on the cell phone is right on. But can those times be relied upon to "prove" that such and such occurred when we think it did?
The answer is yes and no. In fact, getting the times right is one of the most critical and difficult parts of any digital forensics case.
Modified, Accessed and Created dates and times in computer forensics are highly relied upon in many examinations. And they are one of the most common to get wrong. But, how can it be that an examiner would get the times wrong?
Point 1: One of the fundamental aspects of examining digital evidence is to check the time on the device from which the evidence is collected. Yet I am reading forensic reports every day that do not record the time of the device. If you don't get the time from the device, how do you have any idea that the time on the hard drive, cell phone, GPS device, or video unit is correct? Well, to put it simply, you don't.
Now you may be thinking, "Wait just a darn minute here. Cell phones always have the correct time because they get their time from the cellular system." And my reply would be, "Not so, my forensic friend. You can set your phone to stop syncing its time with the network and set it to whatever you please. You could take some pictures, send some texts, make some calls, and the phone would stamp them with the date and time it thinks it is." And of course I have to qualify that statement with, "It depends on the phone, of course." But offhand, try it with your iPhone and you will see what I mean.
Point 2: Are you in the zone? It can be a little embarrassing for a forensic examiner to make a big deal out of the time stamps occurring before or after the incident happened, only to find out on the witness stand he forgot to adjust his forensic software for the time zone of the device. Oops.
Or to not realize that some parts of the country have no respect for that pesky daylight saving time and therefore don't change with the rest of us "normal" people.
Or to not notice that the time stamps for a piece of evidence are in GMT or UTC, depending on your preference, and to skip calculating the offset for that GPS record.
What about call detail records? Is the time of the phone call based on the time at the local switch, or is it based on the time at the data center for the phone's carrier?
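The three mistakes in Point 2 (device clock not checked, zone not applied, daylight saving assumed) all come down to normalizing a wall-clock stamp to UTC before comparing it with anything else. The following is an added example written for this post, not code from the original; it uses a constructed two-zone table (Chicago, which observes daylight saving, and Phoenix, which does not) and hard-codes the post-2007 US daylight saving rule as an assumption, where real tooling would use the IANA zone database. The scenario at the bottom is constructed: a text stamped 14:30 on a phone set to Chicago time whose clock was found 3 minutes fast at collection, compared against an incident at 19:28 UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone table for this example: (standard offset from UTC, observes DST).
# Only the two cases the post contrasts are covered, a DST zone and one that skips it.
ZONES = {
    "America/Chicago": (timedelta(hours=-6), True),
    "America/Phoenix": (timedelta(hours=-7), False),
    "UTC": (timedelta(0), False),
}


def _nth_sunday(year: int, month: int, n: int) -> datetime:
    """Midnight on the n-th Sunday of the given month (n=1 is the first Sunday)."""
    first = datetime(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7   # Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def us_dst_active(wall: datetime) -> bool:
    """Assumed post-2007 US rule, applied to a naive wall-clock time: DST runs from
    02:00 on the second Sunday of March until 02:00 on the first Sunday of November.
    The repeated 01:00-02:00 hour in November is resolved as still being DST."""
    start = _nth_sunday(wall.year, 3, 2).replace(hour=2)
    end = _nth_sunday(wall.year, 11, 1).replace(hour=2)
    return start <= wall < end


def device_to_utc(device_wall: datetime, zone: str,
                  skew: timedelta = timedelta(0)) -> datetime:
    """Normalize a naive stamp read off a device to an aware UTC datetime.

    device_wall: the stamp exactly as the device recorded it (its own wall clock)
    zone:        the zone the device was configured for (key into ZONES)
    skew:        device clock minus reference clock, measured at collection;
                 positive means the device was running fast
    """
    if device_wall.tzinfo is not None:
        raise ValueError("expected a naive device wall-clock time")
    std_offset, observes_dst = ZONES[zone]
    true_wall = device_wall - skew                # undo the clock error first
    offset = std_offset
    if observes_dst and us_dst_active(true_wall):
        offset += timedelta(hours=1)
    return (true_wall - offset).replace(tzinfo=timezone.utc)


def iso_to_utc(device_wall_iso: str, zone: str, skew_minutes: int = 0) -> str:
    """String front end: 'YYYY-MM-DDTHH:MM[:SS]' as read off the device -> ISO 8601 UTC."""
    stamp = device_to_utc(datetime.fromisoformat(device_wall_iso), zone,
                          timedelta(minutes=skew_minutes))
    return stamp.isoformat()


def order_against_incident(device_wall_iso: str, zone: str, skew_minutes: int,
                           incident_utc_iso: str) -> str:
    """'before' or 'after': the device stamp relative to an incident already known in UTC."""
    stamp = device_to_utc(datetime.fromisoformat(device_wall_iso), zone,
                          timedelta(minutes=skew_minutes))
    incident = datetime.fromisoformat(incident_utc_iso).replace(tzinfo=timezone.utc)
    return "before" if stamp < incident else "after"


if __name__ == "__main__":
    # Constructed scenario: same device stamp, three ways of reading it.
    stamp, incident = "2012-08-15T14:30", "2012-08-15T19:28"
    print("zone and skew applied:", order_against_incident(stamp, "America/Chicago", 3, incident))
    print("skew ignored:         ", order_against_incident(stamp, "America/Chicago", 0, incident))
    print("read as if UTC:       ", order_against_incident(stamp, "UTC", 0, incident))
    print("same wall clock, Phoenix:", iso_to_utc(stamp, "America/Phoenix"))
```

The same 14:30 stamp lands on opposite sides of the incident depending on whether the measured clock skew is applied, and hours away from it if the zone is ignored; the Phoenix line shows the same wall-clock reading two hours apart from Chicago in August because one zone skips daylight saving.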
Point 3: Are you sure? One of the simplest mistakes to make as a forensic examiner is to assume that you are correct without checking your facts. What's the expression? Check yourself before you wreck yourself? We should all print that out in big letters and staple it up over our forensic work areas.
MAC times on computers are not always what they seem. In fact, they are rarely what they seem, to the point that you should be suspicious of any date and time stamp unless you know for sure why and how it was recorded. The thing is, MAC times on computers are recorded based on the function or activity that causes the time stamp to change.
And since different operating systems also treat time stamping differently, it can be even more confusing. For instance, Windows NT and Windows XP have different delays before they will create a new time stamp. Windows Vista and forward don't even bother to update the last accessed date anymore, so that time stamp becomes moot from a forensic standpoint.
And, to make it even more fun, different operating systems use different date formats, such as Epoch time, absolute time and so forth.
Does Mac OS record time stamps like Windows? Of course not. Nor does Linux or Unix.
Does an activity on a Mac cause time stamps to be recorded the same way as the corresponding activity on a Windows computer? Nope.
How about that thumb drive you have there? Is it formatted FAT32? Then it will handle time stamps differently from your Windows computer, which is formatted NTFS.
Time is embedded all over the place. It's in the file systems of computers and media storage devices, embedded inside pictures and documents and PDF files. How about that facsimile machine's transaction log? It's in the headers of emails.
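The formats mentioned above (Epoch time, absolute time, FAT32 versus NTFS) each encode an instant differently, and one of them stores no zone at all. This added example is written for this post and is not the author's code; it decodes Windows FILETIME, Unix epoch seconds, Apple absolute time (seconds since 2001, the reference date used by CFAbsoluteTime) and the packed FAT date/time words, then expresses one constructed instant (19:30:05 UTC on the day of this post, written by a FAT device set to UTC-5) in all of them. The `utc_offset_hours` argument is an assumption the examiner must supply for FAT stamps; nothing in the FAT entry records it.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # Windows/NTFS FILETIME
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)       # Unix/Linux epoch time
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)      # Apple absolute time (CFAbsoluteTime)


def _whole_seconds(delta: timedelta) -> int:
    """Integer seconds in a timedelta (avoids float rounding on centuries-long spans)."""
    return delta.days * 86400 + delta.seconds


def filetime_to_utc(ticks: int) -> datetime:
    """FILETIME: 100-nanosecond ticks since 1601-01-01, recorded in UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(instant: datetime) -> int:
    delta = instant - FILETIME_EPOCH
    return _whole_seconds(delta) * 10_000_000 + delta.microseconds * 10


def unix_to_utc(seconds: int) -> datetime:
    """Unix epoch time: seconds since 1970-01-01, recorded in UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def apple_to_utc(seconds: int) -> datetime:
    """Apple absolute time: seconds since 2001-01-01, recorded in UTC."""
    return APPLE_EPOCH + timedelta(seconds=seconds)


def fat_to_local(date_word: int, time_word: int) -> datetime:
    """FAT directory-entry stamp: two 16-bit words holding LOCAL wall-clock time
    at 2-second resolution, with no zone field at all. The result is naive."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def local_to_fat(local: datetime) -> tuple:
    """Pack a naive local time the way FAT stores it; odd seconds are truncated."""
    date_word = ((local.year - 1980) << 9) | (local.month << 5) | local.day
    time_word = (local.hour << 11) | (local.minute << 5) | (local.second // 2)
    return date_word, time_word


def fat_to_utc(date_word: int, time_word: int, utc_offset_hours: int) -> datetime:
    """A FAT stamp only becomes comparable with NTFS/Unix stamps once the examiner
    supplies the zone offset (an assumption, not stored on the volume)."""
    local = fat_to_local(date_word, time_word)
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=UTC)


def same_instant(utc_iso: str, utc_offset_hours: int) -> dict:
    """Express one instant in each encoding a case might contain. The FAT entries
    assume the device that wrote them was set to utc_offset_hours."""
    instant = datetime.fromisoformat(utc_iso).replace(tzinfo=UTC)
    local = (instant + timedelta(hours=utc_offset_hours)).replace(tzinfo=None)
    date_word, time_word = local_to_fat(local)
    return {
        "utc": instant.isoformat(),
        "unix": _whole_seconds(instant - UNIX_EPOCH),
        "filetime": utc_to_filetime(instant),
        "apple": _whole_seconds(instant - APPLE_EPOCH),
        "fat_words": (date_word, time_word),
        "fat_local": fat_to_local(date_word, time_word).isoformat(),
        "fat_as_utc": fat_to_utc(date_word, time_word, utc_offset_hours).isoformat(),
    }


if __name__ == "__main__":
    # Constructed instant: 19:30:05 UTC on the day of this post, FAT device on UTC-5.
    for key, value in same_instant("2012-08-15T19:30:05", -5).items():
        print(f"{key:>11}: {value}")
```

Note what the FAT round trip shows: the same instant comes back as 19:30:04 rather than 19:30:05 because FAT keeps only even seconds, and it comes back at all only because an offset was supplied; read the same words with the wrong offset and the file appears to have been written hours away from when it actually was.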
So when you are doing an examination, what kinds of things should you always be asking yourself about a date and time stamp?
Do I know what the time was on the device that stamped the time on the evidence?
Do I know what time zone applies?
Did I set the offset in my forensic software correctly?
Do I know what caused the stamp to be created and/or changed, and why?
Did I get the offset or conversion from UTC, Epoch or Absolute time right?
You could write a whole book just on computer time stamps. I'm not, but you could if you wanted to.
Just remember as you are writing that forensic report: Check yourself before you wreck yourself.