Methods for Enhancement of Timestamp Evidence in Digital Investigations

Abstract

This work explores how the evidential value of digital timestamps can be enhanced by taking a hypothesis based approach to the investigation of digital timestamps. It defines the concepts of clock hypotheses, timestamps and causality in digital systems. These concepts are utilized to develop methods that can be used in an investigation to test a clock hypothesis for consistency with timestamps found in an actual investigation, given causality between specific events occurring in the investigated system. Common storage systems are explored for the identification of causality between the events of information storage. By using a logic programming variant of predicate calculus, a formalism for modelling the relationship between events and timestamp updating is defined. This formalism can be used to determine invariants in digital systems.

Invariants and causality relations can be used to check a clock hypothesis for consistency with timestamp evidence. These methods can be utilized in software for digital investigation. By checking the large number of timestamps typically occurring on a digital medium, the methods can assist with the justification of a clock hypothesis, and thereby increase the confidence in specific timestamps found during the investigation. Previously, the checking of timestamps has relied upon the existence of timestamps from other evidence sources. With the methods defined in this work, justification of timestamp interpretation can be achieved without having to rely on timestamps from other sources of evidence.

The methods developed in this work were implemented in a clock hypothesis consistency checker. This checker was tested in an experiment where subjects were asked to antedate a document. The checker was found to be able to produce evidence supporting a hypothesis that the document was antedated.