Abstract
Digital forensics is a fast-evolving field. One of the challenges of forensic analysis is the quality of the evidence captured from the computing devices and networks involved in a crime. The credibility of forensic evidence depends on the accuracy of the timelines established for the captured events. Although the volume of data captured by forensic analysts keeps growing by orders of magnitude, the reliability and independence of the timing source may be questionable because of the underlying network dynamics and the skew among the many intermediary system clocks that dictate packet timestamps. In this paper, we propose a mechanism to verify the accuracy of forensic timing data through collaborative verification of forensic evidence obtained from multiple third-party servers. The proposed scheme analyses HTTP response headers extracted from network packet capture (PCAP) files and tests the validity of the third-party data with statistical methods. We also develop a proof-of-concept universal time agreement protocol to independently verify timestamps generated by local logging servers and to provide a mechanism that may be adopted in digital forensics procedures.
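The abstract describes comparing HTTP Date headers from many third-party servers against the local capture timestamps to judge whether the capture host's clock can be trusted. The following Python is an added illustration of that idea and is not the authors' code: it takes constructed records standing in for what a PCAP parser would yield (packet-header capture time plus the raw HTTP response head, keyed by a TEST-NET server address), computes each server's clock offset from the capture clock, and uses a median/MAD consensus so that one badly skewed server is flagged rather than allowed to distort the estimate. The tolerance floor of 2 s is an assumption covering the 1-second granularity of the Date header plus network delay.

```python
"""Added example (not the paper's code): estimate the capture host's clock
offset from the Date headers of HTTP responses seen in a packet capture and
flag third-party servers whose clocks disagree with the consensus."""
import statistics
from dataclasses import dataclass
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample records. In a real run these would come from a PCAP
# parser: the responding server (TEST-NET addresses), the packet-header
# capture timestamp (epoch seconds) and the raw HTTP response head.
SAMPLE_RESPONSES = [
    ("203.0.113.10", 1465000000.120, b"HTTP/1.1 200 OK\r\nDate: Sat, 04 Jun 2016 00:26:35 GMT\r\nServer: nginx\r\n\r\n"),
    ("203.0.113.11", 1465000001.480, b"HTTP/1.1 304 Not Modified\r\nDate: Sat, 04 Jun 2016 00:26:36 GMT\r\n\r\n"),
    ("203.0.113.12", 1465000003.010, b"HTTP/1.1 200 OK\r\nDate: Sat, 04 Jun 2016 00:26:38 GMT\r\nContent-Length: 0\r\n\r\n"),
    # This server's clock is one hour fast; it should be reported as an outlier.
    ("203.0.113.13", 1465000004.250, b"HTTP/1.1 200 OK\r\nDate: Sat, 04 Jun 2016 01:26:39 GMT\r\n\r\n"),
    ("203.0.113.14", 1465000005.900, b"HTTP/1.1 200 OK\r\nDate: Sat, 04 Jun 2016 00:26:41 GMT\r\n\r\n"),
    # No Date header at all (permitted for origins without a clock); skipped.
    ("203.0.113.15", 1465000006.300, b"HTTP/1.1 200 OK\r\nServer: test\r\n\r\n"),
]


@dataclass
class Offset:
    server: str
    capture_time: float
    server_time: float
    offset: float  # server clock minus capture clock, in seconds


def extract_date(head: bytes):
    """Return the Date header as an aware datetime, or None if absent/unparseable."""
    header_block, _, _ = head.partition(b"\r\n\r\n")
    for line in header_block.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"date":
            continue
        try:
            parsed = parsedate_to_datetime(value.strip().decode("ascii"))
        except (ValueError, TypeError, UnicodeDecodeError):
            return None
        if parsed.tzinfo is None:  # e.g. a "-0000" zone; treat as UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed
    return None


def compute_offsets(records):
    """One Offset per response that carried a usable Date header."""
    offsets = []
    for server, capture_time, head in records:
        date = extract_date(head)
        if date is None:
            continue
        server_time = date.timestamp()
        offsets.append(Offset(server, capture_time, server_time, server_time - capture_time))
    return offsets


def consensus(offsets, tolerance_floor=2.0, k=3.0):
    """Robust consensus of the capture clock offset and the servers that disagree.

    Median and MAD (scaled by 1.4826 to approximate a standard deviation) are
    used instead of mean/stddev so a single badly skewed server cannot drag
    the estimate. The floor absorbs the 1 s granularity of the Date header
    plus network delay (an assumed value)."""
    values = [o.offset for o in offsets]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    tolerance = max(k * 1.4826 * mad, tolerance_floor)
    outliers = [o for o in offsets if abs(o.offset - med) > tolerance]
    return med, tolerance, outliers


if __name__ == "__main__":
    offs = compute_offsets(SAMPLE_RESPONSES)
    med, tol, outliers = consensus(offs)
    print(f"consensus offset (server - capture): {med:+.2f} s, tolerance {tol:.2f} s")
    for o in outliers:
        print(f"  {o.server}: offset {o.offset:+.2f} s disagrees with consensus")
```

A negative consensus offset means the third-party clocks sit behind the capture clock, i.e. the capture host is fast by that amount if the majority of independent servers are trusted; the flagged server is the one whose Date header should not be used as corroboration for the timeline.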
© 2016 Springer International Publishing AG
Hampton, N., Baig, Z.A. (2016). Timestamp Analysis for Quality Validation of Network Forensic Data. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds) Network and System Security. NSS 2016. Lecture Notes in Computer Science, vol 9955. Springer, Cham. https://doi.org/10.1007/978-3-319-46298-1_16
DOI: https://doi.org/10.1007/978-3-319-46298-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46297-4
Online ISBN: 978-3-319-46298-1
eBook Packages: Computer Science (R0)