Timestamp Analysis for Quality Validation of Network Forensic Data

Hampton, Nikolai; Baig, Zubair A.

doi:10.1007/978-3-319-46298-1_16

Nikolai Hampton¹⁷ &
Zubair A. Baig¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9955))

Included in the following conference series:

International Conference on Network and System Security

1421 Accesses
1 Altmetric

Abstract

Digital forensics is a fast-evolving field of study in contemporary times. One of the challenges of forensic analysis is the quality of evidence captured from computing devices and networks involved in a crime. The credibility of forensic evidence is dependent on the accuracy of established timelines of captured events. Despite the rising orders of magnitude in data volume captured by forensic analysts, the reliability and independence of the timing data source may be questionable due to the underlying network dynamics and the skew in the large number of intermediary system clocks that dictate packet time stamps. Through this paper, we propose a mechanism to verify the accuracy of forensic timing data through collaborative verification of forensic evidence obtained from multiple third party servers. The proposed scheme does analysis of HTTP response headers extracted from network packet capture (PCAP) files and validity testing of third party data through the application of statistical methods. We also develop a proof of concept universal time agreement protocol to independently verify timestamps generated by local logging servers and to provide a mechanism that may be adopted in digital forensics procedures.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Aitkinson, K.: Spell Checking Oriented Word Lists (SCOWL) (2016). http://wordlist.aspell.net/scowl-readme/
Apache Software Foundation: Apache HTTP Server Version 2.2 Configuration (2015). https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat
Burbank, J., Mills, D., Kasch, W.: Network Time Protocol Version 4: Protocol and Algorithms Specification, June 2010. https://tools.ietf.org/html/rfc5905
Butkiewicz, M., Madhyastha, H., Sekar, V.: Characterizing Web Page Complexity and Its Impact, June 2014
Google Scholar
Casey, E., Rose, C.W.: Chapter 2 - Forensic Analysis (2010). http://www.sciencedirect.com/science/article/pii/B9780123742674000021
Google Scholar
Fielding, R., Reschke, J.: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content, June 2014. https://tools.ietf.org/html/rfc7231#section-7.1.1.2
Gerhards, R.: RFC 5424 - The Syslog Protocol, March 2009. https://tools.ietf.org/html/rfc5424#section-6.2.3
Marangos, N., Rizomiliotis, P., Mitrou, L.: Time synchronization: pivotal element in cloud forensics, April 2016. http://onlinelibrary.wiley.com/doi/10.1002/sec.1056/abstract
Meyers, M., Rogers, M.: Computer forensics: the need for standardization and certification (2004). http://www.123seminarsonly.com/Seminar-Reports/044/59032742-Computer-Forensics.pdf
National Measurement Institute: Time and Frequency Dissemination Service (2016). http://www.measurement.gov.au/
Open Source Software: wbritish. https://packages.debian.org/sid/text/wbritish
R Core Team: R: A Language and Environment for Statistical Computing (2015). https://www.R-project.org/
Scientific Working Group on Digital Evidence: SWGDE recommended guidelines for validation testing, September 2014. https://www.swgde.org/
Bratus, S., Lembree, A., Shubina, A.: Software on the Witness Stand: What Should it Take for us to Trust it? http://www.cs.dartmouth.edu/~sergey/trusting-e-evidence.pdf
Smith, S.P., Perrit, H.J., Krent, H., Mencik, S., Crider, J.A., Shyong, M., Reyonalds, L.L.: Independent Review of the Carnivore System, November 2000. https://www.justice.gov/archive/jmd/carnivore_draft_1.pdf
Stevens, M.W.: Unification of relative time frames for digital forensics, September 2004. http://www.sciencedirect.com/science/article/pii/S174228760400057X
US-CERT: Computer Forensics (2008). https://www.uscert.gov/sites/default/files/publications/forensics.pdf
Wireshark.org: FileFormatReference/libpcap - The Wireshark Wiki (2008). https://wiki.wireshark.org/FileFormatReference/libpcap

Download references

Author information

Authors and Affiliations

Edith Cowan University, Joondalup, Australia
Nikolai Hampton
School of Science & Security Research Institute, Edith Cowan University, Joondalup, Australia
Zubair A. Baig

Authors

Nikolai Hampton
View author publications
You can also search for this author in PubMed Google Scholar
Zubair A. Baig
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nikolai Hampton .

Editor information

Editors and Affiliations

Central China Normal University , Wuhan, China
Jiageng Chen
Università degli Studi di Milano , Crema (CR), Italy
Vincenzo Piuri
Osaka University , Osaka, Japan
Chunhua Su
Columbia University , New York, New York, USA
Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Hampton, N., Baig, Z.A. (2016). Timestamp Analysis for Quality Validation of Network Forensic Data. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds) Network and System Security. NSS 2016. Lecture Notes in Computer Science(), vol 9955. Springer, Cham. https://doi.org/10.1007/978-3-319-46298-1_16

Download citation

DOI: https://doi.org/10.1007/978-3-319-46298-1_16
Published: 21 September 2016
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46297-4
Online ISBN: 978-3-319-46298-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics