Timestamp Analysis for Quality Validation of Network Forensic Data

  • Nikolai Hampton
  • Zubair A. Baig
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9955)

Abstract

Digital forensics is a fast-evolving field of study. One of the challenges of forensic analysis is the quality of evidence captured from the computing devices and networks involved in a crime. The credibility of forensic evidence depends on the accuracy of the timelines established for captured events. Despite the rising orders of magnitude in the data volume captured by forensic analysts, the reliability and independence of the timing data source may be questionable because of the underlying network dynamics and the skew among the large number of intermediary system clocks that dictate packet timestamps. In this paper, we propose a mechanism to verify the accuracy of forensic timing data through collaborative verification of forensic evidence obtained from multiple third-party servers. The proposed scheme analyses HTTP response headers extracted from network packet capture (PCAP) files and tests the validity of the third-party data by applying statistical methods. We also develop a proof-of-concept universal time agreement protocol to independently verify timestamps generated by local logging servers and to provide a mechanism that may be adopted in digital forensics procedures.
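The header-based validation the abstract describes, as an added Python example that is not the authors' code: it extracts the HTTP Date header from constructed response records, computes the offset between each third-party server's clock and the local capture timestamp, and uses median and median-absolute-deviation statistics to estimate the capturing host's skew and flag servers whose clocks disagree with the consensus. The record format, server names and the 5 s minimum tolerance are assumptions; the paper's own statistical tests may differ.

```python
import email.utils
import statistics
from datetime import datetime, timezone

# Constructed sample records (server, local capture timestamp, HTTP response head); in the
# real procedure they come from PCAP frame timestamps and the captured response payloads.
# The capturing host's clock is deliberately 120 s fast; bad.example.net's is one hour fast.
T0 = datetime(2016, 6, 15, 14, 15, 0, tzinfo=timezone.utc).timestamp()
SAMPLE = [
    ("www.example.com", T0 + 120.2, b"HTTP/1.1 200 OK\r\nDate: Wed, 15 Jun 2016 14:15:00 GMT\r\n\r\n"),
    ("cdn.example.net", T0 + 1 + 119.8, b"HTTP/1.1 200 OK\r\nDate: Wed, 15 Jun 2016 14:15:01 GMT\r\n\r\n"),
    ("news.example.org", T0 + 2 + 120.5, b"HTTP/1.1 304 Not Modified\r\nDate: Wed, 15 Jun 2016 14:15:02 GMT\r\n\r\n"),
    ("api.example.com", T0 + 3 + 120.1, b"HTTP/1.1 200 OK\r\nDate: Wed, 15 Jun 2016 14:15:03 GMT\r\n\r\n"),
    ("bad.example.net", T0 + 4 + 120.3, b"HTTP/1.1 200 OK\r\nDate: Wed, 15 Jun 2016 15:15:04 GMT\r\n\r\n"),
    ("nodate.example", T0 + 5 + 120.0, b"HTTP/1.1 200 OK\r\nServer: x\r\n\r\n"),  # no Date: skipped
]

def parse_date_header(raw):
    """Return the HTTP Date header as an aware UTC datetime, or None if absent or malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line; header names are case-insensitive
        if not line.lower().startswith("date:"):
            continue
        try:
            dt = email.utils.parsedate_to_datetime(line[5:].strip())
        except (TypeError, ValueError):  # unparsable Date value (TypeError on Python < 3.10)
            return None
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None

def clock_offsets(records):
    """(server, capture_ts - server_date_ts) for every response that carries a Date header."""
    offsets = []
    for server, capture_ts, raw in records:
        dt = parse_date_header(raw)
        if dt is not None:
            offsets.append((server, capture_ts - dt.timestamp()))
    return offsets

def validate_timeline(records, min_tolerance=5.0):
    """Clock skew of the capturing host = median of the third-party offsets; servers more than
    3 robust (MAD-based) sigmas from that consensus are flagged. HTTP Date has 1 s resolution,
    so the skew is only meaningful to about +/-1 s; min_tolerance keeps the cut-off above that."""
    offsets = clock_offsets(records)
    values = [o for _, o in offsets]
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    threshold = max(min_tolerance, 3 * 1.4826 * mad)  # 1.4826 scales MAD to one sigma
    untrusted = [s for s, o in offsets if abs(o - median) > threshold]
    return {"local_skew_s": median, "spread_mad_s": mad, "untrusted_servers": untrusted}
```

On the sample, the consensus puts the capturing host about 120 s fast and isolates bad.example.net as the one server whose clock cannot be trusted as a reference.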

Keywords

Virtual Machine; Time Stamp; Remote Server; Forensic Evidence; Digital Forensic

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Edith Cowan University, Joondalup, Australia
  2. School of Science & Security Research Institute, Edith Cowan University, Joondalup, Australia