Many digital examiners have discussed the importance of timeline analysis in an investigation, focusing on the Modify, Access and Creation (MAC) date/time information. Some of the same examiners have written detailed documents on the timezone settings located in the various config files and Registry hives of systems.
While these are necessary, there is also a more elementary aspect to time — establishing an accurate baseline time-offset for the evidence device.
One of the worst scenarios I see is when an examiner is given a raw piece of digital media and told “this is it”: this is the extent of the “evidence” you have to work with. While this fact can be documented, it leaves much to be determined. For example, what time was the system’s real-time clock (RTC) set to at the time of acquisition? What was the time offset compared to a trusted time source? Was the operating system originally installed on a system with a compromised time setting? In other words, how does the examiner determine whether the RTC was incorrectly set, intentionally or not, prior to the installation of the operating system?
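As an added illustration of the baseline the paragraph above asks for (example code written for this page, not from the original post), the script below records the evidence system's RTC reading together with a trusted reference reading taken at the same instant, derives the clock offset, re-bases evidence timestamps onto the reference timeline, and flags entries that a single stable offset cannot explain. All readings and timeline entries are constructed sample values, and the record layout is an assumption for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed acquisition record (hypothetical values, not from any real case).
# At acquisition the technician notes the evidence system's RTC/BIOS clock and,
# at the same instant, a trusted reference clock (e.g. an NTP-disciplined
# workstation). Both readings are recorded in UTC.
ACQUISITION_RECORD: Dict[str, datetime] = {
    "rtc_reading_utc": datetime(2024, 3, 10, 14, 5, 0, tzinfo=timezone.utc),
    "reference_reading_utc": datetime(2024, 3, 10, 14, 12, 30, tzinfo=timezone.utc),
}

# Constructed timeline entries exactly as stamped by the evidence system's clock.
SAMPLE_EVENTS: List[Tuple[str, datetime]] = [
    ("file created", datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)),
    ("file modified", datetime(2024, 3, 9, 23, 59, 0, tzinfo=timezone.utc)),
    ("log entry", datetime(2024, 3, 10, 14, 6, 0, tzinfo=timezone.utc)),
]


def clock_offset(record: Dict[str, datetime]) -> timedelta:
    """Evidence clock minus trusted reference.

    A negative result means the evidence clock was running behind the
    reference at the moment of acquisition.
    """
    return record["rtc_reading_utc"] - record["reference_reading_utc"]


def to_reference_time(ts: datetime, offset: timedelta) -> datetime:
    """Map a timestamp written by the evidence clock onto the trusted timeline."""
    return ts - offset


def normalize_timeline(
    events: List[Tuple[str, datetime]], record: Dict[str, datetime]
) -> List[Tuple[str, datetime]]:
    """Re-base every event using the single offset measured at acquisition."""
    offset = clock_offset(record)
    return [(label, to_reference_time(ts, offset)) for label, ts in events]


def flag_inconsistent(
    events: List[Tuple[str, datetime]], record: Dict[str, datetime]
) -> List[str]:
    """Labels of events whose normalized time falls after the acquisition reference.

    With a stable offset nothing on the media can post-date acquisition, so such
    entries show the clock was changed at some point (or the media was written
    after imaging); the baseline offset then cannot be applied to the whole
    timeline without further work.
    """
    ref = record["reference_reading_utc"]
    return [label for label, ts in normalize_timeline(events, record) if ts > ref]


if __name__ == "__main__":
    print("offset:", clock_offset(ACQUISITION_RECORD))
    for label, ts in normalize_timeline(SAMPLE_EVENTS, ACQUISITION_RECORD):
        print(f"{label:15s} {ts.isoformat()}")
    print("inconsistent:", flag_inconsistent(SAMPLE_EVENTS, ACQUISITION_RECORD))
```

The offset is only as good as the two readings: both must be taken at the same instant and both must be written down in the acquisition notes, which is exactly the step the technician skipped in the collection described below.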
Recently I observed a forensic collection where the technician discounted the need to collect the BIOS time of a Wintel system. The troubling part is that some of these systems had reportedly been powered off for weeks, months and even years, so at least capturing the information could avoid future doubt.
I realize that some cases focus purely on content: ‘was it there or not’ is the only issue, and “When?” never becomes a question. Understandable, but disappointing.
I submit that “time” is akin to the ‘red-headed stepchild’: everyone knows it’s there, but few realize the full value and contribution it can make.