Title

Timestamp analysis for quality validation of network forensic data

Document Type

Conference Proceeding

Publisher

Springer Verlag

Place of Publication

Germany

School

School of Science / Security Research Institute

RAS ID

22182

Comments

Originally published as: Hampton, N., & Baig, Z. A. (2016, September). Timestamp analysis for quality validation of network forensic data. International Conference on Network and System Security 9955, 235-248. Available here.

Abstract

Digital forensics is a fast-evolving field of study in contemporary times. One of the challenges of forensic analysis is the quality of evidence captured from computing devices and networks involved in a crime. The credibility of forensic evidence is dependent on the accuracy of established timelines of captured events. Despite the rising orders of magnitude in data volume captured by forensic analysts, the reliability and independence of the timing data source may be questionable due to the underlying network dynamics and the skew in the large number of intermediary system clocks that dictate packet time stamps. Through this paper, we propose a mechanism to verify the accuracy of forensic timing data through collaborative verification of forensic evidence obtained from multiple third party servers. The proposed scheme does analysis of HTTP response headers extracted from network packet capture (PCAP) files and validity testing of third party data through the application of statistical methods. We also develop a proof of concept universal time agreement protocol to independently verify timestamps generated by local logging servers and to provide a mechanism that may be adopted in digital forensics procedures. © Springer International Publishing AG 2016.

DOI

10.1007/978-3-319-46298-1_16

Access Rights

Free to access

Share

 
COinS