Timestamp analysis for quality validation of network forensic data
Document Type
Conference Proceeding
Publication Title
Network and System Security
Publisher
Springer Verlag
Place of Publication
Germany
School
School of Science / Security Research Institute
RAS ID
22182
Abstract
Digital forensics is a fast-evolving field of study in contemporary times. One of the challenges of forensic analysis is the quality of evidence captured from computing devices and networks involved in a crime. The credibility of forensic evidence is dependent on the accuracy of established timelines of captured events. Despite the rising orders of magnitude in data volume captured by forensic analysts, the reliability and independence of the timing data source may be questionable due to the underlying network dynamics and the skew in the large number of intermediary system clocks that dictate packet time stamps. Through this paper, we propose a mechanism to verify the accuracy of forensic timing data through collaborative verification of forensic evidence obtained from multiple third party servers. The proposed scheme does analysis of HTTP response headers extracted from network packet capture (PCAP) files and validity testing of third party data through the application of statistical methods. We also develop a proof of concept universal time agreement protocol to independently verify timestamps generated by local logging servers and to provide a mechanism that may be adopted in digital forensics procedures. © Springer International Publishing AG 2016.
DOI
10.1007/978-3-319-46298-1_16
Access Rights
subscription content
Comments
Hampton, N., & Baig, Z. A. (2016, September). Timestamp analysis for quality validation of network forensic data. In Network and System Security (pp. 235-248). Springer. Available here.