A Categorization of Computer Clocks


Author(s) Glenn Henderson
TR-Number JMU-INFOSEC-TR-2009-001
Abstract In the investigation of computer crimes, time plays an important role. Files on a computer system are time-stamped: each time a file is created, modified, or accessed, the time at which that event happened is recorded. Investigators of computer crimes correlate these time-stamps with events on the system. Computer systems with inaccurate clocks make such time-event correlation difficult, because a successful correlation depends on time-stamps together with corroborating evidence that links events to times. Typical computers are built from inexpensive components and as such have inaccurate clocks. The effect of an inaccurate clock is observable as clock skew: the offset between the time the clock reports and real time grows over time, so the clock lags behind or runs ahead of real time.

A clock model represents how a computer clock behaves in its reporting of time. The clock model includes all of the discrete time events in the clock's history. The difficulty in creating a complete clock model for a forensic investigation is that discrete time events are hard to interpret, and it is hard to predict how a computer clock will behave in the future given that computer clocks do not keep accurate time. This research introduces a categorization of clock descriptions (how a clock behaves over time) for clock models, to enable a forensic investigator to predict how a clock could behave in the future, or how it may have behaved in the past.

We approach this problem by analyzing a large collection of time offsets from real time, observed for numerous web servers over a period of months. The offsets were collected using clockdiff, a utility that queries another host for its current time over ICMP and reports the difference from the local clock. In this collection we noticed patterns that were repeated across multiple clock descriptions. Using these patterns we created categories that describe how the clock descriptions behave through time. The result of this research is a categorization scheme for these clock descriptions. Based on this scheme we developed a program that attempts to categorize clock descriptions automatically. The categorization gives a better understanding of how some computer clocks behave, so that forensic investigators can make more accurate assumptions when interpreting time-stamped evidence in an investigation.
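The following is an added illustration, not the report's program or its categorization scheme: a minimal clock model fitted to a series of (reference time, offset) observations of the kind clockdiff produces, with a classifier over them. The four category names (stable, drifting, stepped, erratic), the thresholds, the linear drift model, and the four constructed observation series are all assumptions made for this example. It shows the two things an investigator wants from such a model: a behaviour category, and a way to map a timestamp read from the suspect machine back to reference time, including the case where the clock was stepped (reset) partway through the observation period.

```python
"""Added example: fit a simple clock model to observed offsets and categorize
the clock's behaviour.  Category names, thresholds and sample data are
assumptions for illustration, not the report's scheme or measurements."""
from typing import List, Sequence, Tuple

Sample = Tuple[float, float]  # (reference time t, offset = remote clock - reference), seconds
DAY = 86400.0


def linear_fit(samples: Sequence[Sample]) -> Tuple[float, float]:
    """Least-squares fit of offset(t) = intercept + rate * t.
    rate is the drift: seconds of clock error gained per second of real time."""
    n = len(samples)
    sx = sum(t for t, _ in samples)
    sy = sum(o for _, o in samples)
    sxx = sum(t * t for t, _ in samples)
    sxy = sum(t * o for t, o in samples)
    denom = n * sxx - sx * sx
    if denom == 0:  # every observation at the same instant: no rate information
        return sy / n, 0.0
    rate = (n * sxy - sx * sy) / denom
    return (sy - rate * sx) / n, rate


def max_residual(samples: Sequence[Sample], intercept: float, rate: float) -> float:
    """Largest deviation of an observation from the fitted line."""
    return max(abs(o - (intercept + rate * t)) for t, o in samples)


def find_steps(samples: Sequence[Sample], jump: float) -> List[float]:
    """Times at which the offset changed between consecutive observations by more
    than `jump` seconds, far more than drift could explain in one interval.  Such
    discontinuities are what a manual clock change or a time daemon stepping the
    clock look like in the offset series."""
    return [t1 for (_, o0), (t1, o1) in zip(samples, samples[1:]) if abs(o1 - o0) > jump]


def split_at_steps(samples: Sequence[Sample], step_times: Sequence[float]) -> List[List[Sample]]:
    """Cut the series into segments, each starting at a step, so that a linear
    model can be fitted per segment rather than across a reset."""
    cuts, segments, current = set(step_times), [], []
    for s in samples:
        if s[0] in cuts and current:
            segments.append(current)
            current = []
        current.append(s)
    if current:
        segments.append(current)
    return segments


def categorize(samples: Sequence[Sample], jump: float = 1.0,
               residual_tol: float = 0.05, stable_rate: float = 1e-7) -> str:
    """Hypothetical categories (assumed for this example): 'stepped' if the offset
    jumps, 'erratic' if no straight line fits, 'stable' if drift is negligible
    (below ~8.6 ms/day), otherwise 'drifting'."""
    if len(samples) < 2:
        return "insufficient"
    if find_steps(samples, jump):
        return "stepped"
    intercept, rate = linear_fit(samples)
    if max_residual(samples, intercept, rate) > residual_tol:
        return "erratic"
    return "stable" if abs(rate) < stable_rate else "drifting"


def predict_offset(samples: Sequence[Sample], t: float, jump: float = 1.0) -> float:
    """Extrapolate the most recent segment's linear model to time t (past or future).
    Earlier segments are deliberately ignored: the clock was reset since then."""
    last = split_at_steps(samples, find_steps(samples, jump))[-1]
    intercept, rate = linear_fit(last)
    return intercept + rate * t


def to_reference_time(samples: Sequence[Sample], clock_time: float) -> float:
    """Map a timestamp read from the suspect machine to reference time.
    offset = clock - reference, so reference = clock - offset.  Evaluating the
    offset at clock_time instead of reference time is negligible when offset << t."""
    return clock_time - predict_offset(samples, clock_time)


# Constructed observations, one per day for 30 days (not real measurements).
DRIFTING = [(d * DAY, 0.5 + 5e-7 * d * DAY) for d in range(30)]   # gains ~43 ms/day
STABLE = [(d * DAY, 0.012) for d in range(30)]                     # holds a fixed 12 ms offset
STEPPED = [(d * DAY, (2.0 if d < 15 else -0.65) + 5e-7 * d * DAY)  # reset on day 15, same drift
           for d in range(30)]
ERRATIC = [(d * DAY, 0.3 if d % 2 else -0.3) for d in range(30)]   # wanders with no trend

if __name__ == "__main__":
    for name, series in (("DRIFTING", DRIFTING), ("STABLE", STABLE),
                         ("STEPPED", STEPPED), ("ERRATIC", ERRATIC)):
        print(f"{name:9s} -> {categorize(series)}")
    # A file timestamp of day 40 on the drifting host, mapped to reference time.
    print(f"day-40 timestamp corrects by {40 * DAY - to_reference_time(DRIFTING, 40 * DAY):.3f} s")
```

The point of segmenting at steps before fitting is that a single line through a series containing a reset under-reports the drift rate and misplaces every corrected timestamp; a practitioner should also remember that clockdiff's own measurements carry network-delay and resolution error, so the `jump` and `residual_tol` thresholds must be set well above that noise floor.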
Sponsor Prof. Florian Buchholz
Contact e-mail techreports@cs.jmu.edu