UniTIME: Timestamp interpretation engine for developing unified timelines
Authors: S. Raghavan, H. Saran
Published in: 2013 8th International Workshop on Systematic Approaches to Digital Forensics Engineering (SADFE), November 2013
DOI: 10.1109/SADFE.2013.6911546 (https://doi.org/10.1109/SADFE.2013.6911546)
Citations: 2
Abstract
A critical part of many computer forensic investigations requires developing a unified timeline of activity from the timestamps of the artifacts involved, often involving digital artifacts from across multiple heterogeneous sources of evidence. However, generating such a timeline comes with its own set of challenges, especially if the provenance of the timestamps is not accurately recorded and tracked during an investigation. When sufficient provenance information is not recorded, it can result in inconsistent or ambiguous timelines. In this paper, we propose the Provenance Information Model (PIM) to address challenges related to timestamp interpretation across multiple time zones and present a provenance structure to accurately capture time zone information and validate time-related assertions during analysis. We have developed a prototype implementation of the model, the UniTIME digital time-lining tool, which generates a unified timeline of events derived from across multiple sources. Our tool adjusts the timestamps obtained from multiple heterogeneous evidence sources using the provenance information to generate a unified timeline. We have validated our model and its prototype implementation using the dataset associated with the DFRWS 2008 challenge, which included multiple heterogeneous sources of digital evidence with inherent timestamp interpretation challenges. Results have shown that the model is robust with respect to different time zones and varied timestamp representations. Additionally, the assertions recorded when using our PIM can be useful in identifying inconsistencies across artifacts during forensic analysis and digital time-lining.