Time Bounding Event Reasoning in Computer Forensic

Abstract

Timestamps are widely used in computing and offer an easy way to determine the time of events in digital investigations. Unfortunately, the ability of users to change clock settings, the difficult to recover the multi-level overwriting data in a disk, etc. can not provide the efficient timestamp for event reasoning. In this paper, we present techniques to use lay technique to deal with the time of a file on local machine, even its data block of a file had been re-written many times or deleted long ago, and adopt the time offset mechanism to deal with the deviation time of the file at time t. Use a logging mechanism to record the time of modifications to each disk block and its deviation time at time t to calculate the real time of a file for reasoning the order of the events and obtaining a timeline of activities on a file.