Beyond timestamps: Integrating implicit timing information into digital forensic timelines

Generating timelines, i.e., sorting events by their respective timestamps, is an essential technique commonly used in digital forensic investigations. But timestamps are not the only source of timing information. For example, sequence numbers embedded in databases or positional information, such as...

Bibliographic Details
Published in: Forensic science international. Digital investigation (Online) 2024-07, Vol.49, p.301755, Article 301755
Main Authors: Dreier, Lisa Marie; Vanini, Céline; Hargreaves, Christopher J.; Breitinger, Frank; Freiling, Felix
Format: Article
Language: English
container_start_page 301755
container_title Forensic science international. Digital investigation (Online)
container_volume 49
creator Dreier, Lisa Marie
Vanini, Céline
Hargreaves, Christopher J.
Breitinger, Frank
Freiling, Felix
description Generating timelines, i.e., sorting events by their respective timestamps, is an essential technique commonly used in digital forensic investigations. But timestamps are not the only source of timing information. For example, sequence numbers embedded in databases or positional information, such as the line numbers in log files, often contain implicit information about the order of events without directly referencing a timestamp. We present a method that can integrate such timing information into digital forensic timelines by separating sources of timing information into distinct time domains, each with its own timeline, and then connecting these timelines based on relations observed within digital evidence. The classical “flat” timeline is thereby extended into a “rich” partial order, which we call hyper timeline. Our technique allows ordering of events without timestamps and opens a rich set of possibilities to identify and characterize timestamp inconsistencies, e.g., those that arise from timestamp tampering.
doi_str_mv 10.1016/j.fsidi.2024.301755
format article
oa free_for_read
orcidid 0000-0001-5261-4600 ; 0009-0009-8462-389X ; 0000-0002-8279-8401
publisher Elsevier Ltd
rights 2024 The Author(s)
toplevel peer_reviewed
identifier ISSN: 2666-2817
ispartof Forensic science international. Digital investigation (Online), 2024-07, Vol.49, p.301755, Article 301755
issn 2666-2817
language eng
recordid cdi_crossref_primary_10_1016_j_fsidi_2024_301755
source ScienceDirect
subjects Implicit timing information
Logical clocks
Relative ordering
Timelining
title Beyond timestamps: Integrating implicit timing information into digital forensic timelines