Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Strategies and Challenges of Timestamp Tampering for Improved Digital Forensic Event Reconstruction (extended version)

Céline Vanini, Jan Gruber, Christopher Hargreaves, Zinaida Benenson, Felix Freiling, Frank Breitinger

TL;DR

Timestamps drive digital forensic event reconstruction but are vulnerable to manipulation on live systems, risking incorrect conclusions. The authors conduct a qualitative study with advanced students performing live tampering to understand attacker strategies, traces left by tampering, and the constraints shaping actions. They identify a pivot-based tampering strategy, reveal three approaches to handling second-order traces (clandestine, tampering-focused, mixed), and propose tamper-resistance factors across artifact layers, including integrity checks and remote data dependencies, to assess evidence reliability via a preliminary C-Scale framework. The findings illuminate the practical difficulty of producing perfect forgeries on live systems and offer guidance to improve artifact evaluation and event reconstruction in digital forensics.

Abstract

Timestamps play a pivotal role in digital forensic event reconstruction, but due to their non-essential nature, tampering or manipulation of timestamps is possible by users in multiple ways, even on running systems. This has a significant effect on the reliability of the results from applying a timeline analysis as part of an investigation. In this paper, we investigate the problem of users tampering with timestamps on a running (``live'') system. While prior work has shown that digital evidence tampering is hard, we focus on the question of \emph{why} this is so. By performing a qualitative user study with advanced university students, we observe, for example, a commonly applied multi-step approach in order to deal with second-order traces (traces of traces). We also derive factors that influence the reliability of successful tampering, such as the individual knowledge about temporal traces, and technical restrictions to change them. These insights help to assess the reliability of timestamps from individual artifacts that are relied on for event reconstruction and subsequently reduce the risk of incorrect event reconstruction during investigations.

Strategies and Challenges of Timestamp Tampering for Improved Digital Forensic Event Reconstruction (extended version)

TL;DR

Timestamps drive digital forensic event reconstruction but are vulnerable to manipulation on live systems, risking incorrect conclusions. The authors conduct a qualitative study with advanced students performing live tampering to understand attacker strategies, traces left by tampering, and the constraints shaping actions. They identify a pivot-based tampering strategy, reveal three approaches to handling second-order traces (clandestine, tampering-focused, mixed), and propose tamper-resistance factors across artifact layers, including integrity checks and remote data dependencies, to assess evidence reliability via a preliminary C-Scale framework. The findings illuminate the practical difficulty of producing perfect forgeries on live systems and offer guidance to improve artifact evaluation and event reconstruction in digital forensics.

Abstract

Timestamps play a pivotal role in digital forensic event reconstruction, but due to their non-essential nature, tampering or manipulation of timestamps is possible by users in multiple ways, even on running systems. This has a significant effect on the reliability of the results from applying a timeline analysis as part of an investigation. In this paper, we investigate the problem of users tampering with timestamps on a running (``live'') system. While prior work has shown that digital evidence tampering is hard, we focus on the question of \emph{why} this is so. By performing a qualitative user study with advanced university students, we observe, for example, a commonly applied multi-step approach in order to deal with second-order traces (traces of traces). We also derive factors that influence the reliability of successful tampering, such as the individual knowledge about temporal traces, and technical restrictions to change them. These insights help to assess the reliability of timestamps from individual artifacts that are relied on for event reconstruction and subsequently reduce the risk of incorrect event reconstruction during investigations.
Paper Structure (36 sections, 2 figures, 2 tables)

This paper contains 36 sections, 2 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. A Qualitative Look at Live Tampering
  4. Contributions
  5. Paper Outlook
  6. User study design
  7. Participants
  8. Scenario of the tampering task
  9. Pre-tampering questionnaire
  10. Tampering task
  11. Post-tampering questionnaire
  12. Interviews
  13. Ethics
  14. Data analysis
  15. Limitations
  16. ...and 21 more sections

Figures (2)

  • Figure 1: Artificial sequence of events $E_1-E_4$ imagined for the tampering task.
  • Figure 2: Sequence of manipulations. Participants are represented by lines that follow the horizontal manipulation sequence, while the vertical axis indicates manipulated objects.