Update Thresholds of More Accurate Time Stamp for Event Reconstruction

Abstract

Many systems rely on reliable timestamps to determine the time of a particular action or event. This is especially true in digital investigations where investigators are attempting to determine when a suspect actually committed an action. The challenge, however, is that objects are not updated at the exact moment that an event occurs, but within some time-span after the actual event. In this work we define a simple model of digital systems with objects that have associated timestamps. The model is used to predict object update patterns for objects with associated timestamps, and make predictions about these update time-spans. Through empirical studies of digital systems, we show that timestamp update patterns are not instantaneous. We then provide a method for calculating the distribution of timestamp updates on a particular system to determine more accurate action instance times.