Live digital investigations differ from traditional postmortem investigations in that they collect evidence that has both stateful and temporal characteristics. Much like a photograph of a crime scene, live investigations require investigators to testify more precisely about the "when" of the digital evidence collected.
Digital timestamps offer unique capabilities that can aid both live and traditional postmortem investigations. They do more than mark content with a time, however: they also preserve the integrity of digital evidence and provide time-based non-repudiation.
So what exactly is a timestamp, and how does it differ from a one-way digital hash? One-way hash algorithms, such as MD5 or the SHA family, generate a mathematical fingerprint of digital data, typically files, disk images, partial images, disk cylinders and/or sectors. Once calculated, these values provide a method of verifying that a certain piece of data has not changed since the initial hash was recorded. The one-way hash can be digitally signed, binding the hash value to a digital certificate held by a specific user (typically a person). In this process a private key is used to encrypt the digital hash, and the result can later be validated using the published public key of the same certificate (person). In this way an investigator can hash a piece of digital evidence and sign the hash with their private key, and an independent third party can later validate the evidence. All the third party requires is the originally collected evidence, the digital signature and the investigator's public key. They independently generate the hash (using the same algorithm, i.e. the MD5 or SHA variety originally used) and then check the digital signature against the newly generated hash using the public key. If validation succeeds, the following can be proved:
The digital evidence has not changed between the original hashing and the validation hashing.
The digital signature is valid (this requires validating the certificate and checking the certificate revocation list, CRL).
The digital signature is bound to a specific digital certificate (typically associated with a person).
The weakness of this process still rests on "when" the original hash and signature were generated. By including time and date information within a digital signature we can provide proof of when the signature was issued. The problem, however, is how to prove the time that was included inside the digital signature: how do you show that the time source was accurate, trusted and tamper-proof? In most cases a trusted third party provides a timestamp, which is a digital signature that contains trusted and accurate time and date information. This makes it possible to prove when the digital signing occurred. The investigation software collects the evidence and requests a timestamp from a third-party timestamp service, and the service returns a digital timestamp that can be validated at any time in the future.
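As an added illustration of the hash-then-timestamp flow described above (this is not code from the original article or from any particular timestamp service), the Go program below models the three parties with a deliberately simplified token: the investigator hashes the evidence, the timestamp service signs the hash together with its clock reading, and any later verifier rehashes the evidence and checks that signature. The sample evidence bytes, the token layout and the use of Ed25519 are assumptions made for illustration; real services use standardised token formats and audited clocks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Token is a simplified timestamp token: evidence hash, asserted time, and the service's signature over both.
type Token struct {
	Hash [32]byte
	Unix int64
	Sig  []byte
}

// tokenBody serialises hash || time so issuer and verifier sign identical bytes.
func tokenBody(hash [32]byte, unix int64) []byte {
	body := make([]byte, 40)
	copy(body, hash[:])
	binary.BigEndian.PutUint64(body[32:], uint64(unix))
	return body
}

// HashEvidence is the investigator's one-way hash of the collected evidence.
func HashEvidence(evidence []byte) [32]byte { return sha256.Sum256(evidence) }

// IssueToken is the trusted third party's side: it sees only the hash and binds it to its own trusted clock.
func IssueToken(tsaKey ed25519.PrivateKey, hash [32]byte, now time.Time) Token {
	unix := now.Unix()
	return Token{Hash: hash, Unix: unix, Sig: ed25519.Sign(tsaKey, tokenBody(hash, unix))}
}

// Verify is the later independent check: rehash the evidence presented and confirm the signature covers that hash and time.
func Verify(tsaPub ed25519.PublicKey, evidence []byte, tok Token) bool {
	if HashEvidence(evidence) != tok.Hash {
		return false // evidence changed since the hash was timestamped
	}
	return ed25519.Verify(tsaPub, tokenBody(tok.Hash, tok.Unix), tok.Sig)
}

func main() {
	tsaPub, tsaKey, _ := ed25519.GenerateKey(rand.Reader)
	evidence := []byte("constructed sample: process list captured during live collection")
	tok := IssueToken(tsaKey, HashEvidence(evidence), time.Now())
	fmt.Println("original verifies:", Verify(tsaPub, evidence, tok))
	fmt.Println("altered verifies: ", Verify(tsaPub, append(evidence, '!'), tok))
}
```

Because the service signs only the hash, it never needs to see the evidence itself, and a change to the evidence, the embedded time or the signing key all cause verification to fail.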
The trusted third party operating a timestamp service will typically manage master atomic clocks and timestamp servers that are calibrated and audited by a national measurement institute. Time is a man-made agreement, dating back to treaties between countries that allow us to operate under a synchronized time for banking and other commerce. Time is specifically governed under the Treaty of the Metre, signed in 1875 by over a dozen countries, which established the International Bureau of Weights and Measures in France to provide standards of measurement for use throughout the world. In later years the second was defined in terms of the decay of a cesium atom.
National measurement institutes around the world provide a source of accurate time to within 10^12 or greater precision. These independent time sources are then synchronized around the world within a set of tier-one clocks. Each of these clocks records time relative to UTC (Coordinated Universal Time). Time zones around the world are then expressed as positive or negative offsets from UTC. UTC is also referred to by many military or commercial entities as Zulu time. By working with one or more national measurement institutes, trusted third parties manage and operate master clocks that are both accurate and secure in order to timestamp documents, contracts and digital forensic evidence. Because of both the complexity and the security required of such infrastructures, timestamps are typically issued for a small fee per timestamp generated, with a further fee for future verification of issued timestamps. An individual could generate a timestamp, but the trustworthiness of the time source then becomes onerous to prove.
The value of a timestamp increases as the time since its issuance increases. For example, if you generate a timestamp for a network map scanned today and validate it for someone tomorrow, it has some intrinsic value. However, if you have to prove what the state of the network was 6 weeks, 6 months or even 6 years ago, a timestamp validating that evidence could become very valuable.
Within live investigations, memory snapshots, the state of a file system, the contents of a file, currently logged-in users, the running processes, the running applications, installed device drivers, the state of system services, connections to remote hosts, open file handles, recent web activity, the state of certain cookies, the file system blueprint or even the current state of the desktop could all benefit from a secure digital timestamp. This information is by its very nature temporal and, as a result, has unique requirements for maintaining integrity. Timestamping live investigation evidence at the point of collection adds a significant level of integrity to the evidence and to the overall live collection process.
Timestamps offer the unique capability to both preserve the integrity of evidence and provide non-repudiation of live evidence. Thus incorporating secure digital timestamps into a live investigation can offer substantial proof regarding the who, what and when of the live digital evidence collected.