Introduction
In a forensic examination, establishing the time zone from the suspect system is one of the first tasks for a forensic examiner. If this information is not established at an early stage and taken into account, then the validity of all date/time values may be brought into question due to the way operating systems and browser applications store date/time information.
Operating systems and browser applications store date/time information in different ways using a variety of different timestamp formats. Many timestamps are stored in UTC, and then converted to local time when presented to the user, and some are stored in local time. It is therefore extremely important to establish the correct time zone setting for the system to correctly convert these timestamps.
Universal Coordinated Time
Coordinated Universal Time (UTC) is the international standard upon which civil time is based and by which the world regulates time.
UTC is based upon UT1, which is the time determined by the rotation of the Earth. In accordance with international agreement, UTC and UT1 are not permitted to differ by more than 0.9 of a second. When it appears that the difference is approaching this limit, a one-second change is introduced to bring the two back into alignment. On average, this occurs once every 12 to 18 months. Since 1st January 1972, there have been 24 positive leap second adjustments.
UTC is the time standard used for many Internet and World Wide Web protocols. The Network Time Protocol (NTP) is designed to synchronise clocks and computers over the Internet and encodes time using the UTC system. It is widely used as it avoids confusion with time zones and daylight saving changes.
Each local time is represented as an offset from UTC, with some zones making adjustments during the year for daylight saving.
Greenwich Mean Time is a widely used historical term; however, due to ambiguity, its use is no longer recommended in technical contexts.
Daylight Saving and Standard Time
UTC does not change with a change of seasons; however, local time or civil time may change if a time zone jurisdiction observes Daylight Saving Time or summer time. For example, UTC is 5 hours ahead of local time on the east coast of the United States during the winter but 4 hours ahead during the summer. Not all time zones observe daylight saving.
To deal with the numerous time zone changes throughout the world, Microsoft periodically release a time zone update to accommodate Daylight Saving Time (DST) changes in several countries.
NetAnalysis uses Dynamic Daylight Saving information when converting UTC dates to local time and vice versa.
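The following Python example is added here to show why year-specific daylight saving rules matter when converting stored UTC timestamps; it is not NetAnalysis code and not part of the original page. It assumes a two-era rule table for US Eastern time only (1987 to 2006, and 2007 onward); the function names are hypothetical and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# US Eastern DST rule eras (assumption: only these two are modelled).
# (first_year, (start_month, nth_sunday), (end_month, nth_sunday)); -1 = last.
RULES = [
    (1987, (4, 1), (10, -1)),  # first Sunday April to last Sunday October
    (2007, (3, 2), (11, 1)),   # second Sunday March to first Sunday November
]
STANDARD = timedelta(hours=-5)  # EST
DAYLIGHT = timedelta(hours=-4)  # EDT


def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of a month; n = -1 means the last Sunday."""
    if n > 0:
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    last = datetime(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - 6) % 7)


def utc_offset(utc, dynamic=True):
    """Offset for a naive UTC datetime. dynamic=False applies the newest
    rule to every year, which is the mistake a static rule makes."""
    eras = [r for r in RULES if r[0] <= utc.year] if dynamic else RULES[-1:]
    if not eras:
        raise ValueError("year predates the modelled rules")
    _, (s_month, s_n), (e_month, e_n) = eras[-1]
    # Clocks change at 02:00 local: 07:00 UTC in spring, 06:00 UTC in autumn.
    start = nth_sunday(utc.year, s_month, s_n) + timedelta(hours=7)
    end = nth_sunday(utc.year, e_month, e_n) + timedelta(hours=6)
    return DAYLIGHT if start <= utc < end else STANDARD


def to_local(utc, dynamic=True):
    """Convert a naive UTC datetime to an offset-aware Eastern local time."""
    offset = utc_offset(utc, dynamic)
    return (utc + offset).replace(tzinfo=timezone(offset))


if __name__ == "__main__":
    # Constructed sample timestamps (UTC), not taken from any real case.
    for stamp in (datetime(2006, 3, 20, 17, 0), datetime(2007, 3, 20, 17, 0),
                  datetime(2006, 10, 30, 17, 0)):
        print(stamp.isoformat(), "UTC ->", to_local(stamp).isoformat(),
              "| static rule:", to_local(stamp, dynamic=False).isoformat())
```

For the 2006 records, applying the current rule to every year places the local time one hour late, which is enough to misorder events on a timeline.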
How NetAnalysis deals with Time Zones
NetAnalysis provides the forensic examiner with the necessary tools to automatically convert UTC timestamps to local time (and vice versa) during import. It is extremely important that NetAnalysis is set to the time zone of the suspect system and not that of the forensic examiner’s workstation.
In some situations, you may discover browser records from multiple time zones. In this situation, it is difficult to accurately convert between UTC and local time. NetAnalysis has built-in functionality to easily deal with this scenario (see Dealing with Mixed Time Zone Data).
To access the time zone settings, select Tools » Options from the Tools menu. Figure 1 shows the Time Zone Settings page.
If the time zone of the suspect computer is not identified prior to extracting and viewing any Internet history or cache data, then the date/time stamps may not be accurately represented! You MUST establish the correct settings prior to importing any data.