Understanding strategies and challenges of timestamp tampering for improved digital forensic event reconstruction

Timestamps play a pivotal role in digital forensic event reconstruction, but due to their non-essential nature, tampering or manipulation of timestamps is possible by users in multiple ways, even on running systems. This has a significant effect on the reliability of the results from applying a timeline analysis as part of an investigation. We investigate the problem of users tampering with timestamps on a running (“live”) system. While prior work has shown that digital evidence tampering is hard, we focus on the question of why this is so. By performing a qualitative user study with advanced university students, we derive factors that influence the reliability of successful tampering, such as the individual knowledge about temporal traces, and technical restrictions to change them. These insights help to assess the reliability of timestamps from individual artifacts that are used for event reconstruction and subsequently reduce the risk of misinterpretations.

Metadata
Author: Céline Vanini, Jan Gruber, Christopher Hargreaves, Zinaida Benenson, Felix Freiling, Frank Breitinger
URN: urn:nbn:de:bvb:384-opus4-1213455
Frontdoor URL: https://opus.bibliothek.uni-augsburg.de/opus4/121345
ISBN: 979-8-4007-1076-6
Parent Title (English): DFDS '25: Proceedings of the Digital Forensics Doctoral Symposium, Brno, Czech Republic, 1 April 2025
Publisher: Association for Computing Machinery (ACM)
Place of publication: New York, NY
Type: Conference Proceeding
Language: English
Year of first Publication: 2025
Publishing Institution: Universität Augsburg
Release Date: 2025/04/09
First Page: 10
DOI: https://doi.org/10.1145/3712716.3712727
Institutes: Fakultät für Angewandte Informatik
Fakultät für Angewandte Informatik / Institut für Informatik
Fakultät für Angewandte Informatik / Institut für Informatik / Lehrstuhl für Cybersicherheit
Dewey Decimal Classification: 0 Computer science, information science, general works / 00 Computer science, knowledge, systems / 004 Data processing; computer science
Licence (German): CC-BY 4.0: Creative Commons: Attribution