The importance of date/time accuracy in digital forensics

When analysing web browser history the date and time that a particular action occurred can be just as important as the action itself. For example, you may be analysing history on a device that multiple people have access to and the exact time a particular action occurred could make all the difference.

Over a decade ago I was working on a digital forensics case which involved someone attempting to post a package containing class A drugs into the UK. The package was stopped and examined at the border and a controlled delivery was carried out at the destination address. Upon signing for and receiving the package the accused was promptly arrested and later that day their computer were seized as part of the operation.

The prosecution's case was based largely on a single internet history record recovered from the computer. Specifically a Google search for "prison sentence for illegal importation of drugs" conducted hours before the controlled delivery was carried out and the arrest was made. This one record constituted as evidence that the suspect was researching the penalty for importing illegal drugs before the package arrived and likely had knowledge of the package in transit.

After further analysis it was discovered that the record recovered was in fact two deleted partial internet history records that had been erroneously joined together to form a single record. The Google search was not associated with the date and time that had been reported by the forensic tool being used. In fact the Google search was most likely to have been conducted hours after the arrest had been made but before the computer had been seized. The wife of the suspect had been Googling the penalty for importation of illegal of drugs after her husband had been arrested.

This information obviously had a huge impact on the findings of the investigation for both the prosecution and defence. Not only does this highlight the importance of dates and times in investigations but also how their accuracy can be crucial.

How timestamps are stored in internet history

Most web browsers store timestamps in a similar format. They will usually be stored as the units of time that have passed since a particular date (known as the epoch).

For example, a common format used is the number of seconds that have passed since 1/1/1970 00:00:00 (known as Unix time). In this format 11th October 2016 15:30:45 would be represented as 1476199845.

The table below shows the various epoch dates and units of time used by the main desktop browsers.

Epoch DateUnit of TimeNameWeb Browsers
1/1/1601 00:00:00100-nanosecond intervalsWindows file timeInternet Explorer, Edge
1/1/1601 00:00:00MicrosecondsChrome
1/1/1970 00:00:00MicrosecondsMozilla PRTimeFirefox
1/1/1970 00:00:00MillisecondsFirefox
1/1/1970 00:00:00SecondsUnix timeChrome, Firefox

To further complicate matters web browsers have changed the formats they use over time, for example switching between different epochs from one version of the browser to the next.

Most timestamps recorded by web browsers are stored with respect to UTC. Therefore, when analysing internet history it can be useful to convert timestamps to the local time zone. If you consider the investigation we discussed where an internet search took place after a suspect was arrested but before their computer was seized. In this case it was very important to analyse the timestamps with respect to the local time zone, to determine exactly when certain actions took place. Not only do we need to consider the time zone but also if daylight saving time (DST) is in effect.

All the complexities of processing timestamps are handled for you when analysing internet history using Browser History Examiner. Timestamps are automatically parsed and can be easily sorted and filtered on.

The interactive timeline allows you to easily focus on records within a particular period of time.

All parsed timestamps can be automatically converted to the desired time zone. In addition to this the user can apply DST settings, either manually or using the preconfigured settings for the UK or US.

To try this out for yourself, visit our Downloads page for a free trial of Browser History Examiner.