First published June 2010
by Sam Raincock, IT and telecommunications expert witness
– I know it was 13:05 because I looked at my watch
– I walked past the newsagents and it was open so it must have been after 13:30
– I had just had my lunch, watched the news and left at 13:40
Without looking at your watch/clock (or computer), what time is it? What time does your watch/clock say? What time is it really?
Just like humans, digital devices may tell the incorrect time. In fact, they often do. Hence, when analysing events, it is crucial to compare like with like, otherwise the chronology may become scrambled and the evidence contradictory. In this article, I will discuss the issue of accurate digital device time and some basic techniques to assist in questioning and approximating the correct timings.
Assessing time information in a case
Case information derived from systems that regulate their time may assist establishing an accurate chronology of events. Examples include the date and time of connections presented in mobile telephone connection records and the time of bank transactions. However, other evidence may not be so certain – for example, a satellite navigation unit? It may be assumed that the time information has been established from the GPS signal, however, is this known with certainty? Is it possible the time may have been taken from the settings of the device itself?
How devices implement and regulate their use of time determines if they are accurate. If the method used is not established and investigated, it is not possible to determine their accuracy.
It may sound obvious but how many of us write “at 14:45 a file was created on the desktop computer SR1”, “at 14:47 the CCTV captured the defendant” and “the telephone evidence is consistent with the telephone being located in Little Street at 14:55 but not at 14:46”. What does this all mean?
In my experience, when time evidence is collaborated, it can cause confusion and prove difficult to present a coherent case to a jury because the accuracies are unknown. Hence, it is important to qualify such time statements particularly with regard to significant events. This will hopefully result in an unambiguous timeline to demonstrate the events in a case.
Basic techniques for establishing an accurate computer time
When computers are examined, often their date and time settings are recorded and compared with current time. This may be used to calculate the difference between the two. This difference is then sometimes used as an offset and applied to all of the time evidence on the computer. However, this technique only establishes the accuracy of the date and time when the device was examined. It cannot alone state anything about the accuracy of actual events on the computer.
There are various techniques that may assist in determining the accuracy of date and time information on a computer or highlight that there may be date and time issues. For example:
1. Examining the computer to determine if it has synchronised with a time server (a computer which keeps an approximately accurate time) and assessing the change of time in between synchronisations.
2. Establishing evidence of a user changing their date and time settings manually.
3. Performing checks to establish if the date and time settings are consistent. For example, are there any emails which imply they have been replied to prior to being received? Modification date and time stamps before a file has been created?
4. Examining user access to websites containing date and time information. For example, auction information on eBay and Google cookies files. Note that some websites and cookies take their date and time from the local settings of the computer and hence would not be helpful.
Without establishing this information or other collaborating facts, an examiner is unable to state the accuracy of the computer’s time at a given period. This effectively means that all date and time information in their compiled reports are recorded time only.
Basic considerations for establishing an accurate telephone time
Mobile telephones also potentially suffer from time accuracy problems since the handset date and time is set and can be altered by a user. They are also susceptible to date and time resets when exposed to a lack of power. Hence, without further analysis, the date and time of a video captured on the telephone will reflect only when the handset recorded that it was captured.
To address the question of time accuracy on a telephone, it is sometimes possible, depending on the data available, to compare the data stored on the telephone with information in the connection records retained by the network provider. A pattern matching technique may be used between the two evidence sources which may assist in establishing a time offset for the mobile device. This offset may then be applied to the activity on the telephone around the same period.
When connection behaviour is charted using evidence from mobile telephones and connection records, it is necessary to consider the offset between the corresponding time sources. For example, if the chart contains both call information from a handset and the respective connection records, if the handset information is not adjusted, details of calls may be duplicated. This is potentially due to the same calls presenting a recorded time in the handset and an accurate time in the connection records. It is my experience, that this incorrect collaboration of evidence is frequently seen in connection charting and can misrepresent the actual connection behaviour.
CCTV – how long did the incident occur?
CCTV is frequently assumed to be utilising an accurate date and time, especially when the system is police/council monitored. However, this is not always correct. I have evaluated cases where the chronology of events has been misinterpreted, or the case has collapsed due to the CCTV time accuracy never being questioned and the issues in timing inconsistencies in the overall evidence remaining unresolved.
Additionally, since CCTV often visually time stamps its footage, it can make any date and time errors or explaining the possibilities of inaccuracies difficult for a jury to comprehend.
Furthermore, CCTV may be used to determine the timing of a captured event, for example, calculating the speed of a vehicle. Often, such calculations rely upon number of frames per second in the examined footage. However, when CCTV footage is analysed and examined it is often converted and manipulated to various formats. It is important that these processes do not change the frames per second or other attributes of the footage. Where this is unavoidable, an examiner would need to determine exactly what changes have occurred and factor these into any calculations. Otherwise, half the number of frames per second and your 30mph car is now traveling at 60mph!
It’s time to evaluate
When dealing with time, assume nothing and ask everything – compile your case questioning every last time!
P.S. What time did you leave home this morning? Are you sure it wasn’t 10 minutes before? Really sure?
Click here to discuss this article.
Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services and IT security consultancy.
Sam specialises in the evaluation of digital evidence from the analysis of telephones to determining the functionality of software systems (and almost anything in-between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies particularly due to digital devices. Sam can be contact direct on +44 (0)1429 820131, [email protected] or http://www.raincock.co.uk.