
Checking Bios time yes or no

(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

I was addressing an RTC that is undeniably out of synch, not one that isn't. As RTC is the basis of system time after power-on (unless you have other solutions) until a better time has been obtained from somewhere, you somehow need to address that – for example by documenting a conclusion that system timestamps between X and Y are not necessarily in synch with local time, and thus should not be relied on.

Or … you may say that RTC is unreliable, and so *all* timestamps after a power up until an NTP synch are unreliable. Unless, perhaps, the diff was smaller than some well-chosen limit. As long as you document it, so that readers of your report can evaluate it.

The RTC, at some point in time (which is the crucial point), is going to be the basis of system time.

However the "addressing" of that and "a conclusion that system timestamps between X and Y are not necessarily in synch with local time, and thus should not be relied on" is part of where I think the value is debatable. You could, with good reason, argue the timestamps in any historic period should not be relied upon absolutely, whether the RTC when examined was correct or not. This could be from deliberate actions causing the clock to be wrong historically at various points in time (in order to hide actions or place them deliberately at a different point). It could also be from inadvertent actions which have led the clock to be wrong at various points in time. Etc.

If you're simply documenting it, you're leaving it open to interpretation by others, as you say, who're almost certainly less technical or not best placed to weigh the significance. If you're drawing a conclusion that a correct RTC at the time of examination means historic times are likely to be reliable I'd argue that's simply wrong. If you're drawing a conclusion that a wrong RTC means historic timestamps will be unreliable, then we're back to the original problem, in that drawing inference from an RTC value at the time of examination is problematic, and therefore I'm skeptical of the value (other than as a prompt/justification for further investigation as mentioned in the previous post).

As I say, I'd probably still collect it, even if simply as a prompt for further investigation (when significantly wrong). Although I wouldn't say not doing so causes any issue either (and wouldn't go to the ends of the earth to do so, for example if there wasn't an easy way to do it for some reason, i.e. on a device with damaged hardware).


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

An interesting topic. I think it will keep me busy until the end of times ^^

Indeed it will. Dates and times on digital devices are an absolute minefield.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

Another quick point: sometimes we collect evidence not because we personally will reference it as part of the case but because it may be in the interests of the wider investigation.

As we have seen just in this thread, there is variation of opinion on how useful the BIOS time is. Just because the initial examiner does not think it has any value, perhaps they should record it as a matter of procedure, just in case another expert further down the line does indeed want to infer or interpret something from that information. By deciding not to gather this data during the initial exam, are we effectively making the decision on behalf of any future experts?

We don't do this with a forensic image (obviously, experts get to see everything) so perhaps the same should be said re the BIOS time? Just a thought….


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Another quick point: sometimes we collect evidence not because we personally will reference it as part of the case but because it may be in the interests of the wider investigation.

As we have seen just in this thread, there is variation of opinion on how useful the BIOS time is. Just because the initial examiner does not think it has any value, perhaps they should record it as a matter of procedure, just in case another expert further down the line does indeed want to infer or interpret something from that information. By deciding not to gather this data during the initial exam, are we effectively making the decision on behalf of any future experts?

We don't do this with a forensic image (obviously, experts get to see everything) so perhaps the same should be said re the BIOS time? Just a thought….

It's a valid point.
Although, continuing to play devil's advocate, I suppose the counter to that might be that we do this all the time in some ways. Perhaps, for example, by handling exhibits that it might turn out an expert later wanted to fingerprint, and the original investigator/officer didn't. Or perhaps it's live memory, which I imagine not everyone captures as a matter of course (obviously in certain investigations that's going to be more likely than others).
Perhaps, if practical, it makes most sense to record the value in notes (for posterity), and not highlight/report it unless there's good reason to raise its prominence, in a more detailed elaboration of dates/times.


   