Hi All.
I am new and have only recently started studying digital forensics.
I am doing a case study project, but I have a doubt about the time zone to set for my case.
Basically, I have to analyze an image of a PC disk found in a time zone for example A, but the photos of the crime were taken in a time zone for example B, and I (examiner) am in the time zone C.
What time zone should I set?
I thank anyone who clarifies this doubt.
Depends on where you found the timestamp and whether it's stored in UTC or the user's local time. Most are stored in UTC, which makes it easy, as you can just convert it to whatever time zone is appropriate for your investigation. If it's a local timestamp, it gets trickier: you'll have to determine the local settings of the computer, but even then, those times might have changed when the photo was taken.
Ultimately you need more information to get a concise answer.
Jamie
Hi mcman,
Thank you for your explanation.
My timestamp is stored in UTC in fact.
But I don't understand one thing.
Isn't it easier to change the time zone with the local computer and only change the time for photos?
So I won't have to change the time in all my evidence provided by the computer.
Or could I have problems?
Unless I'm absolutely sure all relevant artifacts are in a single time zone, I will set my case/evidence to UTC. And then for my report I will convert timestamps as necessary if there are TZ differences to account for.
Be cognizant of the fact that just because a picture may have been taken in a different time zone, the timestamp you are looking at is likely a file system timestamp when that picture was placed on the computer. And that time zone may in fact be the same time zone as the computer itself.
What time zone should I set?
Where?
In general, your job is to be as clear and unambiguous as possible. If your case has connections with other cases, it may be clearer to use the same time zone setting in all of them. In other cases, the local time zone is easier to grasp. And in cases where daylight saving settings affect time translation, UTC may be better (provided you can get it – if you can't, you may cause problems by choosing it). That assumes that you don't have lots of local-time-zone-only timestamps …
However, you can't make a good decision unless you know how the setting you speak of affects you. That's why 'where' is an important question to answer.
Hi athulin.
When I have to build my timeline, I have to calculate the local time zone for each piece of evidence that I have to analyse.
I thought that if I set the local time zone to Chicago, then I have to calculate only the time zone of the location where the photos were taken (which is different), instead of setting the UTC time zone and calculating the time zone for all the evidence. Does it work like this?
When I have to build my timeline, I have to calculate the local time zone for each piece of evidence that I have to analyse.
In your particular case (which appears mainly educational), using local time (which I assume is Chicago time) is probably the best. Timelines impose relations between timestamps, and it is probably more clear to make them local. That assumes that the timestamps are such that they may be subject to double-checking with external, local timestamps – such as receipts from card purchases, cab fares, logs from other systems or evidence from local witnesses.
If there is significant activity in another timezone, you might use both (for the same reasons), and use the timeline as a way of integrating them into one.
Hi All,
Thanks everyone for your suggestions.
I would like to ask if anyone knows of free software to perform very effective timeline analysis.
Log2timeline/plaso is probably your best free option.
Jamie
Hi All.
I still have doubts about the conversion from the UTC time zone to the local time zone.
I state that I am using Autopsy.
I identified the local location which is Chicago Time Zone UTC -6 or UTC -5 in Daylight Saving Time.
But there is evidence that also involves another time zone, UTC -8 or -7 in the case of Daylight Saving Time.
In the import file in Autopsy I set UTC time zone but I noticed that there is a difference of an hour.
I thought that maybe the problem could be in the file that I imported (.E01) which is perhaps set with GMT and that could create the extra daylight saving time problem.
For example, I have an e-mail in Daylight Saving Time
Data received on 31/5/2002 at 01:11:11
Data sent on 31/5/2002 at 01:11:10
Internet header details
30/5/2002 17:11:11 -07:00
In this case the email was sent from another time zone, UTC -7. The calculation to obtain the local time in the Chicago time zone should be
31/5/2002 01:11:11 - 5 = 30/5/2002 18:11:11 -5
which is different from 30/5/2002 17:11:11 -07:00 already in the internet header details.
What's the problem?
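The conversion discussed in the thread, as an added example that is not part of the original posts: it normalises the email header timestamp to UTC, renders it at Chicago's DST offset, and checks under which candidate offset the time the tool displayed would be the same instant. The RFC 2822 form of the header is reconstructed from the values in the last post; the function names and the UTC+1 candidate are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Offsets named in the thread, plus UTC+1 as an extra candidate (assumption).
CANDIDATE_OFFSETS = {
    "UTC": 0,
    "UTC-5 (Chicago, DST)": -5,
    "UTC-6 (Chicago, standard)": -6,
    "UTC-7 (sender, DST)": -7,
    "UTC-8 (sender, standard)": -8,
    "UTC+1 (assumed candidate)": 1,
}

# Constructed from the values in the post, written as an RFC 2822 Date value.
HEADER_DATE = "Thu, 30 May 2002 17:11:11 -0700"
DISPLAYED = "31/05/2002 01:11:11"  # what the tool showed as "received"


def header_to_utc(header_date):
    """Parse a Date header (which carries its own offset) and normalise to UTC."""
    return parsedate_to_datetime(header_date).astimezone(timezone.utc)


def render(instant, offset_hours):
    """Show one instant as wall-clock time at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return instant.astimezone(tz).strftime("%d/%m/%Y %H:%M:%S %z")


def reconcile(displayed, header_date, tolerance_s=5):
    """Return the candidate offsets under which the displayed wall-clock
    time is the same instant as the header timestamp."""
    wall = datetime.strptime(displayed, "%d/%m/%Y %H:%M:%S")
    target = header_to_utc(header_date)
    matches = []
    for label, hours in CANDIDATE_OFFSETS.items():
        tz = timezone(timedelta(hours=hours))
        delta = wall.replace(tzinfo=tz) - target
        if abs(delta.total_seconds()) <= tolerance_s:
            matches.append(label)
    return matches


if __name__ == "__main__":
    sent = header_to_utc(HEADER_DATE)
    print("header as UTC:    ", render(sent, 0))
    print("header in Chicago:", render(sent, -5))
    print("display matches:  ", reconcile(DISPLAYED, HEADER_DATE))
```

A match only shows which offset is arithmetically consistent with the header; it does not establish how the tool or the image was configured. For timelines that cross daylight saving changes, IANA zone names (for example through Python's `zoneinfo`) replace the fixed offsets used here.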