Operating systems and applications store date and time information in various ways utilizing different timestamp formats. Therefore, one of the first steps in a digital forensic examination is to identify the current time zone settings for the system(s) under investigation. Establishing the correct time zone is essential prior to extracting and analyzing the evidence. Failing to identify the actual time zone may lead to serious trouble in the analysis which may affect the validity and accuracy of the examination results.
Identifying the correct time zone of the suspect device is necessary in a forensic examination. Records and timestamps encountered on the suspect device(s) will be based on the suspect’s system time zone information. To safeguard the validity and accuracy of the evidence and avoid misinterpretation of the evidence; this information must be established at an early stage of the investigation and taken into account during examination and reporting. In some cases, an examiner might have to investigate records from multiple time zones or devices. Thus, determining the time zone is useful when correlating different activities within a particular device or across different devices.
Timezone information is stored within the SYSTEM hive at: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
This section discusses how to use ArtiFast Windows to analyze Timezone Information artifact from Windows
what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Timezone Information artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Timezone Information artifact in ArtiFast Windows.
Timezone Information Artifact
For more information or suggestions please contact: email@example.com