
Investigating Timezone Information

06/05/2022 Friday

Operating systems and applications store date and time information in various ways, using different timestamp formats. Therefore, one of the first steps in a digital forensic examination is to identify the current time zone settings for the system(s) under investigation. Establishing the correct time zone is essential before extracting and analyzing the evidence. Failing to identify the actual time zone can cause serious errors in the analysis and affect the validity and accuracy of the examination results.

Digital Forensics Value of Timezone Information Artifact

Identifying the correct time zone of the suspect device is necessary in a forensic examination. Records and timestamps encountered on the suspect device(s) will be based on the suspect’s system time zone information. To safeguard the validity and accuracy of the evidence and avoid misinterpreting it, this information must be established at an early stage of the investigation and taken into account during examination and reporting. In some cases, an examiner might have to investigate records from multiple time zones or devices. Determining the time zone is therefore also useful when correlating different activities within a particular device or across different devices.

Location of Timezone Information Artifact

Timezone information is stored within the SYSTEM hive at: SYSTEM\CurrentControlSet\Control\TimeZoneInformation
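The following Python sketch is an added example, not ArtiFast code or part of the original post. It decodes the values Windows writes under this key (Bias, StandardBias, DaylightBias, ActiveTimeBias, StandardStart, DaylightStart, TimeZoneKeyName) and converts a local timestamp to UTC. The sample values are constructed, and reading them out of the hive is assumed to be done by a separate parser.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample (not from a real case): REG_DWORDs as unsigned ints,
# REG_BINARY rules as raw bytes, as a hive parser would return them.
# In an offline hive, CurrentControlSet resolves to ControlSet00N via Select\Current.
SAMPLE = {
    "TimeZoneKeyName": "W. Europe Standard Time",
    "Bias": 0xFFFFFFC4,            # -60
    "StandardBias": 0x00000000,
    "DaylightBias": 0xFFFFFFC4,    # -60
    "ActiveTimeBias": 0xFFFFFF88,  # -120
    "StandardStart": bytes.fromhex("00000a00000005000300000000000000"),
    "DaylightStart": bytes.fromhex("00000300000005000200000000000000"),
}

def signed32(dword):
    """Biases are signed minutes, but a REG_DWORD is read as unsigned."""
    return dword - 0x100000000 if dword & 0x80000000 else dword

def decode_biases(values):
    names = ("Bias", "StandardBias", "DaylightBias", "ActiveTimeBias")
    b = {n: signed32(values[n]) for n in names}
    # Windows defines UTC = local time + bias, so the offset is the negation.
    b["utc_offset_minutes"] = -b["ActiveTimeBias"]
    b["dst_active"] = (b["DaylightBias"] != b["StandardBias"]
                       and b["ActiveTimeBias"] == b["Bias"] + b["DaylightBias"])
    return b

def parse_transition(raw):
    """Decode a 16-byte SYSTEMTIME rule (StandardStart / DaylightStart)."""
    year, month, dow, day, hour, minute, _sec, _ms = struct.unpack("<8H", raw)
    if month == 0:
        return None                # zone does not switch to/from DST
    # year == 0: recurring rule, 'day' is the occurrence (5 = last) of
    # weekday 'dow' (0 = Sunday) in 'month'; otherwise an absolute date.
    return {"recurring": year == 0, "month": month, "weekday": dow,
            "occurrence": day, "time": f"{hour:02d}:{minute:02d}"}

def local_to_utc(local_naive, biases, dst):
    """Convert a local timestamp using the bias valid on ITS date, which is
    not necessarily ActiveTimeBias (the bias when the key was last updated)."""
    part = biases["DaylightBias"] if dst else biases["StandardBias"]
    shifted = local_naive + timedelta(minutes=biases["Bias"] + part)
    return shifted.replace(tzinfo=timezone.utc)

if __name__ == "__main__":
    b = decode_biases(SAMPLE)
    print(SAMPLE["TimeZoneKeyName"], b, parse_transition(SAMPLE["DaylightStart"]))
    print(local_to_utc(datetime(2022, 5, 6, 14, 30), b, dst=True).isoformat())
```
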

Analyzing Timezone Information Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze the Timezone Information artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, you can select the Timezone Information artifact at the Artifacts Selection phase.

Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Timezone Information artifact in ArtiFast Windows.

Timezone Information Artifact
