One of the most important parts of digital forensics is working out when things happened. When was a file last accessed or modified? When did a user access this website? What happened yesterday at 4.30PM? This would be very easy if the entire world was based in UTC, or at least if all operating systems and log files stored time in UTC in the same format. Instead, we have various mixtures of UTC and local time, stored in Windows time format (100 nanosecond intervals since Jan 1st 1601), Unix epoch format (seconds since Jan 1st 1970), a plain string format, or however each programming language decides to encode time. This is especially important when doing forensics for global companies, where the investigation can be carried out on several computers spanning different timezones, and the investigator is in a different timezone too. Establishing a common timezone is imperative, so as not to get lost in local times when correlating evidence. Even on the same machine this is difficult - the Windows registry is in UTC, but setupapi.log and other important log files are in local time.
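As an added example (not code from the original post), the sketch below normalises the three encodings mentioned above onto a single UTC timeline. The evidence values, source labels and the log string layout are constructed, and the UTC offset of the local-time source is assumed to be known to the investigator.

```python
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """Windows time: 100-nanosecond intervals since 1601-01-01 UTC."""
    # Integer maths keeps 64-bit values exact; sub-microsecond ticks are dropped.
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)

def from_unix(seconds):
    """Unix epoch: seconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(seconds=seconds)

def from_local_string(text, fmt, utc_offset_minutes):
    """Local-time string; the offset in force on the source machine at that
    moment (daylight saving included) has to be supplied by the investigator."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    return datetime.strptime(text, fmt).replace(tzinfo=tz).astimezone(timezone.utc)

def build_timeline(events):
    """Return (utc_datetime, source) pairs sorted on the common UTC clock."""
    decoders = {"filetime": from_filetime, "unix": from_unix,
                "local": from_local_string}
    return sorted((decoders[kind](*args), source) for source, kind, args in events)

# Constructed sample evidence: (source label, encoding, decoder arguments).
# The local-time string layout is illustrative, not setupapi.log's real format;
# the machine that wrote it is assumed to be at UTC+9 (540 minutes).
SAMPLE_EVENTS = [
    ("web history", "unix", (1276608700,)),
    ("setupapi.log", "local", ("2010/06/15 22:30:50", "%Y/%m/%d %H:%M:%S", 540)),
    ("registry key", "filetime", (129210822000000000,)),
]

if __name__ == "__main__":
    for when, source in build_timeline(SAMPLE_EVENTS):
        print(when.isoformat(), source)
```

Read naively, the 22:30:50 local entry looks like the last event of the day; once converted it falls between the other two.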