Timezone

The analysis of artifacts and their timestamps are extremely useful in piecing together what occurred on a computer system. Almost every forensic artifact has date and time information, such as the last modified date of a document, the date of a user login, or the duration that a certain connection was in place. These times may be stored in different formats, either as Coordinated Universal Time (UTC) or with reference to the set timezone of the machine.

Depending on the configuration of a computer and the various applications and cloud accounts, the accuracy of timezones depends on a number of factors. For example, we sometimes find that certain timezone settings are incorrect, set to UTC rather than NZT. These settings can either be changed manually by the user. Depending on the timezone and country, there may be further variances due to daylight saving time made to the timestamps of artifacts that need to be accounted for.

Incorrect time zones can lead to confusing or misleading evidential artifacts being presented. For example, we often see people interpret email logs as being recorded in the middle of the night, when in fact they were the middle of the day when the correct time when the calculation is conducted.