Trustworthy time and the crucial role it plays in providing digital evidence
Editor's Note: Nearly every day some new data assurance-related issue is featured in the news. We thought it might be a good time to blog on some of the more noteworthy aspects of the news and trends. The first in this series is on the use of trusted time.
Time is used throughout the judicial landscape to provide a chronology of events. In the digital world, these events are often captured in audit logs where each event is associated with a timestamp. When things go wrong and the audit log data is needed in a court of law as evidence, it begs the question of whether system time synchronization capabilities have been used or, even better, whether trusted time stamping solutions are installed. At issue here is whether it can be proven that the data has not been compromised or tampered with in any way.
Organizations that have implemented Network Time Protocol (NTP) are better off than those relying only on the system's hardware clock, which is usually set at the beginning of the hardware's life or maybe during some critical hardware maintenance event. This would mean that any time data, e.g. in audit logs, is only as accurate as the hardware engineer's wristwatch. In well-run IT environments this is not so common. Additionally, well-run organizations would use a log centralization tool that includes its own timestamp from when it received that audit event data. If this is done in real time across a multitude of systems, the forensic and audit value is very high.
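As an added illustration (not the post's own code), the following Python sketches the two properties the post argues for: a central collector that stamps each incoming event with its own receive time and hash-chains the records so any later change to a timestamp is detectable, plus a skew check that flags events whose source clock disagrees with the collector's, as an unsynchronized hardware clock would. The events, times, 30-second tolerance and the `_digest` helper are constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(seconds=30)  # assumed tolerance for a source clock kept in sync by NTP

def _digest(body):
    """SHA-256 over a canonical JSON encoding of a record body (hypothetical helper)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def ingest(events, receive_times):
    """Collector side: add a receive timestamp to each event and hash-chain the records."""
    records, prev = [], "0" * 64
    for ev, recv in zip(events, receive_times):
        body = {"src_ts": ev["src_ts"], "msg": ev["msg"],
                "recv_ts": recv.isoformat(), "prev": prev}
        body["hash"] = _digest(body)
        records.append(body)
        prev = body["hash"]
    return records

def verify_chain(records):
    """True only if no field (timestamps included) was altered after ingestion."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def skewed_records(records, max_skew=MAX_SKEW):
    """Indices of records whose source timestamp disagrees with the collector's by more than max_skew."""
    return [i for i, rec in enumerate(records)
            if abs(datetime.fromisoformat(rec["recv_ts"])
                   - datetime.fromisoformat(rec["src_ts"])) > max_skew]

# Constructed sample: three events from two hosts; the second host's clock is three hours off.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"src_ts": T0.isoformat(), "msg": "user alice login ok"},
    {"src_ts": (T0 - timedelta(hours=3)).isoformat(), "msg": "user bob sudo"},
    {"src_ts": (T0 + timedelta(seconds=5)).isoformat(), "msg": "config file modified"},
]
RECV = [T0 + timedelta(seconds=1), T0 + timedelta(seconds=2), T0 + timedelta(seconds=6)]
RECORDS = ingest(EVENTS, RECV)
```

On the sample, `verify_chain(RECORDS)` is true and `skewed_records(RECORDS)` returns `[1]`; rewriting any timestamp in a stored record breaks the chain.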
Going back to using these audit log records for digital evidence: if I were a cross-examining lawyer who wanted to diminish the value of the time data, it would be fun finding out whether the audit log's time source comes from some time-synchronized system or not. Obviously any time data associated with the hardware engineer's watch as an endpoint would result in significantly lower evidential weight. Or, if an NTP time server was used, then the question arises: "How vulnerable is the NTP time server and what is the time source that sets its clock?" Motivation may be a defense, but that discussion is for another blog post. There have been many vulnerabilities posted associated with the use of NTP, for example the Cisco Security Advisory: NTP Vulnerability and the Ubuntu NTP vulnerability; many more are available through a simple web search.
Trustworthy time is a crucial attribute in the digital evidence world. If the time data within the audit logs of at least the important systems does not carry sufficient evidential weight, then there could be happy defense lawyers and their clients celebrating their successes out there.
Author: Nadeem Bukhari
Tags: audit logs, Data Integrity, digital evidence, NTP, time, timestamp, vulnerability