online_date_forensics_guide

Introduction



Collection of possibilities



Web-Site

A simple website that claims it was created in 1834 will probably not hold up as evidence. This is because dates can easily be forged on computers, especially if it is your own computer and/or only a single computer.

This is completely different if older copies of that website exist elsewhere, e.g. in the Internet Archive's Wayback Machine (http://www.archive.org/index.php).

(Please insert links to news reports describing cases where the Wayback Machine was used as evidence here.)


CVS archive

Well-maintained CVS archives, such as those on SourceForge, are considered valid evidence!


EMail

SMTP-based email contains "Received" headers that record its path through the Internet from sender to receiver. Each "Received" header carries a timestamp and usually names both the machine that accepted the message and the machine that handed it over. For example, here are two "Received" headers taken from a message sent to the priorart-discuss mailing list:

Received: from smtp.osdl.org (smtp.osdl.org [65.172.181.4])
by e1.ny.us.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id k5GElDi4005537
(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=FAIL);
Fri, 16 Jun 2006 10:47:15 -0400

Received: from fire-2.osdl.org (localhost [127.0.0.1])
by smtp.osdl.org (8.12.8/8.12.8) with ESMTP id k5GEkcgu006185;
Fri, 16 Jun 2006 07:46:44 -0700

Each "Received" header is written by the server named after "by" at the moment it accepts the message from the host named after "from". The second (lower) header therefore tells us that the OSDL mail server "smtp.osdl.org" received the message from "fire-2.osdl.org" on June 16, 2006 at 7:46:44 AM PDT (-0700, i.e. 10:46:44 AM EDT); the "(localhost [127.0.0.1])" annotation shows that this was a local hand-off over the loopback interface on the OSDL server rather than a hop between two hosts. Since each relay prepends its own header, "Received" headers appear in reverse time order, so the first (upper) header tells us that the IBM mail server "e1.ny.us.ibm.com" subsequently received the message from "smtp.osdl.org" at 10:47:15 AM EDT (-0400, i.e. 7:47:15 AM PDT).

Note that the two timestamps are 31 seconds apart and were written by machines controlled by different organizations. Anyone arguing that these timestamps are significantly incorrect would likely find themselves in the position of:

  1. arguing that the message had been tampered with, or
  2. explaining how two different machines in two different organizations had their clocks wrong by the same amount.

The first line of attack on the timestamp is the same that one might make against a timestamp on a paper publication, and the second would likely require the attacker to put forward an improbable conspiracy theory. Bear in mind, though, that the originator of a message can insert fabricated "Received" lines beneath the genuine ones, so only the headers added by relays the sender did not control (here, at the very least the IBM server) carry real weight; that is exactly why a hop between two organizations is worth more than any number of hops inside one.

Please note that the existence of these "Received" headers does not make the more modern hash-based timestamps unnecessary. Having multiple lines of defense is healthy, so a strategy using both "Received" headers and hashing may be helpful, especially in cases where the email in question never left a single organization, so that every header was written by a clock that one party controls.

So this kind of email date forensics is likely to be quite effective for old email posted to mailing lists; but for new email, why not also make use of hashing?
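As an added example (not part of the original page), the following Python script applies the reasoning above mechanically: it parses the two "Received" headers quoted earlier, normalises both timestamps to UTC, checks that the upper header was stamped no earlier than the lower one, and reports whether the receiving servers belong to more than one organisation. The two headers are the real ones from the page; the surrounding From/Subject/body lines are constructed so that the text forms a complete message.

```python
"""Check the timestamp chain in a message's "Received" headers.

Each "Received" header is prepended by the MTA named after "by" when it
accepts the message from the host named after "from", so reading the
headers top to bottom the timestamps should decrease.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The two headers quoted above, wrapped in a minimal message.  The
# From, Subject and body lines are constructed for this example.
SAMPLE_MESSAGE = """\
Received: from smtp.osdl.org (smtp.osdl.org [65.172.181.4])
    by e1.ny.us.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id k5GElDi4005537
    (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=FAIL);
    Fri, 16 Jun 2006 10:47:15 -0400
Received: from fire-2.osdl.org (localhost [127.0.0.1])
    by smtp.osdl.org (8.12.8/8.12.8) with ESMTP id k5GEkcgu006185;
    Fri, 16 Jun 2006 07:46:44 -0700
From: announce@example.org
Subject: Release 1.0 available for download

(body omitted)
"""


@dataclass
class Hop:
    sender: str         # host named after "from"
    receiver: str       # host named after "by": the MTA that wrote the header
    when_utc: datetime  # header timestamp normalised to UTC
    loopback: bool      # connection came from 127.0.0.1/::1 (local hand-off)


def parse_received(raw_message: str) -> list[Hop]:
    """Return the hops newest-first, i.e. in the order they appear."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value).strip()   # unfold the header
        sender = re.search(r"\bfrom\s+(\S+)", value)
        receiver = re.search(r"\bby\s+(\S+)", value)
        stamp = value.rsplit(";", 1)[-1].strip()      # date follows the last ';'
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        hops.append(Hop(
            sender=sender.group(1) if sender else "?",
            receiver=receiver.group(1) if receiver else "?",
            when_utc=when,
            loopback=bool(re.search(r"\[(127\.0\.0\.1|::1)\]", value)),
        ))
    return hops


def org_of(host: str) -> str:
    """Crude organisation key: the last two DNS labels of a hostname."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_chain(hops: list[Hop], max_gap: timedelta = timedelta(days=1)) -> dict:
    """Compare each header with the one below it.

    Returns the gap in seconds between adjacent hops (positive means the
    upper header is later, as expected), a list of problems, and whether
    the receiving MTAs span more than one organisation.
    """
    gaps, problems = [], []
    for later, earlier in zip(hops, hops[1:]):
        gap = int((later.when_utc - earlier.when_utc).total_seconds())
        gaps.append(gap)
        if gap < 0:
            problems.append(
                f"{later.receiver} stamped the message {-gap}s BEFORE "
                f"{earlier.receiver}: a clock is wrong or a header was forged")
        elif gap > max_gap.total_seconds():
            problems.append(
                f"{gap}s between {earlier.receiver} and {later.receiver}: "
                f"message was delayed or a header is bogus")
    independent = len({org_of(h.receiver) for h in hops}) > 1
    return {"gaps": gaps, "problems": problems, "independent_orgs": independent}


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for h in hops:
        flag = " (loopback hand-off)" if h.loopback else ""
        print(f"{h.when_utc:%Y-%m-%d %H:%M:%S}Z  {h.sender} -> {h.receiver}{flag}")
    print(check_chain(hops))
```

For the sample message this yields a single gap of 31 seconds, no problems, and receivers in two organisations (ibm.com and osdl.org). The loopback flag marks the lower hop as a hand-off on the OSDL server itself, so its "from" host is not an additional independent witness; the two clocks that matter are those of smtp.osdl.org and e1.ny.us.ibm.com.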


Why timestamps if EMail is already secure?

Hash values become helpful exactly when you only have a reference
to some program in that email, but the email alone is not valid prior
art by itself.

So if you can show with those "Received" headers that some release was
announced for public download on that date, then a timestamp can prove
the content of that announced release/file, and thus it can be used as
prior art. Kechel 13:28, 2 October 2006 (PDT)


FTP-Mirrors

I don't know: does mirror software also copy the dates of the mirrored files, or does it create its own date in the filesystem for when it mirrored the data?

PEM: this depends on how the archive was created. The "tar" program preserves timestamps, but not all commands do.


Backup Media

Magnetic-tape or CD/DVD-based backups can provide timestamps.


.. to be continued ..

Please create new sections for other ideas!
