Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Date of Award

Spring 2010

Document Type


Degree Name

Master of Science (MS)


Department of Computer Science


Brett Tjaden

Florian Buchholz

Steve Wang


The tools and techniques of digital forensics are useful in investigating system failures, gathering evidence of illegal activities, and analyzing computer systems after cyber attacks. Constructing an accurate timeline of digital events is essential to forensic analysis, and developing a correlation between a computer’s system time and a standard time such as Coordinated Universal Time (UTC) is key to building such a timeline. In addition to local temporal data, such as file MAC (Modified, Accessed, and Changed/Created) times and event logs, a computer may hold timestamps from other machines, such as email headers, HTTP cookies, and downloaded files. To fully understand the sequence of events on a single computer, investigators need dependable tools for building clock models of all other computers that have contributed to its timestamps. Building clock models involves measuring the system times on remote hosts and correlating them to the time on the local machine. Sending ICMP or IP timestamp requests and analyzing the responses is one way to take this measurement. The Linux program clockdiff utilizes this method, but it is slow and sometimes inaccurate. Using a series of 50 packets, clockdiff consumes an average of 11 seconds in measuring one target. Also, clockdiff assumes that the time difference between the local and target hosts is never greater than 12 hours. When it receives a timestamp showing a greater difference, it manipulates this value without alerting the user, reporting a result that could make the target appear to be more tightly synchronized with the local host than it actually is. Thus, clockdiff is not the best choice for forensic investigators. As a better alternative, we have designed and implemented a program called clockvar, which also uses ICMP and IP timestamp messages. 
We show by experiment that clockvar maintains precision when system times on the local and target hosts differ by twelve to twenty-four hours, and we demonstrate that clockvar is capable of making measurements up to 1400 times faster than clockdiff.
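The 12-hour ambiguity described above, as an added example (not from the thesis, and not clockdiff or clockvar code): ICMP timestamps are milliseconds since midnight UT (RFC 792), so one reply fixes the offset only modulo 24 hours, and folding it into ±12 hours reports a target that is 13 hours ahead as 11 hours behind. Function names and the sample packets are constructed for illustration, and the offset estimate assumes symmetric path delay.

```python
import struct

DAY_MS = 24 * 60 * 60 * 1000  # RFC 792 timestamps: ms since midnight UT, so they wrap daily

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_timestamp_reply(icmp: bytes):
    """Return (originate, receive, transmit) from a 20-byte ICMP Timestamp Reply."""
    if len(icmp) != 20 or inet_checksum(icmp) != 0:
        raise ValueError("bad length or checksum")
    typ, code, _ck, _id, _seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp)
    if (typ, code) != (14, 0):
        raise ValueError("not an ICMP Timestamp Reply")
    if (recv | xmit) & 0x80000000:  # high bit: target is not reporting ms since midnight UT
        raise ValueError("non-standard timestamp")
    return orig, recv, xmit

def clock_offset(orig, recv, xmit, arrived):
    """Target-minus-local offset in ms: (raw in [0, 24 h), folded into +/-12 h, rtt)."""
    rtt = ((arrived - orig) - (xmit - recv)) % DAY_MS  # network time only
    raw = (recv - orig - rtt // 2) % DAY_MS            # assumes symmetric path delay
    folded = raw - DAY_MS if raw >= DAY_MS // 2 else raw
    return raw, folded, rtt

def candidates(raw):
    """Offsets within +/-24 h that are consistent with one time-of-day reading."""
    return (raw - DAY_MS, raw)

def build_reply(orig, recv, xmit, ident=1, seq=1):
    """Constructed sample packet (hypothetical helper for this example)."""
    body = struct.pack("!BBHHHIII", 14, 0, 0, ident, seq, orig, recv, xmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    H = 3600 * 1000
    orig, arrived = 10 * H, 10 * H + 41  # local clock: sent 10:00:00.000, reply 41 ms later
    for true_offset in (-3 * H, 13 * H):  # constructed targets: 3 h behind, 13 h ahead
        recv = (orig + 20 + true_offset) % DAY_MS
        pkt = build_reply(orig, recv, (recv + 1) % DAY_MS)
        raw, folded, rtt = clock_offset(*parse_timestamp_reply(pkt), arrived)
        print(true_offset // H, folded / H, [c / H for c in candidates(raw)], rtt)
```

Both values returned by `candidates` fit the same reply equally well; choosing between them requires evidence that carries a date, which the ICMP timestamp does not.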