In a session about digital forensics, we happened to discuss timestamps used in digital forensics, and it immediately captured my attention.
I had a few questions and thought of writing them down.
- How is time captured?
- What is the official source of time?
- Bharatiya Nagarik Suraksha Sanhita (BNSS) suggests the use of a mobile phone to record the search and seizure procedure – which NTP servers are the phones to be connected to at the time of recording the videos?
- BSA allows digital evidence
- evidence captured has wrong timestamp
Time in connected devices
Computers, mobile phones and most devices connected to the internet receive time from the local ISP or via time synchronization servers operated by companies like Apple, Microsoft etc. Network Time Protocol (NTP) servers are not always reliable.

[An example of an issue with time servers]
CERT-In and related organizations have been given directions to use certain specific NTP servers, as described in the FAQs:
Is it required to synchronise clocks only with NTP Servers of NPL and NIC?
Is it now required to set system clocks in Indian Standard Time (IST) only?
Ans.: The requirement of synchronising time is stipulated to ensure that only standard time facilities are used across all entities. Organisations may use accurate and standard time source other than National Physical Laboratory (NPL) and National Informatics Centre (NIC) as long as the accuracy of time is maintained by ensuring that the time source used conforms to time provided by NTP Servers of NPL and NIC.
Wrong time
Incorrect time in digital devices like mobile phones or computers will result in wrong timestamps in artifacts. These can be:
- Wrong file creation timestamps
- Wrong access or modification timestamp
- Metadata of photos/videos ends up with wrong timestamp
- Log files created may have wrong timestamps
Evidence or other data without correct timestamps can place the recorded time, and thus the related events, in the past or the future.
Creating a computing device in the past
Simple cases like clock skew or a BIOS battery not working are known, and perhaps Standard Operating Procedures exist to account for such cases. External anchors can be used to detect clock skew and find the correct timeline. However, there can be more interesting scenarios that can be investigated.
- Boot a device from an older version of Operating System
- Use a LiveCD or USB device
- Make sure there is no BIOS battery
- Change MAC Addresses of the device or arbitrary numbers before connecting to network
- Disable NTP
I am not being specific or elaborate, for specific reasons, but I hope we are very serious about “time”!
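
The external anchors mentioned above can be turned into a clock-skew estimate and a corrected timeline. The following is an added example, not code from the original post: it assumes each anchor pairs a device timestamp with an independently synchronised record of the same event, and all sample values, source names and function names are constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample anchors: (independent source, time stamped by the seized
# device, time of the same event in the independent, synchronised record).
ANCHORS = [
    ("mail server Received header", "2024-03-01T10:00:05", "2024-03-03T14:30:07"),
    ("telecom call record", "2024-03-01T11:15:40", "2024-03-03T15:45:41"),
    ("web server access log", "2024-03-01T12:02:10", "2024-03-03T16:32:13"),
    ("CCTV recorder", "2024-03-01T13:00:00", "2024-03-03T17:30:02"),
    ("messaging app server receipt", "2024-03-04T09:00:00", "2024-03-04T09:00:02"),
]
# Constructed artifact timestamps as read from the device (file metadata, logs).
ARTIFACTS = {"IMG_0042.jpg": "2024-03-01T10:20:00",
             "app.log entry": "2024-03-01T11:59:30"}

def offsets(anchors):
    """Return (source, device_time, reference - device) for each anchor pair."""
    out = []
    for source, device, reference in anchors:
        d, r = datetime.fromisoformat(device), datetime.fromisoformat(reference)
        out.append((source, d, r - d))
    return out

def estimate_skew(anchors, tolerance=timedelta(seconds=30)):
    """Median offset, plus the anchors that disagree with it beyond tolerance.

    A disagreeing anchor means the device clock changed between anchors (or
    the anchor itself is unreliable), so one constant correction cannot be
    applied to the whole timeline.
    """
    offs = offsets(anchors)
    skew = timedelta(seconds=median(o.total_seconds() for _, _, o in offs))
    outliers = [(s, d, o) for s, d, o in offs if abs(o - skew) > tolerance]
    return skew, outliers

def correct(artifacts, skew):
    """Map each artifact to (device timestamp, skew-corrected timestamp)."""
    return {name: (ts, (datetime.fromisoformat(ts) + skew).isoformat())
            for name, ts in artifacts.items()}

if __name__ == "__main__":
    skew, outliers = estimate_skew(ANCHORS)
    print("estimated device clock skew:", skew)
    for source, device_time, off in outliers:
        print(f"inconsistent anchor: {source} at device time {device_time} (offset {off})")
    for name, (raw, fixed) in correct(ARTIFACTS, skew).items():
        print(f"{name}: device {raw} -> corrected {fixed}")
```

An anchor that disagrees with the median indicates the clock changed during the period, so artifacts on either side of that point need separate corrections.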