This dataset is an ensemble of artifacts extracted from four Windows disk images, analyzed and discussed in the following paper (publication in progress): C. Vanini, C. J. Hargreaves, H. van Beek, F. Breitinger, "Was the Clock Correct? Exploring Timestamp Interpretation Through Time Anchors for Digital Forensic Event Reconstruction". Forensic Science International: Digital Investigation, 2024.
This paper deals with timestamp interpretation and addresses the problem of incorrect clocks. When the system time is skewed due to tampering, natural clock drift, or system malfunctions, recorded timestamps will not reflect the actual times at which the (real-world) events occurred.
These disk images were created as part of two multi-part controlled experiments that illustrate the application of concepts defined in the paper. For this work, only the following artifacts were extracted and are included in this dataset: the Google Chrome History database, Google Chrome cache files, and several Windows Event Logs. These artifacts contain what we refer to as 'time anchors' or 'time anomalies' and can be used to assess the correctness of system clocks.
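As an added illustration (not code from the dataset or the paper), the sketch below estimates the clock offset from cached HTTP responses by comparing the locally recorded time with the server-supplied Date header, then groups entries into periods of consistent offset. Treating the Date header as the externally sourced reference, the (local_time, date_header) tuple layout, the 5-second tolerance, and the sample values are all assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Chrome records times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (locally recorded time, HTTP Date header from the server).
SAMPLE = [
    (13353760802000000, "Fri, 01 Mar 2024 10:00:01 GMT"),
    (13353761100000000, "Fri, 01 Mar 2024 10:04:59 GMT"),
    (13353754200000000, "Fri, 01 Mar 2024 10:10:01 GMT"),  # local clock now behind
    (13353754500000000, "Fri, 01 Mar 2024 10:15:00 GMT"),
]

def webkit_to_utc(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def clock_offsets(entries):
    """Offset in seconds (local clock minus server clock) for each entry."""
    offsets = []
    for local_us, date_header in entries:
        server = parsedate_to_datetime(date_header)
        offsets.append((webkit_to_utc(local_us) - server).total_seconds())
    return offsets

def offset_segments(entries, tolerance=5.0):
    """Group consecutive entries whose offset stays within `tolerance` seconds
    of the segment's first offset. Returns (first_idx, last_idx, mean_offset)."""
    offsets = clock_offsets(entries)
    segments, start = [], 0
    for i in range(1, len(offsets) + 1):
        # Close the segment at the end of input or when the offset jumps.
        if i == len(offsets) or abs(offsets[i] - offsets[start]) > tolerance:
            chunk = offsets[start:i]
            segments.append((start, i - 1, sum(chunk) / len(chunk)))
            start = i
    return segments

if __name__ == "__main__":
    for first, last, mean in offset_segments(SAMPLE):
        print(f"entries {first}-{last}: local clock offset ~ {mean:+.1f} s")
```

The Date header has one-second resolution and is generated before the response reaches the client, so small offsets within the tolerance are expected even with a correct clock.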