DST – Challenges for System Event Logging and Cyber-Security Investigations

Without getting into the “more daylight” reasoning for Daylight Saving Time (DST), it is just one of the many challenges computing systems face in recording timed events, and a bigger problem for InfoSec professionals working on digital forensic investigations that span a DST change. DST in and of itself is a challenge when it comes to synchronizing clocks on computer systems, along with database transactions and the logging of timed events. A common practice for recording time-based information is to store point-in-time values in Coordinated Universal Time (UTC), more commonly known as Greenwich Mean Time (GMT). But if a system lacks centralized logging and is not configured to synchronize with a Network Time Protocol (NTP) server, it can be hard to piece together events across disparate systems, which is essential when investigating a Cyber-Attack. Given that a global organization already struggles to agree on a time zone for record keeping, DST only adds to the complexity of system logging and of recording database transactions in high-speed transaction-processing systems. There are also potentially negative effects on automated tasks such as backup jobs for disaster recovery.

Considering that certain parts of the world have never used DST, it’s surprising that we still do, especially given the cost of troubleshooting systems that are error-prone during this clock reset and require manual re-calibration. So now that Tennessee has joined Arizona and Hawaii in abandoning DST, it may be time for the country, or better yet the world, to follow suit. The cost of all this manual effort to synchronize or verify clocks is hard to pin down, but it isn't cheap, and that alone should justify any country’s government ending DST.

For information security forensic investigations, it’s difficult to trace events when they are recorded in different time zones or from non-synchronized clocks. If the timeline of events cannot be confirmed, there is no easy way to connect the dots in a digital forensics investigation that may span multiple systems; confidence in the data drops and more has to be inferred. The middle of a security investigation is the worst time to find out that a system’s clock has not been synchronized or that its time zone is set incorrectly.
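To make the problem concrete, here is an added example (not code from the original post) that merges two constructed logs onto a single UTC timeline: a web server that stamps events in local US Eastern time with no offset, and a database that already logs in UTC. The offset table, the log lines and the "fall-back" date are all constructed for illustration; the repeated 01:00-01:59 hour shows why a local timestamp alone cannot always fix an event's place in the timeline.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample data, not from any real system. The web server stamps
# events in local US Eastern time with no offset; the database logs in UTC.
# 2021-11-07 is the US fall-back date: 01:00-01:59 local occurs twice.
WEB_LOG = ["2021-11-07 01:30:00 GET /login 200",
           "2021-11-07 00:55:00 GET /admin 403"]
DB_LOG = ["2021-11-07T05:40:00Z UPDATE users SET role='admin'"]

# Offset table for the web server's zone (US Eastern, 2021), in the form tz
# databases use: the UTC instant of each transition and the offset after it.
BASE_OFFSET = timedelta(hours=-5)
TRANSITIONS = [(datetime(2021, 3, 14, 7, 0, tzinfo=UTC), timedelta(hours=-4)),
               (datetime(2021, 11, 7, 6, 0, tzinfo=UTC), timedelta(hours=-5))]

def local_to_utc(stamp):
    """Return every UTC instant whose wall clock reads `stamp` in this zone:
    one normally, two in the repeated hour after fall-back, none in the
    skipped hour after spring-forward."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    starts = [datetime.min.replace(tzinfo=UTC)] + [t for t, _ in TRANSITIONS]
    ends = [t for t, _ in TRANSITIONS] + [datetime.max.replace(tzinfo=UTC)]
    offsets = [BASE_OFFSET] + [off for _, off in TRANSITIONS]
    found = []
    for start, end, off in zip(starts, ends, offsets):
        cand = naive.replace(tzinfo=UTC) - off   # instant if this offset applied
        if start <= cand < end:                  # ...and it really was in effect
            found.append(cand)
    return found

def build_timeline():
    """Merge both logs on one UTC axis. Ambiguous local stamps are placed at
    each possible instant and tagged, so the gap in certainty stays visible."""
    events = []
    for line in WEB_LOG:
        cands = local_to_utc(line[:19])
        tag = "AMBIGUOUS " if len(cands) > 1 else ""
        for utc in cands:
            events.append((utc, "web: " + tag + line[20:]))
    for line in DB_LOG:
        stamp, msg = line.split(" ", 1)
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        events.append((utc, "db: " + msg))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for utc, msg in build_timeline():
        print(utc.isoformat(), msg)
```

On this data the login lands either before or after the privilege change in the database, and nothing in the local log can say which; an NTP-synchronized clock logging in UTC removes the ambiguity entirely.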
