We recently received an email requesting that we elaborate on one of our past blogs about Internet Explorer with Windows 8. The problem was that events in Internet Explorer history were time stamped as happening an hour before the event is known to have occurred. We were asked why that happened. We suspected that daylight savings time (DST) would have something to do with this.
Our Experiment:
To test this we created two virtual machines, one in winter (EST) and one in summer (DST). We then generated internet history on these VMs and imaged the virtual hard drives using FTK Imager. After imaging, we ran the images through Internet Evidence Finder 6, and loaded them in Encase 7 to verify the results of IEF.
The Results:
The winter one displayed the correct time, but when looking at the summer VM we initially thought that we were having the same issue with the time being one hour behind. Then, we looked into what the current UTC time is and noticed that it’s only 4 hours ahead of us at EST. We then found a document from the National Oceanic and Atmospheric Administration that confirmed that UTC is not affected by DST.1 This image is a screenshot of part of the IEF analysis performed on one of the VMs, it shows its transition from EST to DST. Circled in orange is an entry from winter, as you can see UTC is 5 hours ahead of the local time (EST). Cirlced in red is an entry from DST, as you can see UTC is 4 hours ahead of the local time(EST).
Conclusion:
We have come to the conclusion that the timestamps may be accurate. Since IEF does not always show the local time of an event, and instead shows the UTC time of the event. Depending on the date, Eastern Standard Time is either UTC -5 or UTC -4. This is because UTC is not affected by daylight savings time, so during winter EST is UTC -5, but during DST, EST moves ahead by one hour making it UTC -4.