AI Summary
This study addresses the loss of reliability in digital forensic event timelines caused by users tampering with timestamps on live (running) systems. Through a qualitative user study with advanced university students, the authors examine how participants go about manipulating timestamps, including the multi-step approaches they adopt to deal with second-order traces (the traces left behind by the tampering itself). From this they derive factors that determine whether tampering succeeds, such as an individual's knowledge of temporal traces and the technical (e.g. kernel- or filesystem-level) restrictions on changing them. These factors give investigators criteria for judging how far the timestamps of individual artifacts can be trusted during event reconstruction, and so reduce the risk of reconstructing an incorrect sequence of events.
Abstract
Timestamps play a pivotal role in digital forensic event reconstruction, but because they are not essential to the operation of a system, users can tamper with or manipulate them in multiple ways, even on running systems. This significantly affects the reliability of the results obtained from timeline analysis as part of an investigation. In this paper, we investigate the problem of users tampering with timestamps on a running ("live") system. While prior work has shown that tampering with digital evidence is hard, we focus on the question of why this is so. By performing a qualitative user study with advanced university students, we observe, for example, a commonly applied multi-step approach for dealing with second-order traces (traces of traces). We also derive factors that influence the reliability of successful tampering, such as the individual's knowledge of temporal traces and the technical restrictions on changing them. These insights help to assess the reliability of timestamps from the individual artifacts relied on for event reconstruction, and subsequently reduce the risk of incorrect event reconstruction during investigations.
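As an added illustration of the "technical restrictions" and "second-order traces" the abstract refers to (this is example code written for this page, not material from the study or its authors): on Linux and other POSIX systems an unprivileged user can set a file's atime and mtime through utime(2), which is what `touch -d` does, but ctime is maintained by the kernel and cannot be set from user space. The tampering call therefore stamps the inode with the current clock, leaving a trace of the trace. The helper names (`backdate_timestamps`, `looks_backdated`, `demo`), the one-hour threshold and the sample file are assumptions of this example; the file content is constructed for the demo.

```python
import os
import tempfile
import time


def backdate_timestamps(path: str, new_time: float) -> None:
    """User-level tampering as an unprivileged user would do it (touch -d / utime(2)).

    utime(2) lets the caller choose atime and mtime freely, but ctime is owned
    by the kernel and is set to the current clock whenever the inode changes,
    including by this very call.  That kernel-side update is a second-order
    trace: evidence of the tampering rather than of the original event.
    """
    os.utime(path, (new_time, new_time))


def timestamp_triplet(path: str) -> dict:
    """Return atime/mtime/ctime of `path` as POSIX seconds (floats)."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def ctime_mtime_gap(path: str) -> float:
    """Seconds by which ctime is newer than mtime (positive = ctime is later)."""
    ts = timestamp_triplet(path)
    return ts["ctime"] - ts["mtime"]


def looks_backdated(path: str, min_gap_seconds: float = 3600.0) -> bool:
    """Indicator, not proof, that mtime was pushed into the past after the last write.

    A large positive gap is consistent with utime(2) backdating.  It is only a
    hint: chmod, chown, rename and hard-link changes also bump ctime without
    touching mtime, so the investigator must weigh it against other artifacts.
    The threshold is an assumption chosen for this example.
    """
    return ctime_mtime_gap(path) > min_gap_seconds


def demo(tmp_dir=None) -> dict:
    """Create a file, backdate it the way a tampering user would, and collect the
    first-order evidence (the manipulated mtime) and the second-order evidence
    (the kernel-updated ctime).  Results are returned rather than printed so
    they can be checked programmatically."""
    target = 1_000_000_000.0  # 2001-09-09T01:46:40Z, an obviously old value
    fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="timestomp-")
    try:
        with os.fdopen(fd, "w") as fh:
            # Constructed sample content; any write sets mtime and ctime to "now".
            fh.write("constructed sample file for the timestamp demo\n")
        before = timestamp_triplet(path)
        backdate_timestamps(path, target)
        after = timestamp_triplet(path)
        return {
            "target": target,
            "before": before,
            "after": after,
            "gap_seconds": ctime_mtime_gap(path),
            "looks_backdated": looks_backdated(path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    def fmt(t):
        return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t))

    r = demo()
    for phase in ("before", "after"):
        ts = r[phase]
        print(f"{phase:6s} atime={fmt(ts['atime'])} mtime={fmt(ts['mtime'])} "
              f"ctime={fmt(ts['ctime'])}")
    print(f"ctime is {r['gap_seconds'] / 86400:.0f} days newer than mtime; "
          f"looks_backdated={r['looks_backdated']}")
```

Run stand-alone, the script shows mtime and atime landing exactly on the chosen 2001 value while ctime stays at the wall-clock time of the utime call. The check is deliberately conservative: a ctime that is much newer than mtime is a reason to distrust that artifact's mtime, not a finding on its own. It is also worth noting, as a general caveat and not a claim of the paper, that the indicator is defeated by the multi-step route of first moving the system clock back (which needs root) and only then touching the file, so that ctime is backdated too; that detour in turn leaves its own traces, for example clock-change entries in the system journal, which is the regress of traces of traces the study is concerned with. On Windows NTFS the analogous comparison is between the user-settable $STANDARD_INFORMATION timestamps and the $FILE_NAME timestamps that the Windows API does not expose for modification.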