Abstract:
Network forensics investigations aim to find a chain of evidence that helps reconstruct the alleged attack scenario. This often requires checking the timestamps of the logs to reconstruct the event. Yet it is relatively easy for criminals to tamper with the event logs, which results in an evidence graph with falsified timestamps and hence hinders event reconstruction. The aim of this paper is to propose an algorithm that detects these falsified timestamps and re-creates the true evidence graph. Our algorithm relies on attack graphs of the system environment, which model the known vulnerability sequences that were exploited to launch the attack. We demonstrate the effectiveness and performance of our algorithm via a possible attack scenario in a network environment running a file server and a database server.
Source:
2015 8TH INTERNATIONAL SYMPOSIUM ON COMPUTATIONAL INTELLIGENCE AND DESIGN (ISCID), VOL 2
ISSN: 2165-1701
Year: 2015
Page: 369-374
Language: English
Cited Count:
WoS CC Cited Count: 1
SCOPUS Cited Count: 1
ESI Highly Cited Papers on the List: 0