LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • One-Click Timeline Creation for Swift Collaboration
  • Building 'Super-Timelines' on the Fly
  • Seamless Integration of Offline Assets and CSV Datasets
  • Behind the Scenes: Trimmed-Down Evidence Acquisition
  • Precision Flagging for Enhanced Evidence Management
  • Enrich Timelines with Manually Inserted 'Milestones'

Was this helpful?

Export as PDF
  1. AIR
  2. Features

Timeline

How to create timelines for your investigations?

PreviousCompareNextIntegrations

Last updated 6 months ago

Was this helpful?

In the intricate world of digital investigations, time is often of the essence. Timelining has been one of the most critical and time-consuming parts of digital forensic investigations. Enter Timeline Analysis, a feature designed to revolutionize the way investigators navigate through evidence and collaborate seamlessly. In this page, we'll explore the key functionalities that make Timeline Analysis a game-changer for accelerating investigations.

One-Click Timeline Creation for Swift Collaboration

The traditional way of creating timelines is collecting evidence, parsing them, and combining the results using CSV files. Time is a critical factor in investigations, and with the 'One-click' Timeline creation feature, investigators can initiate and collaborate on timelines with just a click. This not only expedites the process but also facilitates remote and multi-user collaboration within a single timeline.

AIR comes to the rescue to solve this problem. You can easily create timelines for multiple assets in parallel and see the results on a collaborative, web-based user interface in which you can tag/flag each piece of evidence.

Timelines can be created from a single asset and can be easily enriched using additional evidence such as:

  • Additional Assets

  • CSV Files

  • Milestones

  • Off-Network Acquisitions

All the flagged/tagged evidence is listed in the "Flagged" section that makes it easy to create reports before finalizing an investigation.

Building 'Super-Timelines' on the Fly

Flexibility is at the core of effective investigations. With Timeline Analysis, investigators can add more assets at any time to an existing timeline, creating what we like to call 'super-timelines.' This dynamic approach enables the consolidation of diverse assets into a comprehensive timeline for a holistic view of the investigation.

Existing and new Timelines can be created by selecting "More" from the Main Menu and then "Timelines".

To create a new Timeline, select the "+Add New" button at the top of the page:

The New "Timeline" then gives you the option to 'Create with selected assets' or 'Create an empty timeline and add evidence later'

You can now search for and select the assets desired for the Timeline:

Having selected the assets to include in the Timeline you now have to define the task by:

  1. Giving the Timeline a name.

  2. Allocating it to a Case.

  3. Selecting a Timezone

  4. Providing a description (Optional)

Seamless Integration of Offline Assets and CSV Datasets

Timeline Analysis goes a step further by allowing the import of offline asset acquisitions or CSV datasets into the same timeline. This ensures that investigators can amalgamate a wide range of data sources, enriching the investigative process.

AIR now presents you with three options for adding data to your new Timeline:

  1. Add an asset

  2. Add an off-network asset

  3. Import a CSV file

Behind the Scenes: Trimmed-Down Evidence Acquisition

While Timeline Analysis presents a user-friendly interface, it is supported by a powerful evidence acquisition mechanism behind the scenes. This mechanism selectively includes 'timestamped evidence,' ensuring a concise and relevant timeline. By default, this includes:

  • All evidence with a timestamp property

  • Browsing history

  • AMCache

  • SRUM data

Precision Flagging for Enhanced Evidence Management

Timeline Analysis introduces the concept of multiple flags for evidence items. Investigators can flag items to highlight their significance, and all flagged items are conveniently listed in the 'Flagged Evidence' section. This section can be filtered, providing a focused view of critical evidence.

Enrich Timelines with Manually Inserted 'Milestones'

Investigations are often marked by significant events, and Timeline Analysis acknowledges this by allowing investigators to manually insert 'milestones'. These milestones serve as markers for noteworthy occurrences during the investigation.

In conclusion, Timeline Analysis is not just a feature; it's a comprehensive solution for investigators seeking precision, flexibility, and collaboration in their digital investigations. With 'One-click' Timeline creation, the ability to build 'super-timelines,' integration of diverse data sources, manual milestones, streamlined reporting, and precise flagging, investigators can confidently navigate the complexities of digital evidence.

Select '+Add New' to create a new Timeline - there are no existing Timelines in this example
The Timeline creation wizard
Define the Timeline Task
Select the data type to add to the Timeline