Timeline
How to create timelines for your investigations?
Last updated
In the intricate world of digital investigations, time is often of the essence. Timelining has been one of the most critical and time-consuming parts of digital forensic investigations. Enter Timeline Analysis, a feature designed to revolutionize the way investigators navigate through evidence and collaborate seamlessly. In this page, we'll explore the key functionalities that make Timeline Analysis a game-changer for accelerating investigations.
The traditional way of creating timelines is to collect evidence, parse it, and combine the results using CSV files. Time is a critical factor in investigations, and with the 'One-click' Timeline creation feature, investigators can initiate and collaborate on timelines with a single click. This not only expedites the process but also facilitates remote and multi-user collaboration within a single timeline.
AIR comes to the rescue to solve this problem. You can easily create timelines for multiple assets in parallel and see the results on a collaborative, web-based user interface in which you can tag/flag each piece of evidence.
Timelines can be created from a single asset and can be easily enriched using additional evidence such as:
Additional Assets
CSV Files
Milestones
Off-Network Acquisitions
All the flagged/tagged evidence is listed in the "Flagged" section that makes it easy to create reports before finalizing an investigation.
Flexibility is at the core of effective investigations. With Timeline Analysis, investigators can add more assets at any time to an existing timeline, creating what we like to call 'super-timelines.' This dynamic approach enables the consolidation of diverse assets into a comprehensive timeline for a holistic view of the investigation.
Existing Timelines can be opened, and new ones created, by selecting "More" from the Main Menu and then "Timelines".
To create a new Timeline, select the "+Add New" button at the top of the page:
The "New Timeline" page then gives you the option to 'Create with selected assets' or 'Create an empty timeline and add evidence later'.
You can now search for and select the assets desired for the Timeline:
Having selected the assets to include in the Timeline, you now have to define the task by:
Giving the Timeline a name.
Allocating it to a Case.
Selecting a Timezone.
Providing a description (optional).
Timeline Analysis goes a step further by allowing the import of offline asset acquisitions or CSV datasets into the same timeline. This ensures that investigators can amalgamate a wide range of data sources, enriching the investigative process.
AIR now presents you with three options for adding data to your new Timeline:
Add an asset
Add an off-network asset
Import a CSV file
While Timeline Analysis presents a user-friendly interface, it is supported by a powerful evidence acquisition mechanism behind the scenes. This mechanism selectively includes 'timestamped evidence,' ensuring a concise and relevant timeline. By default, this includes:
All evidence with a timestamp property
Browsing history
AMCache
SRUM data
Timeline Analysis introduces the concept of multiple flags for evidence items. Investigators can flag items to highlight their significance, and all flagged items are conveniently listed in the 'Flagged Evidence' section. This section can be filtered, providing a focused view of critical evidence.
Investigations are often marked by significant events, and Timeline Analysis acknowledges this by allowing investigators to manually insert 'milestones'. These milestones serve as markers for noteworthy occurrences during the investigation.
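As an added example (not AIR's own code, and not how AIR implements this internally), the following Python does by hand the CSV-merge work the page describes: it parses per-asset exports, normalises timestamps recorded in different timezones, merges everything into one super-timeline, inserts a milestone, and produces the flagged view. The CSV rows, host names and UTC offsets are constructed for the example.

```python
# Added example (not AIR's own code): the manual CSV-merge timelining the page describes.
import csv, io
from datetime import datetime, timedelta, timezone

# Constructed sample exports with naive local timestamps (each source's UTC offset must be known).
HOST_A_CSV = """timestamp,source,event
2024-03-01 09:15:00,Browsing history,Visited http://example.invalid/login
2024-03-01 09:20:00,AMCache,Executed C:\\Temp\\tool.exe
"""
HOST_B_CSV = """timestamp,source,event
2024-03-01 08:10:00,SRUM,Network usage attributed to tool.exe
"""

def parse_csv(text, asset, utc_offset_hours):
    """Parse one export, converting its naive timestamps to aware UTC datetimes."""
    src_tz = timezone(timedelta(hours=utc_offset_hours))
    items = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        items.append({"ts": local.replace(tzinfo=src_tz).astimezone(timezone.utc),
                      "asset": asset, "source": row["source"],
                      "event": row["event"], "flags": set()})
    return items

def milestone(when_utc, label):
    """Investigator-inserted marker, stored in the same shape as an evidence item."""
    return {"ts": when_utc, "asset": "-", "source": "Milestone", "event": label, "flags": set()}

def build_timeline(*item_lists):
    """Merge every source into one list ordered by UTC time: the 'super-timeline'."""
    return sorted((i for lst in item_lists for i in lst), key=lambda i: i["ts"])

def flag_matching(timeline, needle, flag):
    """Flag every item whose event text contains needle; returns the number flagged."""
    hits = [i for i in timeline if needle in i["event"]]
    for i in hits:
        i["flags"].add(flag)
    return len(hits)

def flagged(timeline):
    """The 'Flagged' view: items carrying at least one flag, still in time order."""
    return [i for i in timeline if i["flags"]]

def demo():
    # HOST-A exported in UTC, HOST-B in UTC-5: on raw strings B's SRUM row would wrongly sort first.
    tl = build_timeline(parse_csv(HOST_A_CSV, "HOST-A", 0), parse_csv(HOST_B_CSV, "HOST-B", -5),
                        [milestone(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), "Alert received")])
    flag_matching(tl, "tool.exe", "suspicious-binary")
    return tl

if __name__ == "__main__":
    for i in demo():
        print(i["ts"].isoformat(), i["asset"], i["source"], i["event"], sorted(i["flags"]))
```

Run as a script it prints the merged timeline in UTC; the SRUM row from HOST-B lands last once its offset is applied, which is the ordering error a per-asset CSV merge without a common timezone would hide.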
In conclusion, Timeline Analysis is not just a feature; it's a comprehensive solution for investigators seeking precision, flexibility, and collaboration in their digital investigations. With 'One-click' Timeline creation, the ability to build 'super-timelines,' integration of diverse data sources, manual milestones, streamlined reporting, and precise flagging, investigators can confidently navigate the complexities of digital evidence.