Timeline Analysis – A One Page Guide

First published February 2010

by Darren Quick

Comments and suggestions may be sent to darren_q@hotmail.com

Prepare

The scope of the request determines the data to be collected, such as data within a specific timeframe, and data of relevance such as specific documents, pictures or video. Sources can be multiple computers, other digital data holdings, or other information sources.


Collect the relevant source files;

1. Event Logs
* Vista – windows\system32\winevt\logs\*.evtx
* XP – windows\system32\config\*.evt
Encase: run the event log parser script to export to csv
Event Log Explorer: allows you to view, merge, and export event logs with associated data descriptions

2. MFT/FAT Filetime Data (MACe)
* data for relevant files, including Modified, last Accessed, Created, MFT Entry modified
Encase: select items of interest and export data to csv or FTK Imager, FTK, X-Ways, ProDiscover, TSK, etc

3. Registry Files
* C:\windows\system32\config\sam, system, software, security
* C:\~username~\ntuser.dat
– use Access Data Registry Viewer or RegRipper predefined reports to extract keys of interest, such as TypedURL, User account creation dates, etc.
– Manually enter data into a spreadsheet

4. Internet History
* index.dat files such as; ~username~\AppData\local\Microsoft\Windows\History\History.IE5\index.dat
* also Registry TypedURLs (date is for Key not URL)
Encase: Run the Search for Internet records and export
Mandiant Web Historian
MiTeC Windows File Analyzer / Pasco

5. Email Files
* eg Outlook dbx/pst files; EML Windows Mail files
Encase: Run the Search for Email records and export
ABC Amber Outlook

6. Recycle Bin\Recycler
* located in; C:\$recycler, C:\$Recycle.Bin, etc
Encase: sort by File Deleted date column and also export entries in Recycle folders (can be done at same time as Filetime Data (MACe))
MiTeC Windows File Analyzer: browse to folder with extracted INFO2 file and export report

7. thumbs.db
* thumbs.db files in folders with pictures
Encase: thumbs parser / view file structure
MiTeC Windows File Analyzer

8. Archive Files
* zip, rar, tar, etc files
Encase: view file structure
IZArc: File, Print File List to Text File

9. Link Files
* *.lnk files
Encase script to parse link file data
MiTeC Windows File Analyzer

10. Prefetch
* located in; C:\Windows\Prefetch\
MiTeC Windows File Analyzer: exe, time, number

11. Logs
* look for log files from software, such as MSN Logs, AV scanners, CCleaner, Eraser, etc
* use Prefetch / Registry info to determine what software has been used and where log files may be

12. Restore Points
* located in; C:\System Volume Information\
* also includes previous Registry Files in the RP folders

13. Documents/Spreadsheets/PDF metadata
* extract documents and metadata from documents
* there may be information contained within the documents that will have to be manually entered into a spreadsheet, such as resume, financial transactions, etc

14. Chat Logs
* Internet Chat Logs MSN, Yahoo, etc

15. JPG Exif
* *.jpg files which hold EXIF data
BR’s EXIFextracter – extract EXIF data into a csv
* ALSO Information from photos, such as suspect photographed on holiday with date/time information (manually enter)

16. Phones
* Data extracted from mobile phones, such as; calls made and received, SMS, Photos, Video, etc
* use .XRY or Cellebrite to export to csv

17. Internet / Network Capture Files
* information from internet sources, such as dates of web site page creation or modification, WinPcap capture files

18. CCTV
* footage from CCTV showing activity of note

19. Financial Information
* information gleaned from spreadsheets or PDF files such as bank statements, or other external sources

20. Other Sources of information
* add any other source you have data for

Collate

For each source of data:

* Export / convert data to csv format
* Open csv in OpenOffice Spreadsheet / MS Excel
* Add columns for itemnumber, principaldate, realtime, source, comment
* Check time columns for accuracy and whether data is in UTC, Windows Filetime, Unix, or localtime
* If necessary, use the realtime column to convert time columns to the correct localtime. This may entail calculating the timezone offset from UTC, determining whether daylight saving (DST) was in effect, and how the OS calculates dates/times around the DST change
* sort by date columns, and highlight dates of interest
* you may need to do multiple sort and highlight processes for spreadsheets with multiple date columns (such as Filetime Data MACe spreadsheets)
* Copy highlighted dates to the principaldate column
* add data to the source column, such as AppEventLog
* add any comments to the comments column
* copy highlighted rows to a master timeline spreadsheet
* change font colour to color-code different source data
Do this for each source of data, adding selected data rows to a single master timeline spreadsheet
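As an added example that is not part of the original guide, the Python below carries the Collate steps through in code for three constructed source exports (an event log export with ISO UTC strings, a MACe export with Windows FILETIME integers, and an application log with Unix epoch seconds). The column names in the sample exports, the source labels and the examiner's timezone (Australia/Adelaide, which observes DST) are assumptions; the rows are constructed, not real evidence. Each source is normalised to UTC for the principaldate column, converted to local time for the realtime column, tagged with its source, and merged into one master timeline sorted by principaldate.

```python
"""Added example (not from the original guide): normalise time columns from
several constructed source exports into one master timeline using the guide's
columns (itemnumber, principaldate, realtime, source, comment)."""
import csv
import io
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Assumption: the examiner wants local time for Adelaide (ACST/ACDT, observes DST).
try:
    LOCAL_TZ = ZoneInfo("Australia/Adelaide")
except ZoneInfoNotFoundError:
    # Host has no tz database: fall back to a fixed ACDT offset (no DST logic).
    LOCAL_TZ = timezone(timedelta(hours=10, minutes=30), "ACDT-fixed")

# Windows FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks) -> datetime:
    """Convert a Windows FILETIME (as seen in MFT/MACe exports) to aware UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def from_unix(seconds) -> datetime:
    """Convert Unix epoch seconds (common in application logs) to aware UTC."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def from_iso_utc(text: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z (e.g. an EVTX export) to aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Per-source: which column carries the principal date, and how to parse it.
# Column names are assumptions for the constructed exports, not any tool's real schema.
SOURCES = {
    "AppEventLog": ("TimeGenerated", from_iso_utc),
    "MACe": ("Created", from_filetime),
    "CCleanerLog": ("epoch", from_unix),
}

# Constructed sample exports (all times correspond to 13/14 February 2010 UTC).
SAMPLE_EXPORTS = {
    "AppEventLog": "TimeGenerated,EventID,Message\n"
                   "2010-02-14T03:15:00Z,1000,Application Error\n"
                   "2010-02-13T22:00:00Z,1001,Service started\n",
    "MACe": "Name,Created\n"
            "resume.doc,129105909600000000\n"   # 03:16:00 UTC
            "photo.jpg,129105910200000000\n",   # 03:17:00 UTC
    "CCleanerLog": "epoch,action\n"
                   "1266118200,wiped free space\n",  # 03:30:00 UTC
}

COLUMNS = ["itemnumber", "principaldate", "realtime", "source", "comment"]


def collate(exports=SAMPLE_EXPORTS, tz=LOCAL_TZ):
    """Build the master timeline: one dict per row, sorted by principaldate (UTC)."""
    rows = []
    for source, (col, parse) in SOURCES.items():
        for rec in csv.DictReader(io.StringIO(exports[source])):
            principal = parse(rec[col])
            # Everything except the date column is kept as the comment text.
            comment = "; ".join(f"{k}={v}" for k, v in rec.items() if k != col)
            rows.append({
                "principaldate": principal,             # always UTC, used for sorting
                "realtime": principal.astimezone(tz),   # examiner's local time
                "source": source,
                "comment": comment,
            })
    rows.sort(key=lambda r: r["principaldate"])
    for n, row in enumerate(rows, 1):
        row["itemnumber"] = n
    return rows


def within_scope(rows, start_utc, end_utc):
    """Analyse step: keep only rows inside the requested timeframe."""
    return [r for r in rows if start_utc <= r["principaldate"] <= end_utc]


def to_csv(rows) -> str:
    """Write the master timeline in the guide's column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "principaldate": r["principaldate"].isoformat(),
                         "realtime": r["realtime"].isoformat()})
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(collate()))
```

Keeping principaldate in UTC and sorting on it avoids the ordering errors that appear when sources are sorted on local strings with mixed offsets; the same code run on a July date would produce +09:30 (ACST) rather than +10:30 (ACDT) for realtime because the zone database, not a hard-coded offset, decides whether DST applied.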

Analyse

* Sort by the principaldate column
* take some time to THINK about what is occurring
* add comments where relevant
* refine the data to what is relevant and remove rows which do not contribute information to the process
* copy the important information to a final spreadsheet

Disseminate

* refine the presentation spreadsheet to enable ease of reading and decide how best to present your findings; i2, spreadsheet, written report, etc
