What’s a Timeline

Timeline analysis is a great technique to determine the activity that occurred on a system at a certain point in time. The technique has been valuable for me on examinations ranging from human resource policy violations to financial investigations to malware infections. Here is an analogy I came up with to explain what timelines are.

Not Even Close To a Timeline

The picture below shows how data looks on a hard drive using the operating system. It does a decent job if you are using the computer but the method doesn’t work for a forensic examination. There’s a lot of missing data such as: file system artifacts, hidden files/folders, and the metadata stored in files/folders.

In technical books cabinets are used to explain how hard drives function since they store items similar to how a drives store data. Using the operating system to view data on a hard drive is the equivalent to looking at the cabinet as pictured below. You are unable to see what lies beneath.

Getting Closer To a Timeline

The picture below shows how data on a hard drive looks using a digital forensic tool. The tool does a better job than the operating system since it displays a lot more data. File system artifacts, hidden files/folders, and file system metadata can now be examined. However, the tool does not readily show some data such as the metadata stored inside of files. The picture highlights the need for additional steps to extract the data inside prefetch files.

The cabinet’s contents can now be seen since the doors are opened. There are containers, pots, and pans. However, additional steps need to be taken to determine what is inside those items. Just like more steps are required in Encase to see prefetch files’ metadata.

This is What I’m Talking About

The picture below shows how data looks on a hard drive using a timeline. It might not look as pretty as a Graphical User Interface but it provides so much more data. The timeline section shown contains: both timestamps from the Master File Table (MFT), data stored in prefetch files, events from an event log, and registry keys.

The opened cabinet doors allowed the pots, pans, and containers’ contents to be examined. To the untrained eye it might look like chaos but to the knowledgeable observer they can now see what was stored in the cabinet including the now visible measuring cups. It's kind of like how a timeline makes visible activity on a system that may not have been readily apparent.