
Using SIMILE for timeline visualization

Posted September 2nd, 2009 by kiddi

As my previous post discussed, the new version of log2timeline includes the option to output the timeline as an XML document that can be read by timeline visualization tools such as the SIMILE Timeline widget.

Timeline analysis can be very time consuming, especially since we are often dealing with a tremendous amount of data in a traditional timeline. Tools like log2timeline, which extract timeline information from artifacts, only add to this problem by increasing the amount of information an investigator has to review. Yet adding artifact information to the timeline can provide a great wealth of information, shortening the time an analyst needs to “solve” a case (provided that the investigator manages to find the needle in the haystack).

Traditionally, timeline analysis has been a manual process in which an investigator sifts through the information in an Excel sheet or a text file (a la mactime output). The notion of representing the timeline visually has always been an appealing one, since it could make the analysis easier.

One solution to the visualization is to use tools like SIMILE to represent the data. An example of such a timeline can be found here. It is the same timeline that I discussed in previous posts on the SANS Forensics blog (here and here).

Although very promising, this approach creates some problems. For one, it requires some manual work from the investigator to get it working: creating an HTML file with the correct parameters to load the XML file, and having access to a web server on which to host the timeline. Another, quite significant, problem is that this method does not help the investigator reduce the data set: there is no real way to remove unneeded events (only some simple filters), and no easy way to zoom in and out of the timeline.
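As an added example (not code from log2timeline or from this post), here is a small Python converter that turns mactime-style bodyfile lines, one of the formats log2timeline can write, into the XML the SIMILE Timeline widget loads (a `<data>` root holding `<event start="..." title="...">` elements) and applies the kind of time-window filter the widget itself lacks. The bodyfile lines are constructed sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in Sleuth Kit bodyfile format (the mactime input):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds)
SAMPLE_BODY = """\
0|C:/Users/alice/Downloads/invoice.zip|0|r/rrwxrwxrwx|0|0|4096|1251896400|1251896300|1251896300|1251896300
0|C:/Windows/Prefetch/SAMPLE.EXE-1A2B3C4D.pf|0|r/rrwxrwxrwx|0|0|512|1251896520|1251896520|1251896520|1251896520
0|C:/Windows/System32/kernel32.dll|0|r/rrwxrwxrwx|0|0|1024|1200000000|1200000000|1200000000|1200000000
"""

TIMESTAMP_FIELDS = ("atime", "mtime", "ctime", "crtime")


def parse_body(text):
    """Yield (epoch, kind, path) for every populated timestamp in the bodyfile."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("malformed bodyfile line: %r" % line)
        path = fields[1]
        for kind, value in zip(TIMESTAMP_FIELDS, fields[7:11]):
            ts = int(value)
            if ts > 0:  # bodyfile uses 0 for "timestamp not available"
                yield ts, kind, path


def to_simile_xml(text, start=None, end=None):
    """Return (xml_string, event_count) in SIMILE Timeline event format,
    keeping only events whose epoch lies inside [start, end]; None = unbounded."""
    root = ET.Element("data")
    count = 0
    for ts, kind, path in sorted(parse_body(text)):
        if (start is not None and ts < start) or (end is not None and ts > end):
            continue  # data reduction: drop events outside the window of interest
        # SIMILE parses dates with the browser's Date parser; this form is accepted.
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%b %d %Y %H:%M:%S GMT")
        ev = ET.SubElement(root, "event", start=when, title="%s %s" % (kind, path))
        ev.text = path  # shown in the event bubble
        count += 1
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    # Keep only September 2nd, 2009 (UTC); the 2008 kernel32.dll events are dropped.
    xml, n = to_simile_xml(SAMPLE_BODY, start=1251849600, end=1251936000)
    print(n, "events\n" + xml)
```

Save the output as the XML file referenced from the widget's HTML page and serve both from the same web server.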

But still, this is one step towards better visualization of timeline analysis, something that can be further developed…

Categories: Forensics

Comments

  1. October 16th, 2009 at 16:42

    Hello from Russia!
    Can I quote a post in your blog with the link to you?
