Tackling Timelines at the LCDI

This summer the LCDI is tackling timelines with an in-depth analysis of what they are and how to use them effectively during an investigation, producing guides for law enforcement and for our own use. Timeline analysis helps filter content for examination: it sets a scope and displays the files that fall within the specified time frame for further analysis. A forensic timeline gives the investigator a sorted list of all the items within the acquired evidence. This allows chronological sorting of an entire hard drive if the investigator wishes, giving a different view of the evidence. Timelines ignore file structure and instead look at the individual files and their position relative to one another in time.

Manually creating a timeline can be a tedious process and discourage investigators from utilizing them during an analysis. The amount of time it would take to sort each and every file on a device would be counterproductive, especially with gigabytes of data. To assist with timeline creation and timeline analysis, tools have been developed to automate this process.
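To make the idea concrete, here is a small added example (written for this post, not code from the LCDI or from any of the tools discussed) that does by hand what the automation tools do at scale: it flattens file metadata records into one event per timestamp, marks each event with mactime-style MACB flags, sorts everything chronologically, and then scopes the result to a time window. The records are constructed sample data with placeholder paths, not entries from any real evidence image.

```python
from datetime import datetime, timezone

# Constructed sample metadata records (placeholder paths, not real evidence).
# Each record carries the fields a file-system parser typically extracts:
# the path plus modified (m), accessed (a), changed (c) and born/created (b) times.
SAMPLE_RECORDS = [
    {"path": "/Users/alice/Documents/report.docx",
     "m": "2013-06-03T14:05:00Z", "a": "2013-06-04T09:12:00Z",
     "c": "2013-06-03T14:05:00Z", "b": "2013-05-20T10:00:00Z"},
    {"path": "/Users/alice/Downloads/setup.exe",
     "m": "2013-06-03T13:58:30Z", "a": "2013-06-03T13:59:02Z",
     "c": "2013-06-03T13:58:30Z", "b": "2013-06-03T13:58:30Z"},
    {"path": "/Windows/Prefetch/SETUP.EXE-PLACEHOLDER.pf",
     "m": "2013-06-03T13:59:10Z", "a": "2013-06-03T13:59:10Z",
     "c": "2013-06-03T13:59:10Z", "b": "2013-06-03T13:59:10Z"},
]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records):
    """Flatten records into one event per (timestamp, path), mactime-style.

    When several of a file's timestamps coincide they collapse into a single
    event whose flag string shows which ones matched, e.g. 'm.cb' when the
    modified, changed and born times are identical and only access differs.
    The result is sorted chronologically regardless of directory structure.
    """
    events = {}
    for rec in records:
        for flag in "macb":
            key = (parse_ts(rec[flag]), rec["path"])
            events.setdefault(key, set()).add(flag)
    timeline = []
    for (ts, path), flags in events.items():
        macb = "".join(f if f in flags else "." for f in "macb")
        timeline.append((ts, macb, path))
    timeline.sort()
    return timeline


def filter_window(timeline, start, end):
    """Keep only events inside [start, end]: the scoping step that spares the
    examiner from reading every entry on a large drive."""
    s, e = parse_ts(start), parse_ts(end)
    return [ev for ev in timeline if s <= ev[0] <= e]


def format_timeline(timeline):
    """Render events as one line each: timestamp, MACB flags, path."""
    return "\n".join(f"{ts.isoformat()} {macb} {path}" for ts, macb, path in timeline)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS)
    print(format_timeline(tl))
    print("--- scoped to 2013-06-03 13:55:00 .. 14:00:00 UTC ---")
    print(format_timeline(filter_window(tl, "2013-06-03T13:55:00Z", "2013-06-03T14:00:00Z")))
```

Running the script prints the full six-event timeline and then the three events that fall inside the five-minute window, which is exactly the view an examiner wants when a question is "what happened on this drive around 13:59 that day" rather than "what is in this directory". Real tools add far more event sources (registry, browser history, logs) but the sort-then-scope shape is the same.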

This project will focus on creating timelines using the many different timeline automation tools, along with creating how-to guides for each of the tools. One of the major tools that comes to mind when timeline analysis is discussed is Kristinn Gudjonsson’s Log2Timeline. This tool is an open source forensic tool commonly found in Linux virtual appliances and distributions such as SIFT, TAPEWORM, and DEFT. These open source suites carry pre-installed and pre-configured forensic tools such as Log2Timeline, RegRipper, and Bulk Extractor to make open source tools more readily available for use. SIFT contains both Log2Timeline in its original form and a custom-built version for timeline creation. This SIFT version is extremely popular as an open source alternative for timeline analysis. TAPEWORM contains a unique version of Log2Timeline: it uses the same original version found in SIFT, but automates the timeline creation process through a graphical user interface, eliminating typos and speeding up timeline creation with Log2Timeline. These two implementations of Log2Timeline will be vetted in this project, as they each have unique characteristics for using the tool. In addition to running it on the Linux platforms mentioned above, it will also be installed and run in a Windows 7 environment, as it is advertised as a cross-platform tool.

Guidance Software also has timeline functionality within its flagship software, EnCase, used by many forensic analysts in everyday analysis. Two versions of EnCase are popular right now: 6.19 and the newly released EnCase 7. Both versions contain a timeline function that provides a different view of the files on the drive. In addition to the included EnCase interface, I will be using an EnScript (an EnCase script that automates EnCase functions) written by Geoff Black to generate a timeline report. This timeline EnScript is popular with EnCase users who utilize the timeline technique yet prefer to stay on the EnCase platform. AccessData recently released a new version of its popular Forensic Toolkit, version 4. This suite has a wide range of functionality and includes a timeline feature. The project scope will focus on using and comparing the different timeline tools offered in the forensic community, including EnCase versions 6.19 and 7, Geoff Black’s Timeline EnScript, and FTK v4.

-Chapin Bryce
