This week the timelines project has taken a shift from the popular Log2Timeline framework to look into other options for timeline creation across other forensic tools. With a focus on EnCase for this stage of the project, the timeline features of EnCase 6.19 and EnCase 7 will be under evaluation for comparison. In addition to the bundled EnCase timeline creation features we will also be evaluating an EnScript known for it’s timeline creation ability, Geoff Black’s Timeline Report v1.8.1.
After downloading it from http://geoffblack.com/forensics/, we copied the EnScript to our EnScript folder located: C:\Program Files\EnCase6\EnScript, and opened a case to test the features offered by this tool. Before running the EnScript across a partition of FIRE.E01, also used in the Log2Timeline section, we ran file mounter across the Windows, Mac, and Linux partitions to ensure all of the entries would be correctly identified by the tool. Once the file mounter completed, the Timeline Report EnScript was run against the partitions for a specific date with known user activity on the partition. The dates chosen for examination include internet history and one other application usage, such as installation or accessing/modifying files, that demonstrate user activity.
The EnScript has some interesting options, including the ability to create reports for Firefox and Internet Explorer, in addition to the CSV formatted output, as well as custom select fields and date and time frames for analysis. The reports are generated in CSV format, though they can be exported as HTML documents for Firefox and/or Internet Explorer. Overall, this EnScript is easy to run and produces an easy to read report in HTML or CSV format allowing fast and precise timeline analysis.
-Chapin Bryce