It has been busy at the LCDI, and we have been focusing on the timeline feature in EnCase and Forensic Tool Kit. Since we have already looked into Log2Timeline, it is hard to compare it with these other tools, which are not as focused on timeline creation as that task-specific open-source tool is. With that said, here are our findings on the timeline capabilities of EnCase and Forensic Tool Kit.
EnCase 6.19 has a timeline tab within the main interface. Clicking on the timeline tab displays a horizontally scrolling grid calendar. Using zoom in and out, the grid can be focused on a specific date or time. EnCase 6.19 also allows a specific date to be entered so that the user does not have to find the range by scrolling. The timeline displays the color-coded MAC times on the grid for the files on the drive. It is good practice to expand compound files to make sure that the time data from the files inside them is fully explored. Once everything is expanded, it can be easily explored. EnCase 6.19 does not have a clear way to export this timeline view, though. For this reason, the timeline should be used within EnCase 6.19 as a method to discover relevant user-generated data, not as a reporting tool. EnCase 7 has a timeline feature similar to that of EnCase 6.19 and offers similar functionality, with an updated interface. Still, we have yet to find a built-in reporting feature within EnCase 7. In comparison with Log2Timeline, the EnCase timeline feature is not meant for preprocessing, which is where the Log2Timeline tool excels.
EnCase does support EnScripts that do an excellent job with reporting; read our previous post all about the timeline EnScript (http://computerforensics.champlain.edu/blog/enscripted-timelines). Forensic Tool Kit is on the burner for next week, so stay tuned as we explore more about AccessData’s flagship software!