Abstract
As networked electronic devices become more widely used, their involvement in crimes increases as well. Extracting probative evidence from these devices requires experienced digital forensic practitioners to use specialized tools that interpret the raw binary data present in digital media. Once the evidentiary artifacts have been collected, an important goal of the practitioner is to assemble a narrative describing when the events of interest occurred, based on the timestamps of the artifacts; a timeline that merges every timestamped artifact on a system is known as a super timeline. Unfortunately, generating and evaluating super timelines is a manual and labor-intensive process. This paper describes a technique that aids the practitioner by generating queries that extract and connect the temporal artifacts and produce concise timelines. Applying the queries to a simulated incident demonstrates their ability to reduce the number of artifacts from hundreds of thousands to a few hundred or fewer, and to facilitate understanding of the activities surrounding the incident.
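The abstract describes queries that pull temporal artifacts out of a super timeline, connect them, and leave a concise timeline. The following Python script is an added illustration of that kind of query-driven reduction; it is not the paper's queries or code. It assumes the column layout of log2timeline's l2t CSV output, and every row, host name, user, URL and file name in it is constructed for the example (the 1,000 filler rows stand in for the bulk of a real super timeline, which the abstract puts at hundreds of thousands of artifacts).

```python
"""Added example (not from the paper): query-driven reduction of a log2timeline-style
super timeline to a concise timeline around a pivot event.

Rows mirror the l2t CSV column layout but are constructed, not real case artifacts.
Timestamps are assumed to be UTC already (the timezone column is not converted).
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed seed artifacts: a tool download, its file creation, a UserAssist execution
# and a prefetch entry, plus a logon and an unrelated file modification for contrast.
SEED_CSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc
10/05/2012,13:59:12,UTC,....,LOG,Windows Security,Event Logged,,ws01,Logon,EventID 4624 logon type 10 user alice
10/05/2012,14:01:05,UTC,.A..,WEBHIST,IE History,Last Visited,alice,ws01,nc.zip,http://example.test/tools/nc.zip
10/05/2012,14:01:09,UTC,...B,FILE,NTFS $MFT,Created,,ws01,nc.zip,C:\Users\alice\Downloads\nc.zip
10/05/2012,14:02:30,UTC,.A..,REG,UserAssist,Last Time Executed,alice,ws01,nc.exe,C:\Users\alice\Downloads\nc.exe run count 1
10/05/2012,14:02:31,UTC,...B,FILE,NTFS $MFT,Created,,ws01,NC.EXE-1A2B3C4D.pf,C:\Windows\Prefetch\NC.EXE-1A2B3C4D.pf
10/05/2012,14:03:00,UTC,M...,FILE,NTFS $MFT,Content Modification,,ws01,notepad.exe,C:\Windows\System32\notepad.exe
"""

L2T_TS = "%m/%d/%Y %H:%M:%S"
DAY = datetime(2012, 10, 5)                 # day covered by the constructed timeline
PIVOT = datetime(2012, 10, 5, 14, 2, 30)    # UserAssist execution of nc.exe (constructed)


def parse_l2t(text):
    """Parse l2t CSV text into dicts, adding a 'ts' datetime built from date and time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", L2T_TS)
        rows.append(row)
    return rows


def make_noise(n, day):
    """Constructed filler: n unrelated $MFT modification rows spread evenly over one day."""
    step = timedelta(days=1) / n
    return [{"ts": day + step * i, "MACB": "M...", "source": "FILE",
             "sourcetype": "NTFS $MFT", "type": "Content Modification", "user": "",
             "host": "ws01", "short": f"sys{i}.dll",
             "desc": rf"C:\Windows\System32\sys{i}.dll"} for i in range(n)]


def in_window(rows, pivot, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Query 1: keep only artifacts inside [pivot - before, pivot + after]."""
    return [r for r in rows if pivot - before <= r["ts"] <= pivot + after]


def mentions(rows, term):
    """Query 2: follow a pivot term (file stem, user, host) across artifact types by
    matching it as a whole word in the short or long description, case-insensitively."""
    pat = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    return [r for r in rows if pat.search(r["short"]) or pat.search(r["desc"])]


def concise_timeline(rows, pivot, term, verbose_sources=("FILE",)):
    """Combine the queries: inside the window keep every artifact from sparse sources
    (logs, registry, browser history) but keep rows from high-volume sources such as
    the file system only when they connect to the pivot term."""
    window = in_window(rows, pivot)
    linked = {id(r) for r in mentions(window, term)}
    kept = [r for r in window if r["source"] not in verbose_sources or id(r) in linked]
    return sorted(kept, key=lambda r: r["ts"])


def render(rows):
    """One line per artifact: timestamp, MACB flags, source, source type, description."""
    return [f"{r['ts']:%Y-%m-%d %H:%M:%S} {r['MACB']} {r['source']:<8} "
            f"{r['sourcetype']:<18} {r['desc']}" for r in rows]


if __name__ == "__main__":
    timeline = parse_l2t(SEED_CSV) + make_noise(1000, DAY)
    concise = concise_timeline(timeline, PIVOT, "nc")
    print(f"{len(timeline)} artifacts -> {len(in_window(timeline, PIVOT))} in window "
          f"-> {len(concise)} in concise timeline")
    print("\n".join(render(concise)))
```

The two queries do different jobs: the time window cuts the bulk of unrelated activity, and the term match keeps only those high-volume file-system rows that connect to the event chain, so the download, file creation, execution and prefetch entries line up as one narrative while the unrelated notepad.exe modification inside the window drops out. On a real super timeline the window, the verbose source list and the pivot term are the knobs the practitioner tunes; on timestomped files the $MFT timestamps themselves may be wrong, so a chain like this should be cross-checked against sources that are harder to alter, such as event logs and prefetch.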
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Esposito, S., Peterson, G. (2013). Creating Super Timelines in Windows Investigations. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX. DigitalForensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_9
DOI: https://doi.org/10.1007/978-3-642-41148-9_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41147-2
Online ISBN: 978-3-642-41148-9
eBook Packages: Computer Science, Computer Science (R0)