Creating Super Timelines in Windows Investigations

Abstract

As the applications and adoption of networked electronic devices grow, their use in conjunction with crimes also increases. Extracting probative evidence from these devices requires experienced digital forensic practitioners to use specialized tools that help interpret the raw binary data present in digital media. After the evidentiary artifacts are collected, an important goal of the practitioner is to assemble a narrative that describes when the events of interest occurred based on the timestamps of the artifacts. Unfortunately, generating and evaluating super timelines is a manual and labor-intensive process. This paper describes a technique that aids the practitioner in this process by generating queries that extract and connect the temporal artifacts, and produce concise timelines. Application of the queries to a simulated incident demonstrates their ability to reduce the number of artifacts from hundreds of thousands artifacts to a few hundred or less, and to facilitate the understanding of the activities surrounding the incident. © IFIP International Federation for Information Processing 2013.