Wednesday, 28 October 2009

Forensic timelines

Although retrieving data is the core aim of a forensic investigation, and existing tools have more power than the average investigator is likely to use, they are still lacking in some areas. As a simple example, if we wished to trace the actions on a PC during a certain time period, the majority of the tools that currently exist are simply not geared up to give this level of detail.

The main issue is that the concept of a 'date' exists in multiple places within a single PC:
  • File creation / modification / last access
  • Visit to a website
  • The last time a particular registry key was accessed
  • When a particular USB stick was last used on the PC
  • When a photograph was taken

In the last case, the fundamental point is that when the photograph was taken it was not yet on the PC at all. Recovering this information requires more than access to the file system itself; it needs an application that understands file types and can 'look inside' the files.

By writing a system that can look inside files, and in doing so map out the dates associated with any particular object, it should be possible to build a 'forensic timeline' of the usage of that computer. This timeline will never be complete and, at times, may be inaccurate, but as long as these limitations are known and handled it will still be a useful tool in the investigator's arsenal.
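As an added example (not code from this post or from any of the tools it mentions), the following Python sketch shows the two pieces described above: a parser that 'looks inside' a file for its EXIF timestamp instead of trusting file-system dates, and a merge step that normalises events from several sources into one timeline while flagging timestamps whose time zone is unknown. The EXIF blob, tag layout, file names and epoch times are constructed sample data; the builder emits a minimal TIFF so the parser can be exercised offline.

```python
import struct
from datetime import datetime, timezone
TAG_DATETIME, TAG_EXIF_IFD, TAG_DATETIME_ORIGINAL = 0x0132, 0x8769, 0x9003

def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, value_or_offset)} for the IFD at `offset`."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    return {e[0]: e[1:] for e in (struct.unpack_from(bo + "HHII", tiff, offset + 2 + 12 * i) for i in range(n))}

def exif_capture_time(tiff):
    """DateTimeOriginal (fallback: DateTime) from a TIFF/EXIF blob; EXIF carries no zone, so the result is naive."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None:
        return None                                   # not a TIFF header: no date available
    (ifd0_off,) = struct.unpack_from(bo + "I", tiff, 4)
    tags = _read_ifd(tiff, ifd0_off, bo)
    if TAG_EXIF_IFD in tags:                          # follow the pointer to the Exif sub-IFD
        tags.update(_read_ifd(tiff, tags[TAG_EXIF_IFD][2], bo))
    for tag in (TAG_DATETIME_ORIGINAL, TAG_DATETIME):
        typ, cnt, off = tags.get(tag, (0, 0, 0))
        if typ == 2 and cnt > 4:                      # ASCII value, stored out of line
            text = tiff[off:off + cnt].rstrip(b"\x00").decode("ascii", "replace")
            try:
                return datetime.strptime(text, "%Y:%m:%d %H:%M:%S")
            except ValueError:
                continue                              # malformed value: try the next tag
    return None

def make_exif_blob(text):
    """Constructed sample: little-endian TIFF whose IFD0 holds a single DateTime entry."""
    value = text.encode("ascii") + b"\x00"
    entry = struct.pack("<HHII", TAG_DATETIME, 2, len(value), 26)   # value data sits at 8+2+12+4
    return b"II" + struct.pack("<HI", 0x2A, 8) + struct.pack("<H", 1) + entry + struct.pack("<I", 0) + value

def build_timeline(events):
    """Merge (source, when, detail) rows into one UTC-sorted list; naive timestamps are flagged."""
    rows = []
    for source, when, detail in events:
        if when is None:
            continue                                  # source yielded no usable date
        zone = "utc" if when.tzinfo else "zone-unknown"
        when = when.astimezone(timezone.utc) if when.tzinfo else when.replace(tzinfo=timezone.utc)
        rows.append((when, source, detail, zone))
    return sorted(rows)

SAMPLE_EVENTS = [  # constructed events standing in for three of the date sources listed above
    ("fs-mtime", datetime.fromtimestamp(1256734800, timezone.utc), "IMG_001.jpg modified"),
    ("browser", datetime.fromtimestamp(1256720400, timezone.utc), "visited example.com"),
    ("exif", exif_capture_time(make_exif_blob("2009:10:25 14:30:00")), "IMG_001.jpg captured"),
]
```

In the sample the EXIF capture time sorts before the file's own modification time, which is exactly the 'not yet on the PC' case the post describes; the `zone-unknown` flag records that the EXIF value was assumed to be UTC.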

Others have also realised this; Olsson and Boldt have documented the development process behind CyberForensics TimeLab in Digital Investigation. However, their software is still very much a prototype with a basic user interface and a lack of output options; these elements alone are ripe for improvement.
