X-Ways 16.9 Timeline Support

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

TuckerHST
Senior Member
 

X-Ways 16.9 Timeline Support

Posted: Feb 07, 13 03:40

The new Event List feature of X-Ways 16.9 (released today) makes timeline analysis much easier.

It's unfortunate that file system timestamps in the Event List bear a precision of whole seconds, as it's sometimes helpful to identify files possibly originating on FAT vs NTFS/HFS+. I left a message to this effect in the X-Ways forum.

Nevertheless, I like the direction X-Ways is heading.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 
 
  
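Scott's point about whole-second precision, as an added Python example that is not from the thread or from X-Ways: timestamps are held as 100 ns ticks since the Unix epoch (the NTFS FILETIME unit) and each candidate file system field is checked for whether its native granularity divides the value exactly. The granularity table and the function names are constructed for this illustration; confirm field granularities against the file system documentation before relying on them in a case.

```python
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000  # 100 ns ticks, the NTFS FILETIME unit
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Native granularity of on-disk timestamp fields, in 100 ns ticks.
# FAT keeps the last-write time to 2 s, the creation time to 10 ms and the
# last-access time as a date only; HFS+ keeps whole seconds; NTFS keeps
# 100 ns ticks. Constructed table for this example.
GRANULARITY_TICKS = {
    "FAT last-write": 2 * TICKS_PER_SECOND,
    "FAT creation": TICKS_PER_SECOND // 100,
    "FAT last-access": 86_400 * TICKS_PER_SECOND,
    "HFS+": TICKS_PER_SECOND,
    "NTFS": 1,
}


def to_ticks(dt, extra_ticks=0):
    """Convert an aware UTC datetime to 100 ns ticks since the epoch.
    Python datetimes stop at microseconds, so the last digit of a
    100 ns value (0-9) is passed separately as extra_ticks."""
    delta = dt - EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10 + extra_ticks


def consistent_storage(ticks):
    """Fields whose native granularity divides the value exactly, i.e. that
    could have held this timestamp without rounding it."""
    return sorted(name for name, g in GRANULARITY_TICKS.items() if ticks % g == 0)


def truncate(ticks, unit_ticks):
    """Drop everything below unit_ticks, as a whole-second display does."""
    return ticks - ticks % unit_ticks


def precision_loss_report(ticks):
    """Candidates before and after truncation to one second: the set only
    ever grows, which is the signal a whole-second event list throws away."""
    return {
        "full": consistent_storage(ticks),
        "whole_second": consistent_storage(truncate(ticks, TICKS_PER_SECOND)),
    }


if __name__ == "__main__":
    # Constructed sample: an NTFS-style timestamp with sub-second residue.
    sample = to_ticks(datetime(2013, 2, 7, 3, 40, 15, 123456, tzinfo=timezone.utc),
                      extra_ticks=7)
    print(precision_loss_report(sample))
```

With the residue intact only NTFS could have stored the sample natively; once it is shown to the second, the odd seconds value still excludes a FAT last-write time, but an even one would be consistent with every field in the table.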

Adam10541
Senior Member
 

Re: X-Ways 16.9 Timeline Support

Posted: Feb 07, 13 06:51

I haven't had a play with this yet but I remember asking for a timeline quite a few years back and being told it was a very low priority.....Stefan wasn't kidding!

Am I wrong in assuming you can select certain files, then produce a timeline graphic or report for those files?  
 
  

TuckerHST
Senior Member
 

Re: X-Ways 16.9 Timeline Support

Posted: Feb 07, 13 07:43

Adam, in Refine Volume Snapshot, in the options associated with "Extract internal metadata, browser history and events" are two checkboxes, as follows:

[ ] Provide file system level timestamps as events
[ ] Provide internal timestamps as events

Obviously, you would have to check those. Then, when Refine Volume Snapshot is finished, you can view the Events table by clicking the clock icon. This was a little confusing to me at first. The clock icon is just above the preview pane, to the right of the binoculars icon that toggles the view between a directory listing and search hits. Events works in a similar way and when selected, displays the events gathered during Refine Volume Snapshot. Once the Events list is displayed, you can sort, filter, and export.

The feature is a little buggy (e.g., the first few column headings in the exported text file are incorrect). It's also limited in terms of what events get identified, the details associated with them (e.g., the "Visited" event simply refers to Index.dat with no further details as to which URL was visited), the control over filtering (i.e., can't filter on Event Type and Category), and, as regards file system metadata, lacking precision beyond whole seconds. Nevertheless, it's a good start.

I've only been exploring it for a couple of hours, so it's possible I've missed a few things. YMMV.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 
 
  

EricZimmerman
Senior Member
 

Re: X-Ways 16.9 Timeline Support

Posted: Feb 07, 13 20:44

Remember the new events thing is more metadata driven, else we could just use the previously existing calendar mode.

It is a new approach from the traditional timeline related stuff with MAC dates from the file system in that all the internal dates and times are extracted and used in addition to the classic timeline stuff.

Which column headers did you notice were incorrect on export?

I was able to see precision lower than 1 second if Options | General | Notation | Seconds was checked. By default it's 3 decimals after the second and that's the highest it can be.

I am sure we will see constant improvement in Service releases as people start using 16.9 full time.  
 
  
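Eric's description of the Events list (file system timestamps and internal timestamps merged into one list, which Scott's earlier post says can be sorted, filtered and exported), as an added Python example. This is not X-Ways code: the Event class, the sample snapshot entries, the column names and the fraction-digit setting are all constructed for illustration, the last standing in for the Notation | Seconds option. The filter covers both Event Type and Category, a "Visited" event carries its URL as a detail, and the export writes a header row that matches the columns it emits.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import csv
import io

UTC = timezone.utc


@dataclass(frozen=True, order=True)
class Event:
    timestamp: datetime
    path: str
    event_type: str   # e.g. "Modified", "Last Printed", "Visited"
    category: str     # "File system" or "Internal"
    detail: str = ""  # e.g. the URL behind a "Visited" event


# Constructed sample entries (not real evidence): NTFS-style file system
# timestamps plus timestamps parsed from the file's own contents.
SAMPLE_ENTRIES = [
    {
        "path": r"\Users\scott\report.docx",
        "fs": {
            "Created": datetime(2013, 2, 5, 9, 12, 3, 250000, tzinfo=UTC),
            "Modified": datetime(2013, 2, 6, 17, 45, 10, 5000, tzinfo=UTC),
            "Record changed": datetime(2013, 2, 6, 17, 45, 10, 5000, tzinfo=UTC),
            "Accessed": datetime(2013, 2, 7, 3, 40, 15, tzinfo=UTC),
        },
        "internal": [("Last Printed", datetime(2013, 2, 6, 16, 30, 0, tzinfo=UTC), "app.xml")],
    },
    {
        "path": r"\Users\scott\index.dat",
        "fs": {
            "Created": datetime(2013, 2, 1, 8, 0, 0, tzinfo=UTC),
            "Modified": datetime(2013, 2, 6, 12, 0, 31, tzinfo=UTC),
            "Record changed": datetime(2013, 2, 6, 12, 0, 31, tzinfo=UTC),
            "Accessed": datetime(2013, 2, 7, 3, 39, 0, tzinfo=UTC),
        },
        "internal": [("Visited", datetime(2013, 2, 6, 12, 0, 30, 123000, tzinfo=UTC),
                      "http://example.com/page")],
    },
]


def file_system_events(entry):
    return [Event(ts, entry["path"], name, "File system") for name, ts in entry["fs"].items()]


def internal_events(entry):
    return [Event(ts, entry["path"], name, "Internal", detail)
            for name, ts, detail in entry["internal"]]


def build_event_list(entries, include_fs=True, include_internal=True):
    """Flatten per-file timestamps into one chronologically sorted list; the
    two flags play the role of the two 'Provide ... as events' checkboxes."""
    events = []
    for entry in entries:
        if include_fs:
            events.extend(file_system_events(entry))
        if include_internal:
            events.extend(internal_events(entry))
    return sorted(events)


def filter_events(events, event_type=None, category=None):
    """Filter on Event Type and/or Category; None leaves that axis open."""
    return [e for e in events
            if (event_type is None or e.event_type == event_type)
            and (category is None or e.category == category)]


def format_timestamp(ts, fraction_digits=3):
    """UTC text; 0 gives a whole-second display, 3 milliseconds (datetime
    caps at 6 digits)."""
    text = ts.strftime("%Y-%m-%d %H:%M:%S")
    digits = max(0, min(6, fraction_digits))
    if digits:
        text += "." + f"{ts.microsecond:06d}"[:digits]
    return text


HEADERS = ["Timestamp (UTC)", "Type", "Category", "Detail", "Path"]


def export_tsv(events, fraction_digits=3):
    """Tab-separated export whose header row names exactly the columns written."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(HEADERS)
    for e in events:
        writer.writerow([format_timestamp(e.timestamp, fraction_digits),
                         e.event_type, e.category, e.detail, e.path])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_tsv(filter_events(build_event_list(SAMPLE_ENTRIES), category="Internal")))
```

Sorting on the dataclass compares the timestamp first and then the path and type, so two events at the same instant still come out in a stable order, which matters when an examiner diffs two exports.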

TuckerHST
Senior Member
 

Re: X-Ways 16.9 Timeline Support

Posted: Feb 08, 13 00:56

Eric, thanks for the tip about millisecond precision. I'll try that out. As for the column heading bug, I'll document an example and post it. The Events feature is obviously preliminary (it barely scratches the surface), but I really like the approach.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 
 
  

EricZimmerman
Senior Member
 

Re: X-Ways 16.9 Timeline Support

Posted: Feb 08, 13 00:57

I was able to replicate the bug. I believe Stefan already has it fixed. I'd expect an SR in the next day or so =)

each SR will most likely add more artifacts to the timeline as well.

good stuff!  
 
  

TuckerHST
Senior Member
 

Re: X-Ways 16.9 Timeline Support

Posted: Feb 08, 13 01:09

What would be really helpful would be thorough documentation of what events are gathered into the Events table. For example, the internal metadata in Office files (e.g., Last Printed) seems like low-hanging fruit. However, in my test, I didn't see any Last Printed events. Accordingly, I don't know whether the feature is buggy or X-Ways isn't attempting to gather that data yet.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 
 

Page 1 of 2