
Difference between revisions of "Timeline Analysis"

From ForensicsWiki
m (Timeline formats)
 
(27 intermediate revisions by 8 users not shown)
Line 1: Line 1:
; [[Zeitline]] Forensic timeline editor
+
== Timeline formats ==
 +
* [[body file]]
 +
* [[L2T CSV]]
 +
* [[mactime]]
 +
* [[TLN]]
 +
 
 +
==Bibliography==
 +
===Papers===
 +
* [http://forensicfocus.files.wordpress.com/2012/08/generating-computer-forensic-supertimelines-under-linux-a-comprehensive-guide-for-windows-based-disk-images1.pdf Generating computer forensic supertimelines under Linux - A comprehensive guide for Windows-based disk images], by R. Carbone, C. Bean, August 2012
 +
* J. Olsson, M. Boldt, [http://www.dfrws.org/2009/proceedings/p78-olsson.pdf "Computer forensic timeline visualization tool"], ScienceDirect Digital Investigation, Volume 6, September 2009
 +
* Jewan Bang, BY Yoo, JS Kim, SJ Lee, [http://forensic.korea.ac.kr/research/Conference/Analysis_of_Time_Information_for_Digital_Investigation.pdf "Analysis of Time Information for Digital Investigation"], NCM 2009, 5th International Joint Conference on INC, IMS, IDC, August 2009
 +
* S. Willassen, [http://www.igi-global.com/articles/details.asp?ID=33298 "A Model Based Approach to Timestamp Evidence Interpretation"], International Journal of Digital Crime and Forensics, 1:2, 2009
 +
* Olsson, Jens [http://www.bth.se/fou/cuppsats.nsf/bbb56322b274389dc1256608004f052b/2e5256fe7d0e57d5c12574bd0072d894!OpenDocument Digital Evidence with an Emphasis on Time],  Master's Thesis, Blekinge Institute of Technology, September 2008.
 +
* R. Koen, M. Olivier, [http://icsa.cs.up.ac.za/issa/2008/Proceedings/Full/43.pdf "The Use of File Timestamps in Digital Forensics"], ISSA 2008, Johannesburg, South Africa, July 2008
 +
* S. Willassen, [http://www.diva-portal.org/ntnu/abstract.xsql?dbid=2145 "Methods for Enhancement of Timestamp Evidence in Digital Investigations"], PhD Dissertation, Norwegian University of Science and Technology, 2008
 +
* S. Willassen, [http://www.willassen.no/svein/pub/ares08.pdf "Finding Evidence of Antedating in Digital Investigations"], ARES 2008, Barcelona, Spain, March 2008
 +
* S. Willassen, [http://www.willassen.no/svein/pub/ifip08.pdf "Hypothesis Based Investigation of Digital Timestamp"], 4th IFIP WG 11.9 Workskop on Digital Evidence, Kyoto, Japan, January 2008
 +
* S. Willassen, [http://www.willassen.no/svein/pub/efor08.pdf "Timestamp Evidence Correlation by model based clock hypothesis testing"], E-Forensics 2008, Adelaide, Australia, January 2008
 +
* F. Buchholz, [http://www.infosec.jmu.edu/reports/jmu-infosec-tr-2007-001.pdf "An Improved Clock Model for Translating Timestamps"], JMU-INFOSEC-TR-2007-001, James Madison University
 +
* F. Buchholz, B. Tjaden, [http://www.dfrws.org/2007/proceedings/p31-buchholz.pdf "A brief study of time"], Digital Investigation 2007:4S
 +
* K. Chow, F. Law, M. Kwan, P. Lai, [http://i.cs.hku.hk/~cisc/forensics/papers/RuleOfTime.pdf "The Rules of Time on NTFS File System"], 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
 +
* B. Schatz, G. Mohay, A. Clark, [http://www.dfrws.org/2006/proceedings/13-%20Schatz.pdf "A correlation method for establishing provenance of timestamps in digital evidence"], Digital Investigation 2006:3S
 +
* P. Gladyshev, A. Patel, [http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf "Formalizing Event Time Bouding in Digital Investigation"], International Journal of Digital Evidence, vol 4:2, 2005
 +
* C. Boyd, P. Forster, "Time and Date issues in forensic computing - a case study", Digital Investigation 2004:1
 +
* M.W. Stevens, "Unification of relative time frames for digital forensics", Digital Investigation 2004:1
 +
* [http://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921-1DA3-EB227EE7F61F2053.pdf "Dynamic Time & Date Stamp Analysis"], M .C. Weil, International Journal of Digital Evidence, vol 1:2, 2002
 +
 
 +
* [http://infoviz.pnl.gov/pdf/themeriver99.pdf ThemeRiver: In Search of Trends, Patterns, and Relationships], Susan Havre, Beth Hetzler, and Lucy Nowell, Battelle Pacific Northwest Division, Richland, Washington, 1999
 +
* [http://www.conceptsymbols.com/web/publications/2003_timelines.pdf Timeline Visualization of Research Fronts], Steven A. Morris2, G. Yen, Zheng Wu, Benyam Asnake , School of Electrical and Computer Engineering, Oklahoma State University, Stillwater, Oklahoma. 2003
 +
* [http://well-formed-data.net/archives/26/visualizing-gaps-in-time-based-lists Visualizing gaps in time-based lists], Moritz Stefaner, November 6, 2000
 +
 
 +
== Tools ==
 +
; [[Aftertime]] - Java based application for creating timelines
 +
: http://www.holmes.nl/NFIlabs/Aftertime/index.html
 +
 
 +
; [[log2timeline]] - An artifact timeline creation and analysis framework
 +
: http://log2timeline.net
 +
: https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/
 +
: https://blogs.sans.org/computer-forensics/2009/08/14/artifact-timeline-creation-and-analysis-part-2/
 +
 
 +
; [[Plaso]] - A toolbox based on log2timeline providing tools to create and analyze timelines
 +
: http://plaso.kiddaland.net/
 +
 
 +
; [[PTK]] has a timeline analysis tool.
 +
 
 +
; [[Simile Timeline and Timeplot]]
 +
: http://code.google.com/p/simile-widgets/
 +
 
 +
; [[sorter]] - [[Sleuthkit]]'s [[MAC times]] sorting program.
 +
 
 +
; [[TimeFlow]] - Visual timelines for investigation - source freely available
 +
https://github.com/FlowingMedia/TimeFlow/wiki/
 +
 
 +
; [[Timesketch]] - tool for collaborative forensic timeline analysis
 +
: http://www.timesketch.org/
 +
 
 +
; [[Zeitline]] - Forensic timeline editor
 
: http://projects.cerias.purdue.edu/forensics/timeline.php
 
: http://projects.cerias.purdue.edu/forensics/timeline.php
 
: http://sourceforge.net/projects/zeitline/
 
: http://sourceforge.net/projects/zeitline/
  
; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.
+
== External Links ==
 
+
* http://www.timeforensics.com/
  
 
[[Category:Tools]]
 
[[Category:Tools]]
 +
[[Category:Bibliographies]]
 +
[[Category:Timeline Analysis]]
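Review bot: the Tools block now lists [[sorter]] twice: the added line `; [[sorter]] - [[Sleuthkit]]'s [[MAC times]] sorting program.` duplicates the pre-existing `; [[sorter]] — [[Sleuthkit]]'s [[MAC times]] sorting program.` that survives below the [[Zeitline]] entry, so one of the two should go (keeping the plain hyphen used by every other entry, not the em dash). In the same block the [[TimeFlow]] URL is the only link not prefixed with `:`, so it will not render as a definition-list item like its neighbours; it should read `: https://github.com/FlowingMedia/TimeFlow/wiki/`. Two paper titles in the Papers list carry typos worth fixing in the same edit: "Workskop" in the Willassen IFIP WG 11.9 entry should be "Workshop", and "Bouding" in the Gladyshev and Patel entry should be "Bounding".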

Latest revision as of 07:51, 4 April 2015
