When you need to quickly narrow the scope of an investigation to the data related to a crime or activity that occurred at a specific time, the Timeline explorer in Magnet AXIOM and Magnet AXIOM Cyber offers an intuitive interface that surfaces time-relevant evidence visually.
Not only can you filter down to a specific time or date range, using absolute or relative time filters, but you can also filter based on artifact type.
Absolute time filters are useful when an examiner is interested in a specific time range—say Monday, August 22, 2022, between 8:00 AM and 10:00 AM. Relative time filters allow an examiner to set an anchor point and filter to a desired period before and after that anchor, including asymmetric offsets—say five minutes before and twenty minutes after a particular event.
Filtering based on artifact type allows you to cut through some of the noise in the dataset to focus on items of importance to an investigation.
Within Timeline explorer, if suspect communications are the primary focus of your investigation, you can filter out the other data, so you only have chats and related metadata during that date range. If you’re searching for malware propagation, Timeline can quickly get you down to the critical moments to see what’s happening at the system level.
Approaching an Investigation From a Timeline Perspective
There are several ways to approach an investigation from a timeline perspective. In AXIOM, you could always transition directly to the timeline view and begin to filter based on artifact type, but the sheer volume of artifacts presented in Timeline can be overwhelming without further context.
The absolute and relative time filtering capabilities in AXIOM provide great flexibility. Perhaps you have information on a case indicating activity of interest during business hours of a certain week. Using the absolute time filtering capabilities within AXIOM, you can quickly get to the artifacts of interest in that case.
The absolute time filter lets examiners apply logic such as all dates before, after, or between given dates. It even offers the option to select weekdays, weekends, or specific days of the week.
Relative time filtering is yet another method for exploring data in the Timeline view in AXIOM. Examiners tell us they often locate an artifact of interest in the Artifact explorer of AXIOM and, using the relative time filtering capability, leverage that artifact as a pivot point into Timeline view. As an example, consider a Microsoft Edge download of a program that violates organization policy, with the download beginning at 5:52:12 AM on 04/FEB/2022.
Using the relative time filter, we can quickly apply a filter to let AXIOM show us only the activity on the system for five (5) minutes before the download began and ten (10) minutes after.
We can quickly pivot to Timeline view, apply an additional filter for program execution using the Timeline categories filter, and determine that the user not only completed the download of the unauthorized program but, based on the Prefetch entries, launched the installer. Windows creates a Prefetch file the first time an executable runs and updates it on later runs, so a Prefetch entry for the installer inside the window is evidence that it executed, not merely that the file was present; the absence of one is weaker evidence, since Prefetch can be disabled (for example on some SSD-backed or server installs).
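The pivot just described, as an added example that is not Magnet AXIOM's code: a small Python super-timeline filter that applies the absolute (date range plus weekday selection), relative (asymmetric window around an anchor) and category filters from the sections above to a handful of constructed artifact rows. The rows, category names, file names and Prefetch hashes are all made up for illustration and do not reproduce AXIOM's exact labels.

```python
"""Added example, not Magnet AXIOM code: absolute, relative and category
filters over a tiny constructed super-timeline, reproducing the pivot
described above (Edge download at 05:52:12 on 2022-02-04, window of
5 minutes before / 10 minutes after, then program-execution artifacts only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Artifact:
    """One row of a super-timeline. Every field here is a constructed value."""
    ts: datetime        # assumed already normalised to a single time zone
    category: str       # assumed category name, not AXIOM's exact label
    artifact: str
    key_detail: str


ANCHOR = datetime(2022, 2, 4, 5, 52, 12)   # the Edge download from the post
BEFORE = timedelta(minutes=5)
AFTER = timedelta(minutes=10)
WEEKDAYS: Set[int] = {0, 1, 2, 3, 4}       # Monday=0 ... Friday=4

# Constructed sample rows around the download (names and hashes are invented).
SAMPLE: List[Artifact] = [
    Artifact(ANCHOR - timedelta(minutes=30), "Web", "Edge Web History", "https://example.invalid/"),
    Artifact(ANCHOR - timedelta(minutes=2), "Web", "Edge Web History", "https://example.invalid/downloads/"),
    Artifact(ANCHOR, "Web", "Edge Downloads", "unapproved-tool-setup.exe"),
    Artifact(ANCHOR + timedelta(minutes=3), "Program execution", "Prefetch", "UNAPPROVED-TOOL-SETUP.EXE-0A1B2C3D.pf"),
    Artifact(ANCHOR + timedelta(minutes=4), "Program execution", "UserAssist", "unapproved-tool-setup.exe"),
    Artifact(ANCHOR + timedelta(minutes=25), "Program execution", "Prefetch", "NOTEPAD.EXE-11223344.pf"),
    Artifact(datetime(2022, 2, 5, 10, 0, 0), "Chat", "Chat message", "weekend message"),  # a Saturday
]


def absolute_filter(rows: Iterable[Artifact], start: Optional[datetime] = None,
                    end: Optional[datetime] = None,
                    weekdays: Optional[Set[int]] = None) -> List[Artifact]:
    """Keep rows with start <= ts <= end (either bound optional) and, when
    weekdays is given, only rows falling on those days. Result is time-sorted."""
    out = []
    for r in rows:
        if start is not None and r.ts < start:
            continue
        if end is not None and r.ts > end:
            continue
        if weekdays is not None and r.ts.weekday() not in weekdays:
            continue
        out.append(r)
    return sorted(out, key=lambda r: r.ts)


def relative_filter(rows: Iterable[Artifact], anchor: datetime,
                    before: timedelta, after: timedelta) -> List[Artifact]:
    """Keep rows within [anchor - before, anchor + after]; the two offsets may differ."""
    return absolute_filter(rows, start=anchor - before, end=anchor + after)


def category_filter(rows: Iterable[Artifact], categories: Set[str]) -> List[Artifact]:
    """Keep only rows whose category is in the requested set (order preserved)."""
    return [r for r in rows if r.category in categories]


def pivot_from_artifact(rows: Iterable[Artifact], anchor: datetime, before: timedelta,
                        after: timedelta, categories: Set[str]) -> List[Artifact]:
    """The pivot described above: relative window around the anchor artifact,
    then narrow to the categories of interest (e.g. program execution)."""
    return category_filter(relative_filter(rows, anchor, before, after), categories)


if __name__ == "__main__":
    for r in relative_filter(SAMPLE, ANCHOR, BEFORE, AFTER):
        print(r.ts.isoformat(), r.category, r.artifact, r.key_detail)
    execs = pivot_from_artifact(SAMPLE, ANCHOR, BEFORE, AFTER, {"Program execution"})
    print(len(execs), "execution artifact(s) inside the window")
```

Running the block lists the four rows inside the 15-minute window and reports the two execution artifacts (the installer's Prefetch and UserAssist entries); the later Notepad Prefetch entry and the Saturday chat message fall outside it, and `absolute_filter(SAMPLE, weekdays=WEEKDAYS)` drops the Saturday row on its own.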
These are just two examples, shared by other examiners, of using filters to locate information faster within Timeline in AXIOM. Timeline is an incredibly powerful feature within AXIOM, and methods that cut through the noise and reduce the volume of data so examiners can focus on the activity relevant to an investigation are particularly helpful.
If you’re interested in Timeline explorer and you haven’t tried Magnet AXIOM, you can request a free trial now. If you’re already a customer, upgrade to the latest version over at the customer portal.
Other Ways Timeline Explorer Might Help
Timeline explorer allows you to cut through non-relevant case data and creates a visualization of your evidence based on the dates and timestamps available in your evidence sources. This includes timestamps reported by the file system and any timestamps parsed or carved from the artifacts in your case.
One of the unique aspects of Timeline explorer is that it incorporates a multi-artifact view, which automatically helps to surface the most case-relevant data.
For example, Timeline explorer highlights the Date/time, Timeline Category, Artifact, and then Key Detail for that artifact, supporting detail, and additional detail. Depending on the artifact, the information surfaced could be different.
For some chat artifacts, the key detail may be the sender's ID, the supporting detail may be the receiver's ID, and the additional detail could be the message itself. For a file system artifact, the key detail may be the file name, the supporting detail could be the file extension, and the additional detail could be the logical size of the file.
Ultimately, Timeline explorer adapts automatically to surface the most relevant evidence for the artifact at hand to help streamline your investigative needs.
If you’d like to learn more about the other Analytical Tools that are available with Magnet AXIOM, check out the blog, here.