Using IEF v6’s New Timeline Feature To Reconstruct User Activity

Welcome to Magnet Forensics’ newest IEF feature, IEF Timeline.

IEF Timeline provides a visual representation of your case's data. IEF Timeline allows you to move through time as events happen on a computer, letting you pinpoint activity at a particular point in time and easily cross-reference the activity between artifacts. This can add a whole new dimension to your investigation, allowing you to reconstruct user activity and see events as they happened in chronological order.

You can open an IEF case in Timeline directly from IEF Report Viewer v6.0+ with just a single click, or launch IEF Timeline separately from the Start menu. IEF Timeline supports viewing IEF cases and TLN files (a standard timeline format).

[Screenshot: IEF Timeline]

When Timeline opens, you are greeted with two options: open an IEF case, or open a TLN file.

[Screenshot: IEF Timeline]

Let’s go ahead and open an IEF case by selecting the case folder that you want to analyze.

[Screenshot: IEF Timeline]

Once you select a case, Timeline will begin processing the data and creating the timelines. If IEF Timeline is launched from Report Viewer, it will automatically load the case you are currently viewing.

[Screenshot: IEF Timeline]

When the artifacts are loaded, you are presented with a screen containing 3 defined sections: the Artifact List (1), the Timeline Overview (2), and the Main Timeline View (3).

(1)    The Artifact List allows you to choose which timelines you would like to see in the main area. You can narrow your selection to just a specific artifact such as SkyDrive, a combined set of results such as IEF's "Refined Results", or simply everything in the case with the "All Results" tab.

(2)    The Timeline Overview gives you a holistic view of the entire timespan of the data in the case. It allows you to jump the visible region to a specific date, as well as pan and resize the currently visible region.

(3)    Finally, we have the Timeline main area, which is a fully interactive playground of data. This is where you will see the spikes of internet activity.

[Screenshot: IEF Timeline]

Clicking on a time block, as seen above, displays the set of events that occurred in that date/time range. You can select multiple blocks by holding down Control and clicking other blocks, or by holding Control and dragging to select a range of blocks. In this particular case you can see that Google Drive was used to transfer the file ICQ.7z. Then, 2:38 minutes later, there was ICQ7 chat activity.

As you zoom in, the data becomes more granular, making it easy to pinpoint the events that happened between two times. There are multiple ways to zoom in:

  1. Scroll the mouse wheel in the main timeline area
  2. Use the zoom slider at the top right
  3. Shift + click-drag to highlight a region to zoom in to
  4. Use the grips on the sides of the visible region in the Timeline Overview to fine-tune your visible region

You can navigate freely in all directions by clicking and dragging any lane in the main timeline area.

You can export the selected data, or all data in the timeline, to three different formats: HTML, PDF, and TLN. More formats will be supported in future versions.

[Screenshot: IEF Timeline]

In combination with IEF Report Viewer, you have the ability to view Report Viewer's bookmarks, search results, search alerts and filters in Timeline. You can switch views by selecting one of the databases in the dropdown at the top right.

TLN Format

The TLN format, defined by Harlan Carvey, is similar to a CSV file in the sense that values are separated, in this case by vertical pipes '|'. In a TLN file, each line carries five values in the following order:

Time of Event | Location | Source | Artifact Name | Description
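As an added example (not code from the post or from Magnet Forensics), here is a small parser for the five-field TLN layout above that orders records chronologically and reports the gap between consecutive events, reproducing the "Google Drive transfer, then ICQ chat 2:38 later" style of observation from the main timeline. It assumes the Time of Event field is a Unix epoch in seconds (UTC), which the post does not state, and the sample lines are constructed.

```python
"""Parse a TLN file (five pipe-separated fields) and order its events.

Field layout as given in the post:
    Time of Event | Location | Source | Artifact Name | Description
Assumption (not stated in the post): Time of Event is a Unix epoch in
seconds, UTC. The sample records below are constructed, not real case data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass
class TlnEvent:
    time: int          # epoch seconds (assumed)
    location: str
    source: str
    artifact: str
    description: str

    def when(self) -> str:
        return datetime.fromtimestamp(self.time, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_tln(text: str) -> List[TlnEvent]:
    """Return events in chronological order; malformed lines are skipped.
    maxsplit=4 keeps any '|' inside the free-text Description field intact."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 4)
        if len(parts) != 5 or not parts[0].isdigit():
            continue  # not a well-formed five-field TLN record
        t, loc, src, art, desc = parts
        events.append(TlnEvent(int(t), loc, src, art, desc))
    return sorted(events, key=lambda e: e.time)


def gaps(events: List[TlnEvent]) -> List[int]:
    """Seconds between each event and the one before it (first gap is 0)."""
    return [0] + [b.time - a.time for a, b in zip(events, events[1:])]


# Constructed sample: out-of-order lines, one malformed line, a '|' in a description.
SAMPLE_TLN = """\
1370000158|C:\\Users\\jad|IEF|ICQ7 Chat|Chat message sent: 'got the archive | thanks'
1370000000|C:\\Users\\jad|IEF|Google Drive|File transferred: ICQ.7z
this line does not have five fields
"""

if __name__ == "__main__":
    evs = parse_tln(SAMPLE_TLN)
    for e, g in zip(evs, gaps(evs)):
        print(f"{e.when()}  +{g:>4}s  {e.artifact:<13} {e.description}")
```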

We hope this gives you a clearer picture of how IEF Timeline can assist you in your investigations and how to use it. Please feel free to contact us with any questions or suggestions, as always.

Thanks for your support!
Jad and the Magnet Team