Viewing the timeline

Get a single view into what's happening in your case with the Timeline explorer, where you can see a flat timeline of all timestamped evidence from the Artifacts and File system explorers. The Timeline explorer is useful if you have an idea of when an event occurred and want to see if there's a spike in a suspect's online activity during that time. It is also useful if you have already identified an important piece of evidence and want to build a story around it using results that occur before and after.

The Timeline explorer includes a visualization of time in an interactive graph where you can examine specific timeframes, identify spikes in activity, focus on specific dates, and establish patterns in behavior.

Below the graph, you'll find timestamped evidence from the Artifacts and File system explorers ordered chronologically. To help you review and analyze the evidence with ease, you'll find additional details and high-level categorization of the evidence by timeline category—such as browser usage, file/folder opening, user event, and more.

When you click an evidence item, you can view more artifact information. Depending on whether the item originated from the Artifacts or File system explorer and the type and format of the artifact, you will have the option to view a preview of the artifact, review media categorization details, review artifact details, or view raw file system artifact data in text and hex.

To help decrease the scope of evidence to be searched, apply filters to the data, such as data types, timeline categories, date/time ranges, and more.

Build the timeline manually

AXIOM Examine builds the timeline from timestamped evidence from the Artifacts and File system explorers. By default, the timeline doesn't build when you create a case, but you can configure AXIOM Examine to build the timeline automatically.

  1. In AXIOM Examine, on the Tools menu, click Build timeline.

While the timeline is building, you can see its progress in the Timeline explorer or the status bar.

While the timeline is building, you can continue to browse through your case and add tags, comments, filters, and profiles. Once you've built the timeline initially, AXIOM Examine refreshes the timeline if you add new evidence.

Build the timeline automatically

By default, you must manually start building the timeline in your case. You can change this setting to automatically build the timeline.

  1. In AXIOM Examine, on the Tools menu, click Settings.
  2. Under Post-processing, select the Automatically build timeline on case open check box.
  3. Click Okay.

View the timeline

After AXIOM Examine builds the timeline, you can view all timestamped evidence in your case from the Artifacts and File system explorers, in chronological order, in the Timeline explorer.

  1. In AXIOM Examine, open the Timeline explorer.
  2. Select a date or date range of evidence that you'd like to zoom into as a starting point.
  3. Click Okay.

Details about all the artifacts in the spike appear in the evidence table below the timeline graph. Items that have multiple timestamps appear in the Timeline explorer once for each timestamp, and you can quickly move between the timestamps of a single hit in the timeline.

Tips for navigating the timeline graph

  • To get a closer look at a particular time in the graph, scroll the track wheel on your mouse or toggle the Zoom option.
  • To move backward or forward in time, click the graph and drag your mouse left or right. To quickly jump backward or forward in time, you can also click through the Next page and Previous page options.
  • To view the date and number of hits for a spike, hover over a node in the graph. The date/time format updates according to how you're viewing hits in the timeline (by year, month, week, day, hour, or minute).
  • To analyze hits in a spike in the timeline, click a node in the timeline graph. AXIOM Examine automatically jumps to the first timestamped item for the activity spike in the evidence table below the timeline graph.
  • To change how you view the timeline—by years, months, weeks, days, hours, or minutes—change the date type. The horizontal axis below the graph updates to reflect your selection.
  • To focus the graph to a specific date range, click Go to date to choose your desired date range.
  • To help decrease the scope of evidence to be searched, apply filters to the data, such as data types, timeline categories, date/time ranges, and more.
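
The flat-timeline model described above (one row per timestamp, grouped by a chosen date type, with spikes standing out against quieter periods) can be sketched outside the tool. This is an added example, not AXIOM Examine code: the hit records, field names, timestamp labels, and the median-based spike rule are assumptions, and all timestamps are assumed to be in one time zone.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample hits (not AXIOM output). Field and timestamp names are assumptions.
HITS = [
    {"id": 1, "category": "Program execution",
     "timestamps": {"Last run": "2023-05-02T09:14:05"}},
    {"id": 2, "category": "External device/USB usage",
     "timestamps": {"First connect": "2023-05-02T09:15:40",
                    "Last connect": "2023-05-04T17:02:11"}},
    {"id": 3, "category": "File/folder opening",
     "timestamps": {"Created": "2023-05-02T09:16:02",
                    "Accessed": "2023-05-02T09:47:30"}},
    {"id": 4, "category": "File download",
     "timestamps": {"Downloaded": "2023-05-02T09:20:13"}},
    {"id": 5, "category": "Browser usage",
     "timestamps": {"Last visit": "2023-05-03T11:05:00"}},
    {"id": 6, "category": "Deleted file",
     "timestamps": {"Deleted": "2023-05-02T09:52:44"}},
]

# strftime patterns for a subset of the views (week is left out).
FORMATS = {"year": "%Y", "month": "%Y-%m", "day": "%Y-%m-%d",
           "hour": "%Y-%m-%d %H:00", "minute": "%Y-%m-%d %H:%M"}

def flatten(hits):
    """Return one (time, hit id, category, label) row per timestamp, oldest first."""
    rows = [(datetime.fromisoformat(value), hit["id"], hit["category"], label)
            for hit in hits for label, value in hit["timestamps"].items()]
    return sorted(rows)

def bucket_counts(rows, unit="hour", category=None):
    """Count rows per time bucket, optionally keeping only one timeline category."""
    fmt = FORMATS[unit]
    return Counter(ts.strftime(fmt) for ts, _, cat, _ in rows
                   if category is None or cat == category)

def spikes(counts, factor=2.0):
    """Buckets with at least `factor` times the median count of non-empty buckets."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(b for b, n in counts.items() if n >= factor * baseline)

if __name__ == "__main__":
    rows = flatten(HITS)
    print(len(HITS), "hits ->", len(rows), "timeline rows")
    print("hourly spikes:", spikes(bucket_counts(rows, "hour")))
```

Because a hit with several timestamps contributes several rows, row counts in a spike can exceed the number of distinct hits; compare hit ids before drawing conclusions from a busy bucket.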

Export timeline data

If you want to share evidence from the timeline, export it to a .csv file.

  1. In AXIOM Examine, in the Timeline explorer, select and right-click items that you want to export.
  2. Click Create report / export.
  3. In the Export type drop-down list, click CSV.
  4. Next to the File path field, click Browse and select the location you want to save the export. Click Select folder.
  5. Click Create.

Timeline categories

| Category | Description | Example |
|---|---|---|
| Account usage | Evidence of a user account or system account being accessed or used. | Login/logout; Password changes |
| Browser usage | Evidence of the target using a browser or navigating web related activity on the computer or phone. | Browser last visit date/time; Cache/cookies from browsers |
| Deleted file | Indicates that a file has been deleted. While the file might not be accessible any more, there is a timed record representing its deletion. | Recycle Bin deletion date/time |
| Device interaction | Indicates the user or system interacted with an external device that was not the computer or phone being examined. | IoT devices such as Google Home, Amazon Echo, OnStar or other cars, and more. |
| External device/USB usage | Evidence of a USB or other external device being connected to the system. | USB first connect date/time; USB last connect date/time |
| File download | Indicates that a file was downloaded from an external source. | Chrome download activity; Skype file transfers |
| File knowledge | Indicates a user or system has interacted with the file in some way, but it might not be known whether the file was actually opened or not. | MAC times |
| File/folder opening | Evidence of a user opening a file or folder. | Jumplists; Shellbags; LNK files |
| Financial transactions | Indicates an exchange of currency or services has occurred. | Wallet transactions; Samsung Pay |
| Network activity | A timestamp of a network action or activity that occurred on the computer or phone. | WiFi connections; Authentications; RDP activity |
| Physical location | A timestamp placing the user or device at a specific location at a given time based on GPS coordinates or a physical address. | iOS cached locations; Significant locations |
| Program execution | Evidence of an application or program being run at a specific time. | Prefetch last run time |
| Social activity | Evidence of public interactions through applications or service. | Instagram posts; Tweets; Facebook Wall posts |
| User communication | Evidence of any sort of private or semi-private group chat through applications or services. | Chat messages; Email; Direct messages |
| User event | Evidence related to an event outside the system or user’s account usage. | Calendar events such as meetings or birthdays |