Windows 10 Timeline

  

LeGioN
Member
 

Windows 10 Timeline

Post Posted: Apr 06, 18 10:35

I could not see any posts here about the new Windows 10 update with the Timeline function. But I was curious to hear if anyone has any experience/thoughts about it?


www.digitaltrends.com/...-hands-on/

Where would one find this information on the computer I wonder?
 
  

tootypeg
Senior Member
 

Re: Windows 10 Timeline

Post Posted: Apr 06, 18 13:07

Hmmm, this interests me. A lot!
 
  

LeGioN
Member
 

Re: Windows 10 Timeline

Post Posted: Apr 06, 18 13:27

- tootypeg
Hmmm, this interests me. A lot!


Glad I am not the only one that finds this fascinating.
Seems to me that there is a possible goldmine of information right there.
Would love to test myself, but the update is being rolled out on Tuesday and I am unfortunately away doing a training course next week. :@
 
  

tootypeg
Senior Member
 

Re: Windows 10 Timeline

Post Posted: Apr 06, 18 13:56

I'm going to be all over this.
 
  

UnallocatedClusters
Senior Member
 

Re: Windows 10 Timeline

Post Posted: Apr 06, 18 17:30

Thank you for alerting the forum to this new development.

In my civil practice, the attorneys I am working for ideally want a single document review database tool that can make a timeline out of not only email based activity, but text messages, phone calls, etc.

In ediscovery, a common challenge is defining a "master date sort" database field by which all evidence included in a particular discovery database such as Relativity (www.relativity.com) can be sorted chronologically.

Emails have Sent Date/Received Date dates
Word files have Created Date/Last Accessed Date/Last Modified Date date values

So, the question is, what metadata date values is Microsoft using to generate their new Timeline feature?

For application usage, I believe metadata dates would be stored and culled from the Windows Registry.

Tools such as NUIX will process electronic discovery, meaning create a searchable index of electronic native files.

However, neither NUIX nor any other tool I am familiar with will automatically generate a "Master Date Sort Field" culled from all of the types of evidence ingested into a given Nuix database.

Our practice is to use a script to copy the desired metadata date values from each given database record Nuix has generated (such as pulling the Sent date or Received date from emails and pulling the Last Modified date from loose Office type files (Word/Excel/PDF/PPT/etc)) and then combining the desired metadata date values into a custom "Master Date Sort Field" which is then incorporated into the Relativity native review load files we export from NUIX.

To see the Relativity native review load file metadata fields, see Page 5, Addendum A here: www.sec.gov/divisions/...ndards.pdf

You will see on the SEC's excellent load file specification, there is no "Master Date Sort Field" because, from my experience, neither forensic nor ediscovery tools automatically generate a "Master Date Sort Field".  
 
  

keydet89
Senior Member
 

Re: Windows 10 Timeline

Post Posted: Apr 06, 18 20:41

- UnallocatedClusters

Tools such as NUIX will process electronic discovery, meaning create a searchable index of electronic native files.

However, neither NUIX nor any other tool I am familiar with will automatically generate a "Master Date Sort Field" culled from all of the types of evidence ingested into a given Nuix database.


Have you contacted your SC or sales rep? It's possible that the functionality is there (I'm assuming that as you've mentioned ediscovery that you're using WRA, not Workbench), or that it can be easily scripted.

HTH  
 
  

UnallocatedClusters
Senior Member
 

Re: Windows 10 Timeline

Post Posted: Apr 07, 18 17:22

Definitely one can create a script in NUIX to create a custom "Master Date Sort" field to be included in Relativity load file exports.

However, my point is that one's choice of which metadata fields to include in a "Master Date Sort" field seems to be subjective and to require expert consultation (do we include email sent date or email received date? Do we include Last Modified / Last Accessed or Date Created for Office type files? What specific date values does one include for execution of applications?).

Our practice has chosen fields and made a script to create a "Master Date Sort" field for our exports, but I am curious how the Microsoft developers created the new Windows Timeline feature.

To create a timeline, one must have date values, which can be culled from the Windows registry and other locations (such as date and time stamps pulled from Skype's main.db contained in an iOS mobile backup).

Hopefully this addresses the original poster's question, "Where would one find this information on the computer I wonder?"  
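
The "Master Date Sort" approach described in the posts above, sketched as an added example (not the poster's script and not Nuix or Relativity code). The record layout, field names and the per-type date preference order are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Assumed policy: which metadata date feeds the master field, per record kind,
# in preference order. This is the subjective choice the posts discuss.
DATE_POLICY = {
    "email": ["sent", "received"],
    "office": ["last_modified", "created"],
}

def parse_utc(value):
    """Parse an ISO 8601 timestamp to UTC; values without an offset are rejected."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("timestamp has no UTC offset: %r" % value)
    return dt.astimezone(timezone.utc)

def master_date(record, policy=DATE_POLICY):
    """Return (utc_datetime, source_field), or (None, None) if nothing is usable."""
    for field in policy.get(record["kind"], []):
        raw = record.get(field)
        if not raw:
            continue
        try:
            return parse_utc(raw), field
        except ValueError:
            continue  # ambiguous or malformed value: try the next preferred field
    return None, None

def build_timeline(records, policy=DATE_POLICY):
    """Sort records by master date; keep the source field so the choice is auditable."""
    dated, undated = [], []
    for rec in records:
        when, source = master_date(rec, policy)
        if when is None:
            undated.append(rec["id"])
        else:
            dated.append((when, rec["id"], source))
    dated.sort()
    rows = [{"id": i, "master_date": w.isoformat(), "source": s} for w, i, s in dated]
    return rows, undated

# Constructed sample records with mixed time zones and gaps.
SAMPLE = [
    {"id": "E1", "kind": "email", "sent": "2018-04-06T09:30:00-05:00"},
    {"id": "D1", "kind": "office", "created": "2018-04-01T08:00:00+02:00",
     "last_modified": "2018-04-06T15:00:00+02:00"},
    {"id": "E2", "kind": "email", "received": "2018-04-06T13:45:00+00:00"},
    {"id": "D2", "kind": "office", "last_modified": "2018-04-06T12:00:00"},
]
```

Sorting the raw local strings would put E1 first; after normalising to UTC it is last, and D2 is reported as undated rather than guessed at because its only timestamp carries no offset.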
 
