Timelines In Digital Forensic Investigation: From Investigation To Court

Timelines have become a mainstay of digital forensic analysis in both public and private sectors. They help to explain what was happening on a given device or set of devices during a cybersecurity incident, a crime, a collision, or other event. As part of broader pattern-of-life analysis, the timeline helps to frame the situation for customers, attorneys, juries, and other stakeholders.

At three recent digital forensics conferences — the National Cybercrime Conference (NCCC), the SANS DFIR Summit, and the Digital Forensics Research Workshop (DFRWS) — various aspects of timelines were presented:

  • At DFRWS, Dr. Hans Henseler spoke about “digital traces” and their value to investigations when physical traces are either unavailable or tell only part of a story.
  • At NCCC, Geraldine Blay and Alexis Brignoni relied on a case study to show how a timeline of user activity helped solve a triple homicide.
  • At the SANS DFIR Summit, Alexis Brignoni teamed with Josh Hickman to focus on Android Digital Wellbeing data and how it showed device usage.
  • Also at NCCC, two tool demonstrations showed how timeline sequences can be visualized.

Providing activity-level evidence via digital traces

Hans Henseler, a researcher at the Netherlands’ University of Applied Sciences Leiden, began his DFRWS talk by recalling the investigation process’ ultimate goal: to reconstruct what happened, presenting a narrative about an event in the past that is coherent, believable, and supported by sufficient evidence.

Henseler drew a parallel between physical and digital trace evidence, using an analogy to Locard’s Principle — that every interaction leaves a trace or transfer of matter — to argue that the same is true of information. 

He differentiated between “source level” and “activity level” evidence; in other words, refocusing from who or what deposited the evidence — which is often insufficient to relate a suspect or object to a crime — to how it got there.


Doing this forms the basis for what he called “anchored narratives”: the plausible, coherent, logical sequence of actions that generate evidence which anchors the narrative and thus determines its quality.

Events have only limited physical consequences, Henseler explained, and any given physical consequence could have been caused by any number of different events. These physical traces are used to form hypotheses or to validate reconstructions built from other traces.

However, he added, while activity-level evidence evaluation is already applied to physical evidence such as DNA, fibers, glass, paint, gunshot residues and fingerprints, it is not yet applied to digital evidence. At the same time, digital evidence is ideal for this type of investigation because digital data provides more information on event sequences and locations.

That’s where pattern of life analysis comes in, particularly via Android’s Wellbeing and iOS’ Screentime features. Conscious behavior around app usage — such as emails, social media posts, video watching, etc. — can be mapped together with the kind of biometric access control and time trackers that can help map unconscious behavior.

Put together alongside content in a timeline, said Henseler, this evidence can help to validate hypotheses at the source level as well as the activity level — for both cybercrime and more traditional forms of crime. Digital traces, he explained, can often link different questions about persons (who), activities (what), places (where) and times (when).

As such, they can help in selecting and prioritizing digital traces to investigate, as well in supporting case narratives at trial. To illustrate this, Henseler used three Dutch criminal cases, including the activity-level narratives presented by both prosecutors and defense, as well as how digital evidence supported the most likely scenario.

Case study: Timelining user-generated activity

The triple murder of Cody, Chad, and Margaret Amato in Seminole County (Florida) in January 2019 captured national attention. How police actually solved the case, relying almost entirely on digital evidence in the absence of relevant traditional physical evidence — a murder weapon, DNA, fingerprints, shoe impressions, etc. — was the subject of this NCCC presentation by Geraldine Blay, a digital forensic examiner with the Seminole County Sheriff’s Office, and Alexis Brignoni, a digital forensics researcher and blogger.

With just six months to analyze 20 terabytes of digital evidence from 35 devices — among them multiple gaming computers (including virtual reality systems), phones, and other technology — on this one case alone, Blay focused on timelines, establishing each family member’s patterns of life both before and on the day of their deaths. That way, spotting the deviations from those patterns could be of interest.

To do this, she needed to examine those 20TB in their totality, not treating any of the devices as irrelevant. For example, computer password patterns enabled her to guess an iPhone password so she could acquire that evidence. “[What used to be] thinking ‘outside’ the box is now the [entire] box,” she explained.

Among the questions Blay sought to answer: how long one victim’s phone remained unlocked after his time of death, compared to before he died; data about app installs and uninstalls; and when, for example, banking apps were accessed.

To that point, she said, it’s imperative to get detectives out of the habit of thumbing through phones for information. “It changes the data and screws up the timeline,” she said. “Instead, they should take [the device] into custody and call forensics.”

Because forensic tools at that time offered little support, Blay relied on Sarah Edwards’ APOLLO, plus SQLite queries along with Brignoni’s Mobile Installation Logs Parser, to validate her findings. “Verify your tools, don’t just trust them,” she stressed. Because some tools might record timestamps differently, it’s critical to normalize them — and to reach out to vendors so they can fix any problems.

Even so, some of the data needed to be verified based on access logs from app service providers, including banks. “Preservation letters are important,” said Blay, explaining that user logs are “highly volatile” when many providers only maintain them for a few days — or hours. “You have to move expeditiously on these,” she said. 

Employers, who maintain work activity records such as logins and other remote-work activity, also corroborated these patterns. Blay said corroborations like these are important in case a judge rules some evidence is inadmissible.

At the same time, she added, digital evidence is “more useful than eyewitness testimony, which can be unreliable. The digital evidence is emotionless. It is what it is.”

Healthy Android exams: Timelining Digital Wellbeing data

Later that same week, Brignoni teamed up with Kroll senior associate Josh Hickman to focus on a specific source of timeline data: the Android Digital Wellbeing database. Introduced in 2018 and rolled out more widely in late 2019, Wellbeing features help users keep track of application usage, device unlocks, notifications received, and many more pattern-of-life data points by month, day, hour, and even down to the second.

Timelining, they said, puts this data in context with other artifacts. Events aren’t always mirrored across the Wellbeing and usagestats or event logs, so the additional data can offer more insights about user activities.

Brignoni and Hickman’s research was based on output from three devices: a Google Pixel 3, a OnePlus 7T, and a Samsung Galaxy A30 (Samsung has its own version, with different APK and database names). They focused on three artifacts: system events, URL events, and the account tied to the user.

To get a sense for app usage, device shutdowns, and power-ups, they used a SQL query to pull Events and Packages tables together, then a second query to obtain screen data from the Wellbeing database — app_usage in the Pixel 3 and OnePlus 7T and dwbCommon.db in the Samsung device. In some cases, they said, when the user has enabled Wellbeing to import and record web history (not possible on Samsung devices), that may also be available.
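As an added example (not code from the article, from ALEAPP, or from the presenters), the join described above run over a constructed in-memory copy of the Wellbeing events and packages tables, with millisecond epoch timestamps normalized to ISO-8601 UTC as Blay recommends. The column names are an assumed simplification of the app_usage schema, the type codes are Android’s UsageEvents constants, and the rows are constructed sample data, not output from a real device.

```python
"""Join Wellbeing events to package names and build a normalized timeline.
Schema is an ASSUMED simplification of app_usage; all rows are CONSTRUCTED."""
import sqlite3
from datetime import datetime, timezone

# Subset of Android UsageEvents type codes as stored in events.type
EVENT_TYPES = {1: "ACTIVITY_RESUMED", 2: "ACTIVITY_PAUSED",
               15: "SCREEN_INTERACTIVE", 16: "SCREEN_NON_INTERACTIVE",
               17: "KEYGUARD_SHOWN", 18: "KEYGUARD_HIDDEN",
               26: "DEVICE_SHUTDOWN", 27: "DEVICE_STARTUP"}

# The Events/Packages join the presenters describe, ordered for timelining
TIMELINE_SQL = """
SELECT e.timestamp, e.type, p.package_name
FROM events AS e
JOIN packages AS p ON p._id = e.package_id
ORDER BY e.timestamp
"""

def build_sample_db():
    """Constructed stand-in for app_usage: an unlock, a banking app session,
    a lock, and a shutdown, all on 2019-01-01 UTC."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE packages(_id INTEGER PRIMARY KEY, package_name TEXT);
        CREATE TABLE events(_id INTEGER PRIMARY KEY, package_id INTEGER,
                            timestamp INTEGER, type INTEGER);
        INSERT INTO packages VALUES (1, 'android'), (2, 'com.example.bank');
        INSERT INTO events VALUES
          (1, 1, 1546300800000, 18),  -- keyguard hidden (device unlocked)
          (2, 2, 1546300805000, 1),   -- bank app moved to foreground
          (3, 2, 1546300865000, 2),   -- bank app paused
          (4, 1, 1546300870000, 17),  -- keyguard shown (device locked)
          (5, 1, 1546304400000, 26);  -- device shutdown
    """)
    return con

def ms_to_utc(ms):
    """Wellbeing stores Unix epoch milliseconds; normalize to ISO-8601 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def timeline(con):
    """(utc_time, event_name, package) tuples in chronological order."""
    return [(ms_to_utc(ts), EVENT_TYPES.get(t, f"TYPE_{t}"), pkg)
            for ts, t, pkg in con.execute(TIMELINE_SQL)]

def foreground_seconds(con, package):
    """Sum ACTIVITY_RESUMED -> ACTIVITY_PAUSED spans for one package."""
    total, start = 0.0, None
    for ts, t, pkg in con.execute(TIMELINE_SQL):
        if pkg != package:
            continue
        if t == 1:
            start = ts
        elif t == 2 and start is not None:
            total += (ts - start) / 1000
            start = None
    return total
```

Against a real acquisition, point sqlite3.connect at the extracted app_usage file instead of building the sample, and confirm the column names against the schema before trusting the join.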

Digital Wellbeing does have its limits. For one, the user can disable it. Its retention time is restricted (although, Brignoni and Hickman said, no information exists on when data starts to be overwritten). 

It also doesn’t keep data on deleted apps, though this activity can be determined from usage stats; for instance, what the app was doing before it was deleted. For more about this, including device personalization services (DPS) designed to track contextual, habitual (not as granular as Wellbeing data in some instances) user data, see Hickman’s blog series: Part 1 and Part 2.

To get Digital Wellbeing data, a file system acquisition of some kind is needed; from there, Brignoni’s Android Logs, Events, and Protobuf Parser (ALEAPP) Python script is designed to put it all together. Examiners who want to run their own tests are encouraged to work from Hickman’s well-documented Android and iOS images, available at Digital Corpora.

Visualizing timelines through the use of tools

At the National Cybercrime Conference, two tools were showcased that offer value in timeline-building: CrimeLines™ presented by Brian Carney, president of WIN Interactive; and Truxton presented by Dave Ryberg.

Carney opened his demo of CrimeLines software by focusing on how interactive timelines could aid both the investigation and prosecution of complex cases. Created pretrial, timelines can help to prepare both witnesses and prosecutors. During trial, they can keep witnesses on task while testifying, anchoring their narrative with key details. Clear, concise, persuasive visual stories help to engage jurors and judges, Carney said, combating decreasing attention spans with well-organized evidence. They maximize the impact of evidence, punctuating facts to demonstrate how a narrative does or doesn’t make sense.

That’s especially true when it comes to explaining complicated events. Rather than rely on a sequence of witnesses to verbally describe what happened when, timelines are easier to absorb when they link events, display junctures, and expand where needed.

While developing these kinds of visuals, Carney said, attorneys need to figure out what stories they’re trying to convey: the general big picture and/or, for complex cases, a more specific story or piece of their case. To that end, he recommended relying on “SMART” exhibit design: one that takes into account space, media, access, relationships, and time based on how a case is oriented. For instance, Carney said, most homicides are spatial, while time relationships are more significant in white collar crime or cases where communications were pivotal.

Carney talked about two types of timelines:

  • Static ones displayed on a posterboard or screen that summarize the narrative and can be left up throughout the duration of trial.
  • Dynamic or interactive ones that are scrollable, can rely on colors and icons as story elements, and allow for zooming into specific periods — and linking the audio, video, pictorial, or documentary evidence behind each event, which can help with authentication.

Truxton Forensics’ Dave Ryberg got specific about “Creating Automated Timelines from Disparate Forensics Tool Images,” leading attendees through a demo loading multiple forensic images from different acquisition tools. By putting disparate photos, USB activity, network and RDP connections, messaging/communications, and document activity together, users can identify relationships between case events and forensic artifacts.

Most acquisition tools, said Ryberg, lack the ability to aggregate pieces of evidence together and look at all the pieces of media simultaneously in timeline format. That’s particularly true of large images in high volumes and a wide variety of media.

Coming from the intelligence community, Truxton aggregates disparate media, then exploits, aggregates, correlates, automates, and reports the data. In cases when you don’t know what time something happened — for example, a theft — it’s possible to construct a timeline based on activity type: network connections, downloads, copies, social logins, phone calls, executables, photos taken, etc.

Echoing Carney’s presentation, Ryberg said a visual timeline can help show a cohesive picture to a jury, quickly getting to the bottom of a case.

Have timelines helped you in your investigation or courtroom testimony? Let us know!

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.
