X-Ways 16.9 Timeline Support  

TuckerHST
(@tuckerhst)
Active Member

The new Event List feature of X-Ways 16.9 (released today) makes timeline analysis much easier.

It's unfortunate that file system timestamps in the Event List bear a precision of whole seconds, as it's sometimes helpful to identify files possibly originating on FAT vs NTFS/HFS+. I left a message to this effect in the X-Ways forum.

Nevertheless, I like the direction X-Ways is heading.

Posted : 07/02/2013 3:40 am
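The FAT-versus-NTFS point above rests on timestamp granularity: FAT stores last-write time in 2-second steps, creation time in 10 ms steps and last-access as a date only, all in local time, whereas NTFS keeps 100 ns ticks since 1601-01-01 UTC. A stamp carried over unchanged from FAT therefore keeps FAT's coarse granularity, which only sub-second precision lets you see. The following is an added example, not code from the post or from X-Ways: it converts ISO timestamps to FILETIME ticks and tests each stamp against the FAT resolutions. The sample records are constructed, the `local_offset_minutes` parameter is an assumption the caller supplies, and the note that a Windows copy keeps last-write time but assigns fresh creation and access times describes typical behaviour, not something the thread states.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND

# Coarsest step FAT can represent for each stamp, in FILETIME ticks.
FAT_RESOLUTION_TICKS = {
    "modified": 2 * TICKS_PER_SECOND,     # DOS time field counts 2-second steps
    "created": TICKS_PER_SECOND // 100,   # extra byte refines creation to 10 ms
    "accessed": TICKS_PER_DAY,            # last access is a date only
}


def iso_to_filetime(text):
    """ISO-8601 timestamp with an explicit UTC offset -> FILETIME ticks."""
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError("timestamp needs an explicit UTC offset: %r" % text)
    delta = dt.astimezone(timezone.utc) - EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_iso(ft):
    """FILETIME ticks -> ISO-8601 in UTC (microsecond precision)."""
    return (EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def fat_consistent(ft, kind, local_offset_minutes=0):
    """Could this FILETIME have been carried over unchanged from FAT?

    FAT stores local time, so the UTC value on NTFS is local minus the
    offset Windows applied at conversion; shift back before testing.
    local_offset_minutes is the caller's assumption about that offset. For
    'modified' and 'created' any whole-minute offset leaves the result
    unchanged; it only matters for the date-only access stamp.
    A passing check is a lead, not proof: tools that set times with
    1-second precision also leave zero fractions. A failing check, however,
    rules out an untouched FAT-derived value.
    """
    local = ft + local_offset_minutes * 60 * TICKS_PER_SECOND
    return local % FAT_RESOLUTION_TICKS[kind] == 0


def classify(record, local_offset_minutes=0):
    """record: {'name', 'created', 'modified', 'accessed'} with ISO strings.

    Returns which stamps look FAT-derived. A Windows copy from FAT to NTFS
    normally keeps last-write time and assigns fresh creation and access
    times (assumed typical behaviour), so 'modified' is the one to read first.
    """
    return {
        kind: fat_consistent(iso_to_filetime(record[kind]), kind, local_offset_minutes)
        for kind in ("modified", "created", "accessed")
    }


# Constructed sample records, not real case data.
SAMPLE_RECORDS = [
    {"name": "budget.xls",
     "modified": "2012-11-03T14:22:10+00:00",         # even second, no fraction
     "created": "2013-02-07T03:41:12.345678+00:00",   # set fresh on NTFS
     "accessed": "2013-02-07T03:41:12.345678+00:00"},
    {"name": "notes.txt",
     "modified": "2013-02-06T22:41:07.534210+00:00",  # NTFS-native precision
     "created": "2013-02-06T22:40:59.010000+00:00",
     "accessed": "2013-02-07T00:00:00+00:00"},
]


def report(records=SAMPLE_RECORDS, local_offset_minutes=0):
    """Map file name -> per-stamp FAT-consistency flags."""
    return {r["name"]: classify(r, local_offset_minutes) for r in records}


if __name__ == "__main__":
    for name, checks in report().items():
        flags = ", ".join(k for k, ok in checks.items() if ok) or "none"
        print(f"{name}: FAT-consistent stamps: {flags}")
```

Run against an export that keeps the fractional seconds (see the notation option discussed later in the thread); with whole-second exports every stamp trivially passes the "no fraction" part of the test and the heuristic loses most of its value.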
Adam10541
(@adam10541)
Senior Member

I haven't had a play with this yet but I remember asking for a timeline quite a few years back and being told it was a very low priority... Stefan wasn't kidding!

Am I wrong in assuming you can select certain files, then produce a timeline graphic or report for those files?

Posted : 07/02/2013 6:51 am
TuckerHST
(@tuckerhst)
Active Member

Adam, in Refine Volume Snapshot, in the options associated with "Extract internal metadata, browser history and events" are two checkboxes, as follows

[ ] Provide file system level timestamps as events
[ ] Provide internal timestamps as events

Obviously, you would have to check those. Then, when Refine Volume Snapshot is finished, you can view the Events table by clicking the clock icon. This was a little confusing to me at first. The clock icon is just above the preview pane, to the right of the binoculars icon that toggles the view between a directory listing and search hits. Events works in a similar way and when selected, displays the events gathered during Refine Volume Snapshot. Once the Events list is displayed, you can sort, filter, and export.

The feature is a little buggy (e.g., the first few column headings in the exported text file are incorrect). It's also limited in terms of what events get identified, the details associated with them (e.g., the "Visited" event simply refers to Index.dat with no further details as to which URL was visited), the control over filtering (i.e., can't filter on Event Type and Category), and, as regards file system metadata, lacking precision beyond whole seconds. Nevertheless, it's a good start.

I've only been exploring it for a couple of hours, so it's possible I've missed a few things. YMMV.

Posted : 07/02/2013 7:43 am
EricZimmerman
(@ericzimmerman)
Active Member

Remember the new events thing is more metadata driven, else we could just use the previously existing calendar mode.

It is a new approach from the traditional timeline related stuff with MAC dates from the file system in that all the internal dates and times are extracted and used in addition to the classic timeline stuff.

Which column headers did you notice were incorrect on export?

I was able to see precision lower than 1 second if Options | General | Notation | Seconds was checked. By default it's 3 decimals after the second and that's the highest it can be.

I am sure we will see constant improvement in Service releases as people start using 16.9 full time.

Posted : 07/02/2013 8:44 pm
TuckerHST
(@tuckerhst)
Active Member

Eric, thanks for the tip about millisecond precision. I'll try that out. As for the column heading bug, I'll document an example and post it. The Events feature is obviously preliminary (it barely scratches the surface), but I really like the approach.

Posted : 08/02/2013 12:56 am
EricZimmerman
(@ericzimmerman)
Active Member

I was able to replicate the bug. I believe Stefan already has it fixed. I'd expect an SR in the next day or so =)

Each SR will most likely add more artifacts to the timeline as well.

Good stuff!

Posted : 08/02/2013 12:57 am
TuckerHST
(@tuckerhst)
Active Member

What would be really helpful would be thorough documentation of what events are gathered into the Events table. For example, the internal metadata in Office files (e.g., Last Printed) seems like low-hanging fruit. However, in my test, I didn't see any Last Printed events. Accordingly, I don't know whether the feature is buggy or X-Ways isn't attempting to gather that data yet.

Posted : 08/02/2013 1:09 am
EricZimmerman
(@ericzimmerman)
Active Member

Are you seeing last printed in the metadata column for those documents in the primary directory browser?

Posted : 08/02/2013 1:12 am
TuckerHST
(@tuckerhst)
Active Member

Eric, I don't have details at the moment as I'm working on another matter. Sounds like you're immersed in it right now and if you happen to learn anything more about it (including that I'm simply wrong on this), I'm open to your discoveries.

And a supported Event list would be nice. )

Posted : 08/02/2013 1:19 am
TuckerHST
(@tuckerhst)
Active Member

Ok, I took a few minutes to check on metadata. In the extract metadata options in Refine Volume Snapshot, as you're probably aware, selecting the checkbox to place metadata in its own column is followed by an "are you sure" dialog box which serves to discourage the user from doing this. Nevertheless, when I say yes and run it again, nothing else happens (at least to the file known to have a "Last Printed" value in its details). I saw this behavior when first trying out the Event list, too. It seems to require running a new volume snapshot, which is obviously less than optimal.

When I took a new volume snapshot, and opted to store metadata in a column, X-Ways successfully extracted a Last Printed date and put it in the metadata column for my test file. However, it still doesn't show up in the Event list.

Incidentally, have you tried sorting the Event list by type? It follows some arbitrary sorting scheme in which Access appears between Modification and Record Change.

In short, this is a great feature-in-progress. It's limited, buggy, and full of promise.

Posted : 08/02/2013 3:14 am
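The post above shows a Last Printed value that is extracted into the metadata column but never surfaces as an event. In OOXML documents the internal timestamps live in docProps/core.xml as dcterms:created, dcterms:modified and cp:lastPrinted, so gathering them is a matter of reading one XML part out of the ZIP container. The following is an added example, not X-Ways code and not something the thread describes X-Ways doing: it pulls those three stamps out of a .docx and merges them with file-system stamps into one sorted event list, covering both kinds of event ("file system level" and "internal") mentioned earlier in the thread. The sample .docx is built in memory with constructed values, and the file-system timestamps passed in are invented for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in docProps/core.xml of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}

# (element path inside cp:coreProperties, event type label to emit)
CORE_TIMESTAMPS = (
    ("dcterms:created", "Created (internal)"),
    ("dcterms:modified", "Modified (internal)"),
    ("cp:lastPrinted", "Last Printed (internal)"),
)


def parse_w3cdtf(text):
    """W3CDTF/ISO-8601 -> aware UTC datetime. Values are usually 'Z'-suffixed,
    which datetime.fromisoformat only accepts from Python 3.11, so normalise.
    Naive values (e.g. a bare date) are assumed to be UTC."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def office_internal_events(docx_bytes, name):
    """Return internal-metadata events for one OOXML document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return []                       # package without core properties
        root = ET.fromstring(zf.read("docProps/core.xml"))
    events = []
    for path, label in CORE_TIMESTAMPS:
        node = root.find(path, NS)
        if node is not None and node.text and node.text.strip():
            events.append({"time": parse_w3cdtf(node.text), "type": label, "file": name})
    return events


def filesystem_events(name, created, modified, accessed):
    """Wrap file-system stamps (ISO strings) as events of the same shape."""
    return [
        {"time": parse_w3cdtf(created), "type": "Creation (file system)", "file": name},
        {"time": parse_w3cdtf(modified), "type": "Modification (file system)", "file": name},
        {"time": parse_w3cdtf(accessed), "type": "Access (file system)", "file": name},
    ]


def build_event_list(*event_groups):
    """Merge event lists into one timeline, ordered by time then type."""
    events = [e for group in event_groups for e in group]
    return sorted(events, key=lambda e: (e["time"], e["type"]))


# Constructed core.xml; the dates are invented.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>analyst</dc:creator>
<cp:lastPrinted>2013-01-15T09:12:00Z</cp:lastPrinted>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-12-01T14:03:11Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-02-06T22:41:07Z</dcterms:modified>
</cp:coreProperties>"""


def make_sample_docx(with_core=True):
    """Build a minimal .docx-like ZIP in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_core:
            zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def demo():
    """Timeline for the constructed document with invented file-system stamps."""
    name = "report.docx"
    internal = office_internal_events(make_sample_docx(), name)
    fs = filesystem_events(name,
                           created="2013-02-07T03:41:12.345678+00:00",
                           modified="2013-02-06T22:41:08+00:00",
                           accessed="2013-02-07T03:41:12.345678+00:00")
    return build_event_list(internal, fs)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['time'].isoformat()}  {e['type']:<28} {e['file']}")
```

Note that the internal Modified stamp precedes the file-system Modification stamp by one second in this constructed data; on real evidence the two commonly disagree, and that disagreement (or an internal stamp later than the file-system one) is exactly the kind of thing a merged event list makes visible.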
EricZimmerman
(@ericzimmerman)
Active Member

I wouldn't think a new VS would be required, but you'd have to RVS again with that option turned on. The VS would just see the doc file there. At that point it doesn't go into it to get metadata.

I'll set up some tests and kick the tires on that specifically.

Posted : 08/02/2013 3:17 am