Determine application responsible for temp files

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

A timeline would also give you a clue if the .part files are contextualized with the use of Firefox.

You would probably see browsing activities, URL visits and so on, in the proximity of the create date of the .part files… I'd say.


   
ReplyQuote
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Since you already have a suspicion that it is Firefox, I wouldn't bother with a timeline yet. I would take a test VM, do various tests with Firefox, and see if you can create analogous files on your own. Why waste the step of making a timeline if you may already have the answer?

"Waste the step"?

Well, my thinking is that if he does a timeline, and if he sees that Firefox is executed just prior to the .part files being created, he then has to replicate the creation of the .part files anyways.

Since he suspects that Firefox created the .part files, he could cut out the timeline and try and replicate the .part files, saving the time of creating the timeline (even if it is quick and easy).

Time is money, and if he can get to the answer quicker (and still have it be right), all the better. That's all I meant.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Well, my thinking is that if he does a timeline, and if he sees that Firefox is executed just prior to the .part files being created, he then has to replicate the creation of the .part files anyways.

Since he suspects that Firefox created the .part files, he could cut out the timeline and try and replicate the .part files, saving the time of creating the timeline (even if it is quick and easy).

IMHO, that's where the problem lies.

If the OP creates a timeline and sees Firefox being executed just prior to the .part files being created, he'll have not just that information, but also which web site the user had accessed, as well.

I think that the problem I ran into was "suspects"…too many times I see analysts making assumptions about what happened when it's trivial to actually determine what did happen.

Time is money, and if he can get to the answer quicker (and still have it be right), all the better. That's all I meant.

I think that the difference in opinion here, between us, is that with my experience in creating and analyzing timelines, I find it trivial to do this…but I also realize that if an analyst hasn't been developing timelines, it can seem like an insurmountable task.

As such, what I took away from your comment…and I may be completely off base here…is "take a guess and hope you're right", whereas my line of thinking is, create a timeline and know for sure.

Just a difference of perspectives that has led to a difference of opinions, is all…


   
ReplyQuote
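The timeline approach both rampage and keydet89 describe (line the .part file creation times up against process execution and browser-history artifacts and look at what sits just before them) can be shown in a few dozen lines. The following is an added example, not code from any of the posters: the events are constructed sample data standing in for what you would actually carve out of the file system metadata, Prefetch last-run times and the browser's history database, and the 120-second look-back window is an arbitrary assumption you would tune to the case. The point it makes is keydet89's: the same correlation that confirms Firefox for one .part file says "unknown" for another, which is exactly the assumption a test-VM replication alone would not catch.

```python
"""Correlate .part file creation with nearby process and browser activity.

Added example for the thread above; all events below are constructed
sample data, not artifacts from the original poster's system.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# One timeline entry: timestamp, which artifact family it came from, detail.
Event = namedtuple("Event", ["ts", "source", "detail"])

# Constructed file creation events (what you would pull from $MFT / MAC times).
FS_EVENTS = [
    ("2012-03-05T14:02:11", r"C:\Users\bob\Downloads\quarterly.pdf.part"),
    ("2012-03-05T14:02:40", r"C:\Users\bob\Downloads\quarterly.pdf"),
    ("2012-03-05T16:30:05", r"C:\Users\bob\AppData\Local\Temp\tmp8F3A.part"),
]
# Constructed process execution events (e.g. Prefetch last-run timestamps).
EXEC_EVENTS = [
    ("2012-03-05T14:01:48", "FIREFOX.EXE"),
    ("2012-03-05T16:29:50", "OUTLOOK.EXE"),
]
# Constructed URL visit events (e.g. rows from the browser's history store).
URL_EVENTS = [
    ("2012-03-05T14:02:05", "http://example.com/reports/quarterly.pdf"),
    ("2012-03-05T09:15:00", "http://example.com/"),
]


def parse(ts):
    """All sources must be normalized to one zone before sorting; UTC here."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_timeline():
    """Merge the artifact families into one list sorted by timestamp."""
    events = [Event(parse(t), "fs", p) for t, p in FS_EVENTS]
    events += [Event(parse(t), "exec", e) for t, e in EXEC_EVENTS]
    events += [Event(parse(t), "url", u) for t, u in URL_EVENTS]
    return sorted(events, key=lambda e: e.ts)


def context_for_part_files(timeline, window=timedelta(seconds=120)):
    """For each .part creation, collect exec/url events in the preceding window."""
    results = []
    for ev in timeline:
        if ev.source != "fs" or not ev.detail.lower().endswith(".part"):
            continue
        nearby = [e for e in timeline
                  if e.source != "fs" and ev.ts - window <= e.ts <= ev.ts]
        results.append({
            "part_file": ev.detail,
            "created": ev.ts.isoformat(),
            "executed": [e.detail for e in nearby if e.source == "exec"],
            "urls": [e.detail for e in nearby if e.source == "url"],
        })
    return results


def attribute(ctx):
    """Name the responsible application only when the timeline supports it."""
    if "FIREFOX.EXE" in ctx["executed"] and ctx["urls"]:
        return "firefox"
    return "unknown"


if __name__ == "__main__":
    for ctx in context_for_part_files(build_timeline()):
        print(ctx["created"], ctx["part_file"], "->", attribute(ctx),
              ctx["executed"], ctx["urls"])
```

Run stand-alone it prints two lines: the first .part file sits 23 seconds after a FIREFOX.EXE execution and 6 seconds after a visit to the matching URL, so it is attributed to Firefox along with the site that was accessed; the second .part file has only OUTLOOK.EXE in its window and no URL visit, so it stays "unknown" and needs a different explanation rather than the assumed one.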
Page 2 / 2
Share: