
Windows 10 Timeline  

Page 1 / 2
LeGioN
(@legion)
Member

I could not see any posts here about the new Windows 10 update with the Timeline function. But I was curious to hear if anyone has any experience/thoughts about it?

https://www.digitaltrends.com/computing/windows-10-timeline-hands-on/

Where would one find this information on the computer I wonder?

Posted : 06/04/2018 11:35 am
tootypeg
(@tootypeg)
Active Member

Hmmm, this interests me. A lot!

Posted : 06/04/2018 2:07 pm
LeGioN
(@legion)
Member

Hmmm, this interests me. A lot!

Glad I am not the only one that finds this fascinating.
Seems to me that there is a possible goldmine of information right there.
Would love to test myself, but the update is being rolled out on Tuesday and I am unfortunately away doing a training course next week.

Posted : 06/04/2018 2:27 pm
tootypeg
(@tootypeg)
Active Member

I'm going to be all over this lol

Posted : 06/04/2018 2:56 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Thank you for alerting the forum to this new development.

In my civil practice, the attorneys I am working for ideally want a single document review database tool that can make a timeline out of not only email-based activity, but text messages, phone calls, etc.

In ediscovery, a common challenge is defining a "master date sort" database field by which all evidence included in a particular discovery database such as Relativity (www.relativity.com) can be sorted chronologically.

Emails have Sent Date/Received Date dates
Word files have Created Date/Last Accessed Date/Last Modified Date date values

So, the question is, what metadata date values is Microsoft using to generate their new Timeline feature???

For application usage, I believe metadata dates would be stored and culled from the Windows Registry.

Tools such as NUIX will process electronic discovery, meaning create a searchable index of electronic native files.

However, neither NUIX nor any other tool I am familiar with will automatically generate a "Master Date Sort Field" culled from all of the types of evidence ingested into a given Nuix database.

Our practice is to use a script to copy the desired metadata date values from each given database record Nuix has generated (such as pulling the Sent date or Received date from emails and pulling the Last Modified date from loose Office type files (Word/Excel/PDF/PPT/etc)) and then combining the desired metadata date values into a custom "Master Date Sort Field" which is then incorporated into the Relativity native review load files we export from NUIX.

To see Relativity native review load file metadata fields, see Page 5, Addendum A here: https://www.sec.gov/divisions/enforce/datadeliverystandards.pdf

You will see on the SEC's excellent load file specification, there is no "Master Date Sort Field" because, from my experience, neither forensic nor ediscovery tools automatically generate a "Master Date Sort Field".

Posted : 06/04/2018 6:30 pm
keydet89
(@keydet89)
Community Legend

Tools such as NUIX will process electronic discovery, meaning create a searchable index of electronic native files.

However, neither NUIX nor any other tool I am familiar with will automatically generate a "Master Date Sort Field" culled from all of the types of evidence ingested into a given Nuix database.

Have you contacted your SC or sales rep? It's possible that the functionality is there (I'm assuming that as you've mentioned ediscovery that you're using WRA, not Workbench), or that it can be easily scripted.

HTH

Posted : 06/04/2018 9:41 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Definitely one can create a script in NUIX to create a custom "Master Date Sort" field to be included in Relativity load file exports.

However, my point is that one's choice of which metadata fields to include in a "Master Date Sort" field seems to be subjective and requiring expert consultation (do we include email sent date or email received date? Do we include Last Modified / Last Accessed or Date Created for Office type files? What specific date values does one include for execution of applications?).

Our practice has chosen fields and made a script to create a "Master Date Sort" field for our exports, but I am curious how the Microsoft developers created the new Windows Timeline feature.

To create a timeline, one must have date values, which can be culled from the Windows registry and other locations (such as date and time stamps pulled from Skype's main.db contained in an iOS mobile backup).

Hopefully this addresses the original poster's question, "Where would one find this information on the computer I wonder?"

Posted : 07/04/2018 6:22 pm
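
Added example (not part of any post in this thread, and not Nuix or Relativity code): a Python version of the "Master Date Sort" field described in the two posts above, where a per-type precedence list decides which metadata date wins and the winning field is recorded next to the value. The record layout, field names, the naive-timestamps-are-UTC rule and the sample records are constructed assumptions.

```python
from datetime import datetime, timezone

# Hypothetical field names; which date wins per record type is the reviewer's choice.
PRECEDENCE = {
    "email": ["sent_date", "received_date"],
    "office": ["last_modified", "created"],
    "sms": ["message_date"],
}

# Constructed sample records (not from any real matter or tool export).
SAMPLE = [
    {"id": "DOC-001", "type": "office", "last_modified": "2018-04-06T09:15:00",
     "created": "2018-04-01T08:00:00"},
    {"id": "DOC-002", "type": "email", "sent_date": "2018-04-06T03:30:00-05:00",
     "received_date": "2018-04-06T03:31:10-05:00"},
    {"id": "DOC-003", "type": "email", "sent_date": "",
     "received_date": "2018-04-05T22:00:00+01:00"},
    {"id": "DOC-004", "type": "sms", "message_date": "not a date"},
]

def to_utc(value):
    """Parse an ISO 8601 string to UTC; naive values are assumed to be UTC already."""
    try:
        dt = datetime.fromisoformat(value or "")
    except ValueError:
        return None  # empty or unparseable: fall through to the next field
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def master_date(record, precedence=PRECEDENCE):
    """Return (utc_datetime, source_field) for the first usable date, else (None, None)."""
    for field in precedence.get(record.get("type"), []):
        dt = to_utc(record.get(field))
        if dt is not None:
            return dt, field
    return None, None

def build_timeline(records, precedence=PRECEDENCE):
    """Attach MasterDateSort/MasterDateSource and sort; undated records go last."""
    rows = []
    for rec in records:
        dt, source = master_date(rec, precedence)
        rows.append((dt is None, dt or datetime.max.replace(tzinfo=timezone.utc),
                     {**rec, "MasterDateSort": dt.isoformat() if dt else "",
                      "MasterDateSource": source or ""}))
    rows.sort(key=lambda row: row[:2])
    return [row[2] for row in rows]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE):
        print(row["id"], row["MasterDateSort"], row["MasterDateSource"])
```

Swapping the order inside a `PRECEDENCE` entry changes which date drives the sort, and the `MasterDateSource` column lets a reviewer see which choice was applied to each record.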
tootypeg
(@tootypeg)
Active Member

Is this feature currently available then or is Tuesday (as you mentioned) the first we will see of this? I don't have access to a win10 machine yet to validate but after some googling - has this been available for a good while?

Posted : 07/04/2018 9:40 pm
LeGioN
(@legion)
Member

A bit delayed.. But the timeline update is finally out.

https://www.pcworld.com/article/3263905/windows/windows-10-how-to-use-timeline.html

Posted : 02/05/2018 7:10 am
pr3cur50r
(@pr3cur50r)
Junior Member

I had a very quick poke around this weekend.

https://salt4n6.wordpress.com/2018/05/05/windows-10-timeline-forensic-artefacts/

Posted : 06/05/2018 12:13 pm
LeGioN
(@legion)
Member

I had a very quick poke around this weekend.

https://salt4n6.wordpress.com/2018/05/05/windows-10-timeline-forensic-artefacts/

Well done!

Posted : 07/05/2018 7:16 am
AlexC
(@alexc)
Active Member

We also had a play with it at the end of last week.

https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/

More work to do, but some encouraging finds in there!

Posted : 08/05/2018 2:57 pm
LeGioN
(@legion)
Member

We also had a play with it at the end of last week.

https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/

More work to do, but some encouraging finds in there!

Oooh.. I like that.
Lovely findings you have there!

Posted : 09/05/2018 8:26 am
AlexC
(@alexc)
Active Member

We also had a play with it at the end of last week.

https://cclgroupltd.com/windows-10-timeline-forensic-artefacts/

More work to do, but some encouraging finds in there!

Oooh.. I like that.
Lovely findings you have there!

The UserEngaged stuff has real potential I think - needs more testing to work out precisely how the service populating it works/what its limitations are though.

Posted : 09/05/2018 10:14 am
tootypeg
(@tootypeg)
Active Member

I'm currently testing and working on this but all of a sudden my timeline has stopped recording stuff.

Whilst this is annoying, it also makes me wonder where the hell everything has gone, why it has gone and what impact this has on an investigation.

Posted : 09/05/2018 10:18 am