Computer Forensic Timeline Analysis with Tapestry

Published: 29 Nov, 2011
Created by Derek Edwards

Computer forensics requires applying computer science to answer legal questions. Arranging events chronologically is a good way of telling a clear, concise story. As valuable as date- and time-based information often is to a case, none of the leading forensic tools offers usable date- and time-oriented tools. Log2timeline is an excellent tool for extracting date- and time-based information from digital evidence. In fact, the amount of information it extracts can overwhelm the examiner. Most computer forensic timeline tools focus on either collection or presentation of timeline data, but few options exist for storing the large amount of data, much less managing it throughout the analysis process, in which a data set is reduced to its most representative and relevant set of facts. Organizing timeline data so that it can be viewed either in summary or 'drilled down' in detail can reduce the sense of being overwhelmed that computer forensics examiners experience while analyzing the large data sets that accompany timeline analysis. This approach to organizing the data has proven effective in increasing the usefulness of other large data sets, such as intrusion detection databases. A converter for log2timeline output and an Apache-MySQL-PHP web application are described.
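The summary and drill-down organization described above can be sketched as follows. This is an added example, not the paper's converter or Tapestry's code: SQLite stands in for MySQL, the `events` table and the function names are hypothetical, and the sample rows are constructed in log2timeline's `l2t_csv` column layout.

```python
import csv, io, sqlite3
from datetime import datetime

# Constructed sample in log2timeline's l2t_csv column layout (not real evidence).
SAMPLE = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
11/02/2011,09:14:03,UTC,M...,FILE,NTFS $MFT,Modified,-,WS01,report.doc,C:/Users/a/report.doc,2,/img/$MFT,4412,-,mft,-
11/02/2011,09:14:41,UTC,.A..,WEBHIST,Firefox,Visited,a,WS01,example.test,http://example.test/ visited,2,/img/places.sqlite,5120,-,firefox3,-
11/02/2011,09:52:10,UTC,..C.,REG,NTUSER key,Last Written,a,WS01,Run key,HKCU/Software/Run,2,/img/NTUSER.DAT,6001,-,ntuser,-
11/02/2011,14:05:27,UTC,M...,EVT,Security,Logon,a,WS01,Event 4624,Successful logon,2,/img/Security.evtx,7002,-,evtx,-
not-a-date,09:20:00,UTC,....,LOG,Syslog,Entry,-,WS01,garbled line,unparsed,2,/img/messages,8100,-,syslog,-
"""

def build(csv_text):
    """Load l2t_csv text into an in-memory DB; return (db, loaded, skipped)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, macb TEXT, source TEXT,"
               " host TEXT, short TEXT, filename TEXT)")
    loaded = skipped = 0
    for r in csv.DictReader(io.StringIO(csv_text)):
        try:
            # l2t_csv dates are MM/DD/YYYY; normalise so text order equals time order.
            # Assumption: the timezone column is ignored because the sample is all UTC.
            ts = datetime.strptime(f"{r['date']} {r['time']}", "%m/%d/%Y %H:%M:%S")
        except (KeyError, ValueError):
            skipped += 1  # count rows that cannot be placed on the timeline
            continue
        db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)",
                   (ts.isoformat(sep=" "), r.get("MACB"), r.get("source"),
                    r.get("host"), r.get("short"), r.get("filename")))
        loaded += 1
    db.execute("CREATE INDEX idx_events_ts ON events(ts)")
    return db, loaded, skipped

def summary(db):
    """Summary view: event counts per hour and source."""
    return db.execute("SELECT substr(ts, 1, 13) AS hour, source, COUNT(*) FROM events"
                      " GROUP BY hour, source ORDER BY hour, source").fetchall()

def drill_down(db, hour):
    """Detail view: every event inside one hour bucket returned by summary()."""
    return db.execute("SELECT ts, source, short FROM events"
                      " WHERE substr(ts, 1, 13) = ? ORDER BY ts", (hour,)).fetchall()

if __name__ == "__main__":
    db, loaded, skipped = build(SAMPLE)
    print(f"loaded={loaded} skipped={skipped}")
    for hour, source, count in summary(db):
        print(hour, source, count)
    for row in drill_down(db, "2011-11-02 09"):
        print("  ", row)
```

The skipped-row count is returned rather than silently dropped so an examiner can account for every input line when the reduced data set is later presented.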