In our training courses, we push ideas and investigative methodology more than we push our tools. Tools will change, but proper investigative methods will not. Asking the right questions, while following a robust investigative methodology, is what enables success.
Without the discipline of timeline analysis, in simple and complex cases alike, context, hidden motives, clues, or meaning can be missed entirely. Timeline analysis is essential because every moment in an incident or investigation is referenced over and over again, which makes this simple task invaluable.
Timeline analysis can help uncover hidden motives, new suspects, or enable more insight into events. The study of the frequency of events can illuminate formerly unknown or unseen patterns.
In broad strokes, the value of an investigation lies in uncovering a hidden story; looking at different moments and their relationship to entities can help build out that picture. Here are a few quick rules we use for what to timeline and how.
Types of Timelines
First, have two sets of timelines: the everything timeline and the timeline selected for hyper-focused perspectives.
- When visualized, look for larger clusters.
- Observe unknown correlations.
- Very helpful when we don’t know what we are looking for.
- Look for clear signal versus noise.
- Look for cause-and-reaction type events.
Cause-and-reaction events are beneficial. In one case I had been working on, we had identified suspects that had been using encrypted messaging and telephone applications. As events would unfold, the suspect would call others in the encrypted telecommunication application. Since we had acquired backups of his phone, we were able to see within the timeline who was contacted when specific events occurred. We didn’t know what they talked about, but we did know who was contacted by whom when under stress, enabling higher prioritization and clustering of suspects.
How can you start with timeline analysis?
You first want to map out the “who”: for example, all people or systems that may have had interactions. Once you have mapped who needs to be on the timeline, map out “what” happened and “when.”
- Map out Who.
- Map out What.
- Add in the visualized timeline.
Creating your first Timeline
- Create XLS Spreadsheet.
- Organize as you go.
- Try to input events at the end of the day. (This helps your subconscious think during downtime.)
- Create two columns: |DATE| , |EVENT| (optionally add Outcome, but more on this in another post).
What Does this look like?
Analysis of your timeline can be performed with a variety of timeline analysis tools. What you want to look for is what is normal and what is abnormal, and what you can infer from that.
Sometimes clues and truths in an investigation are evident, but you can’t see the truth until it is visualized or put in sequential order. In a prior insider case, as a team we had identified strange discussions between employees where the context seemed missing. During analysis, the content of the messages had been overlooked because of the extremely benign nature of the messages. Only after closer review within a sequence of events (and after a year+) did we see that the benign messaging had no context other than to act as a signaling method for the insiders engaged in acts of espionage.
Analysis of sequential events through a visualized timeline gave us insights that we had looked past a hundred times. Only when we pushed for context did we observe the pattern.
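The two-column spreadsheet described above, and the checks we run against it (clusters, cause-and-reaction events, and a hyper-focused view of one entity), can be scripted once the sheet is exported to CSV. The following is an added example, not code from the original post or from ShadowDragon; the timeline rows, names and the extra WHO column are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample "everything timeline" in the DATE / EVENT layout the post
# describes, with a WHO column added so contacts can be correlated with events.
TIMELINE_CSV = """DATE,WHO,EVENT
2023-03-01 09:00,alice,badge-in main office
2023-03-01 09:05,alice,login workstation
2023-03-01 09:07,alice,opened finance share
2023-03-01 09:08,alice,copied Q1_forecast.xlsx to USB
2023-03-01 09:10,alice,msg to bob: lunch?
2023-03-01 09:12,bob,msg to carol: ok
2023-03-01 14:00,dave,printer maintenance
2023-03-02 17:30,alice,copied customer_list.csv to USB
2023-03-02 17:31,alice,msg to bob: lunch?
2023-03-02 17:34,bob,msg to carol: ok
2023-03-03 11:00,dave,weekly report filed
"""

def load_timeline(text):
    """Parse the spreadsheet export and sort it chronologically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["DATE"] = datetime.strptime(r["DATE"], "%Y-%m-%d %H:%M")
    return sorted(rows, key=lambda r: r["DATE"])

def clusters(events, window=timedelta(minutes=15), min_events=3):
    """Bucket events into fixed windows; return (window_start, count) for busy ones."""
    buckets = Counter()
    for e in events:
        buckets[e["DATE"] - (e["DATE"] - datetime.min) % window] += 1
    return sorted((s, n) for s, n in buckets.items() if n >= min_events)

def reactions(events, trigger, window=timedelta(minutes=10)):
    """Cause-and-reaction check: for every event matching trigger(event), list
    the (WHO, EVENT) pairs that follow it within window."""
    out = []
    for i, e in enumerate(events):
        if trigger(e):
            follow = [f for f in events[i + 1:] if f["DATE"] - e["DATE"] <= window]
            out.append((e["EVENT"], [(f["WHO"], f["EVENT"]) for f in follow]))
    return out

def focus(events, who):
    """Hyper-focused timeline: only events performed by, or naming, one entity."""
    return [e for e in events if e["WHO"] == who or who in e["EVENT"]]
```

Running `reactions(load_timeline(TIMELINE_CSV), lambda e: "USB" in e["EVENT"])` shows the same two contacts following each USB copy, which is the kind of repeated benign-looking message that only stands out in sequence.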
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of Odonata Holdings, Inc.