Author_Institution :
WetStone Technol. Inc., Freeville, NY, USA
Abstract :
In the investigation of a criminal case involving a computer or computers, the time-line of “computer events” may provide a critical piece of information relating to the prosecution of involved persons. This information can help to pinpoint the location of certain individuals, can assist with the determination of alibis, can uncover conversations and correspondence, and can possibly help to ultimately determine the guilt or innocence of those facing criminal charges. The following computer events or evidence may provide direct clues to not only the means, but also the motive, of a criminal act: contents or update time of electronic documents and files; time and content of e-mail communications and messages; information about system logon and logoff events; indications of access to specific Internet documents or sites; contents of communication with known individuals in chat rooms or other collaborative means; evidence of document destruction or hiding; knowledge of the forwarding of messages to external devices such as pagers, voice mail accounts or fax machines. Extracting this information from computer systems, network infrastructures, backup media, or peripheral devices is a time-consuming and tedious process. It can prove, however, to be a worthwhile endeavor. The paper describes a process to not only identify and extract this information, but to correlate it into a time-line with external events such as phone records, witness testimony, and physical evidence. This time-line can become an integral part of the historical road map that provides detailed information pertinent to an investigation.
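The abstract's central step, merging computer events from several sources with external records into one time-line, hinges on two details the abstract does not spell out: every source reports time in its own zone, and every imaged machine's clock may have been running fast or slow. The following Python is an added illustration written for this page, not code from the paper or from WetStone; the sample records, the UTC offsets and the clock-skew values in it are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample records (hypothetical, not from any real case):
# (raw timestamp as found in the source, UTC offset of that source in hours,
#  seconds the source's clock ran AHEAD of reference time when acquired,
#  source type, description).
SAMPLE_RECORDS: List[Tuple[str, float, int, str, str]] = [
    ("2001-03-05 14:05:00", -5.0, 120, "file",  "report.doc last modified (suspect workstation)"),
    ("2001-03-05T19:10:00+00:00", 0.0, 0, "email", "message to external address (mail server log)"),
    ("2001-03-05 13:58:00", -5.0, 120, "logon", "interactive logon (suspect workstation)"),
    ("2001-03-05T19:02:00Z", 0.0, 0, "phone", "outgoing call (carrier record, external evidence)"),
    ("2001-03-04 09:30:00", -5.0, 120, "web",   "visit to news site (browser history)"),
]


@dataclass(frozen=True)
class Event:
    when: datetime       # timezone-aware, UTC, skew-corrected
    source: str
    description: str


def normalize(ts: str, utc_offset_hours: float, clock_skew_seconds: int = 0) -> datetime:
    """Convert one raw timestamp to a skew-corrected UTC datetime.

    A naive timestamp (no zone) is interpreted in the offset the investigator
    recorded for that source.  clock_skew_seconds is how far that machine's
    clock was ahead of reference time at acquisition (positive = fast), so it
    is subtracted.  Both values are assumptions that must be documented with
    the evidence, because an error in either shifts every event from that
    source by the same amount.
    """
    if ts.endswith("Z"):                 # accept the 'Z' suffix on older Pythons
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return dt.astimezone(timezone.utc) - timedelta(seconds=clock_skew_seconds)


def build_timeline(records) -> List[Event]:
    """Normalize every record and order the result chronologically."""
    events = [Event(normalize(ts, off, skew), src, desc)
              for ts, off, skew, src, desc in records]
    return sorted(events, key=lambda e: (e.when, e.source))


def correlate(timeline: List[Event], anchor: Event, window_minutes: int) -> List[Event]:
    """Events (other than the anchor) within +/- window_minutes of an anchor,
    e.g. computer events surrounding a phone call from carrier records."""
    window = timedelta(minutes=window_minutes)
    return [e for e in timeline if e is not anchor and abs(e.when - anchor.when) <= window]


def render(timeline: List[Event]) -> str:
    return "\n".join(f"{e.when.isoformat()}  {e.source:<6} {e.description}" for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS)
    print(render(tl))
    call = next(e for e in tl if e.source == "phone")
    print("\nWithin 15 minutes of the phone call:")
    print(render(correlate(tl, call, 15)))
```

With the constructed data, the workstation's 14:05 local modification time becomes 19:03 UTC once the -05:00 offset and the 120-second fast clock are applied, which places it one minute after the 19:02 UTC carrier record rather than five hours later; the logon and the outgoing e-mail fall inside the same 15-minute window, while the previous day's browsing does not.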
Keywords :
Internet; electronic mail; law administration; legislation; police; timing; voice mail; Internet document access; Internet site access; backup media; chat rooms; collaborative means; computer events; computer evidence; criminal case; document destruction; document hiding; e-mail communications; e-mail messages; electronic documents; electronic files; external devices; fax machines; message forwarding; network infrastructures; pagers; peripheral devices; phone records; physical evidence; prosecution; system logoff events; system logon events; time-lining; update time; voice mail accounts; witness testimony; Computer networks; Computer peripherals; Data mining; Electronic mail; Forensics; IP networks; Research and development; Roads; Testing; Voice mail;