Building a Timeline of Activity

Vestige Digital Investigations, President, CEO and Founder
MBA, CISA, CSXF, CMMC-RP

Building a timeline of activity from digital evidence is one of the things clients call on us for.  Often they are not quite sure what they are looking for, but they have an idea.  Admittedly, enumerating all of the uses for digital evidence in every conceivable case type is next to impossible.  We live and breathe this stuff 24x7x365, and yet once in a while we run across something that no one has ever asked about before.  When that call comes in, our team swings into motion and starts brainstorming about how to creatively solve the issue.

Your Very Own Time & Motion Study

I have often half-jokingly said that I can piece my life back together using only my digital devices.  Half-jokingly because, too many times to count, I have had to piece something in my life back together, and my natural inclination is to turn to these devices.  Say, for instance, that I need to recreate what I did this past week.  A review of my calendar will give me an aggregate picture of what I was scheduled to do, perhaps what calls I had to make, what activities I engaged in, which meetings were attended and much more.  But that’s not granular enough…no, I mean I want to piece it back down not just to the day or even the hour; I want to look at my life down to the minute.  What to do?  As someone who sends, receives and processes more than 250 e-mails a day, I have found that e-mail makes a wonderful record of what I was doing.  And if I have one of those odd lulls in activity where 30 minutes tick by without my sending or responding to e-mail, looking at the e-mail activity on either side of that gap is typically a very good indicator of what may have led up to it and of course what was going on right after — enough to spark a memory as to exactly what phone call I was on, what project I happened to be working on or what interruption I attended to.  And while e-mail is a good review, there are still a number of other sources that I can easily review to corroborate my recollections.  Perhaps it’s looking at the cell phone records (both phone calls and text messages).  Wham…another 4 or 5 events that I can use to fill in the missing pieces.  A quick check on the transactions from my debit card…Bam!  And it hits me: oh yeah, I totally forgot that I went to that store that evening, or ah-ha, forgot that we went out to lunch on that day — that’s where that missing time for that day went.

And the list goes on…I can look at the computer and see which documents I was most recently using; I can turn to Internet history and be reminded not only of the sites I visited that day, but of the searches I conducted, the links I followed and the entire scavenger hunt I found myself on researching this project or writing that article, preparing for a presentation or the myriad tasks that seem to crop up day in and day out.  I punch into LinkedIn or Facebook and am reminded of the two leads that came in and the subsequent phone calls that I made.  And I haven’t even looked at GPS or some of the new personal activity trackers such as Fitbit or Nike FuelBand!

The point is that digital evidence is around us everywhere and at any moment it is capturing information about just what it is that we’re doing.  Some of this digital forensic evidence is direct — an e-mail with a timestamp — okay, I know exactly what I was doing at that point in time!  But some of it is indirect; just a little nudge from the tangible world to pull that memory out of my subconscious to remind me of exactly what it was that I was doing.

All of these sources tell a very interesting story once the temporal data in them is identified, captured and analyzed.  The good news is that if you need to understand an individual’s activities throughout a day, week, month or longer, turning to the digital evidence may well give you what you’re looking for.
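The mechanics behind the story above are: pull each source in its own native timestamp format, normalise every record to one time zone, sort them into a single timeline, and then look at what bracketed any lull. The following is an added illustration written for this article, not Vestige’s tooling; the e-mail, phone and card records are constructed sample data, and the assumption that the zone-less phone and card exports are in US Eastern daylight time (`LOCAL_TZ`) is made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records: three sources, each in its own native timestamp
# format (RFC 2822 e-mail dates, a carrier call-detail export, a card statement).
EMAIL_LOG = [
    "Mon, 07 Apr 2014 08:02:11 -0400|sent|RE: project kickoff",
    "Mon, 07 Apr 2014 08:40:57 -0400|received|Invoice #1042",
    "Mon, 07 Apr 2014 13:15:30 -0400|sent|Draft article",
]
PHONE_CSV = [
    "2014-04-07 09:05,call,outgoing,12 min",
    "2014-04-07 12:10,sms,incoming,",
]
CARD_CSV = [
    "04/07/2014 12:32 PM,Debit,Lunch Cafe,14.50",
]

# Assumption: the phone and card exports carry no zone and the device owner was
# in US Eastern daylight time. Every source must be normalised to one zone before
# events from different sources can be ordered against each other.
LOCAL_TZ = timezone(timedelta(hours=-4))


def parse_email(line):
    ts, direction, subject = line.split("|", 2)
    when = datetime.strptime(ts, "%a, %d %b %Y %H:%M:%S %z")  # already zone-aware
    return {"when": when, "source": "email", "detail": f"{direction}: {subject}"}


def parse_phone(line):
    ts, kind, direction, extra = line.split(",", 3)
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ)
    return {"when": when, "source": "phone", "detail": f"{kind} {direction} {extra}".strip()}


def parse_card(line):
    ts, kind, merchant, amount = line.split(",", 3)
    when = datetime.strptime(ts, "%m/%d/%Y %I:%M %p").replace(tzinfo=LOCAL_TZ)
    return {"when": when, "source": "card", "detail": f"{kind} {merchant} ${amount}"}


def build_timeline(email_lines, phone_lines, card_lines):
    """Merge all sources into one list ordered by normalised timestamp."""
    events = [parse_email(l) for l in email_lines]
    events += [parse_phone(l) for l in phone_lines]
    events += [parse_card(l) for l in card_lines]
    events.sort(key=lambda e: e["when"])
    return events


def find_gaps(events, threshold=timedelta(minutes=30)):
    """Return (event_before, event_after, length) for every lull of at least `threshold`."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["when"] - prev["when"]
        if delta >= threshold:
            gaps.append((prev, cur, delta))
    return gaps


def describe_gap(gap):
    """One line a reviewer can read: what bracketed the silence."""
    prev, cur, delta = gap
    mins = int(delta.total_seconds() // 60)
    return (f"{mins} min gap: after [{prev['source']}] {prev['detail']} at {prev['when']:%H:%M}, "
            f"until [{cur['source']}] {cur['detail']} at {cur['when']:%H:%M}")


if __name__ == "__main__":
    timeline = build_timeline(EMAIL_LOG, PHONE_CSV, CARD_CSV)
    for e in timeline:
        print(f"{e['when']:%Y-%m-%d %H:%M:%S} [{e['source']:5}] {e['detail']}")
    for g in find_gaps(timeline):
        print(describe_gap(g))
```

The zone normalisation is the step most often skipped and most often wrong: a card statement in local time merged with e-mail headers in UTC will reorder events and manufacture or hide gaps that never existed.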

Life’s Virtual Punch Clock

As digital forensic experts, we have access to even more temporal data than just the sources I’ve described above.  Not only does digital evidence capture these “usual suspects” when it comes to temporal data, but these devices create even more information, oftentimes at a granularity finer than by-the-minute — just in case you had the need to know what you were doing down to the nanosecond.

Two of my favorite digital investigation cases in this area both dealt with organizations that had no mechanism for capturing employees’ “time on the clock” but found themselves staring at the wrong end of a wage-labor lawsuit, recognized that they now needed that information, and desperately wished they had had a time clock in place.  In both situations the suits alleged that the organizations were improperly classifying employees as exempt.

In the first matter, we were able to capture a wide range of temporal data from dozens of digital devices to establish a pattern of what activity occurred during the day, when that activity began on each employee’s computer (as a proxy for the start of their day), when that activity ended and everything in between.  By reviewing not only the data on the individuals’ computers, but also event logs, audit trails and digital artifacts, we were able to piece together very specific and precise timelines of the activity.  We were even able to show what activity was occurring while the employee was on-site as opposed to what activity was carried out remotely when the employee “dialed in” during the evening or in some cases prior to coming into the office.  We were able to take that raw data, analyze it and even perform statistical analysis to show the client exactly what the work day looked like on an individual-by-individual basis, compare it with peers and other groups within the organization and provide meaning and actionable intelligence that the client could use both for the lawsuit and for future planning and policy adoption.
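Here is an added worked example of the per-employee reconstruction just described, written for this article rather than taken from the matter itself. It consumes constructed logon/logoff events in a simplified five-field form (the hostnames, user names and the "console"/"remote" mode labels are invented), pairs logons with logoffs to get first activity, last activity and on-site versus remote seconds per employee-day, and reports rather than guesses at sessions that never closed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon/logoff events in a simplified "timestamp,host,user,action,mode"
# form. "console" means the employee was at the workstation; "remote" means the
# session came in through the VPN gateway outside office hours.
EVENT_LOG = [
    "2014-03-03 07:52:13,WS-017,alice,logon,console",
    "2014-03-03 17:41:02,WS-017,alice,logoff,console",
    "2014-03-03 21:05:44,VPN-GW,alice,logon,remote",
    "2014-03-03 21:40:10,VPN-GW,alice,logoff,remote",
    "2014-03-04 08:10:00,WS-017,alice,logon,console",
    "2014-03-04 16:55:30,WS-017,alice,logoff,console",
    "2014-03-03 09:01:00,WS-022,bob,logon,console",
    "2014-03-03 18:30:00,WS-022,bob,logoff,console",
    "2014-03-04 08:45:00,WS-022,bob,logon,console",   # no logoff: workstation lost power
]


def parse_events(lines):
    events = []
    for line in lines:
        ts, host, user, action, mode = line.split(",")
        events.append({"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "user": user, "action": action, "mode": mode})
    events.sort(key=lambda e: e["when"])  # logs collected from many devices arrive unordered
    return events


def daily_windows(events):
    """Per (user, date): first and last activity, seconds per mode, and unmatched events."""
    days = {}
    open_sessions = {}  # (user, mode) -> logon time, used to pair a logon with its logoff
    for e in events:
        key = (e["user"], e["when"].date())
        d = days.setdefault(key, {"first": e["when"], "last": e["when"],
                                  "seconds": defaultdict(int), "unmatched": 0})
        d["last"] = max(d["last"], e["when"])
        skey = (e["user"], e["mode"])
        if e["action"] == "logon":
            if skey in open_sessions:        # a second logon with no logoff in between
                d["unmatched"] += 1
            open_sessions[skey] = e["when"]
        elif e["action"] == "logoff" and skey in open_sessions:
            start = open_sessions.pop(skey)
            d["seconds"][e["mode"]] += int((e["when"] - start).total_seconds())
        else:                                # logoff with no logon, or an unknown action
            d["unmatched"] += 1
    # Sessions still open at the end of the data are reported, not guessed at.
    for (user, mode), start in open_sessions.items():
        days[(user, start.date())]["unmatched"] += 1
    return days


def window(days, user, day):
    """Look up one employee-day by ISO date string, e.g. window(days, 'alice', '2014-03-03')."""
    return days[(user, datetime.strptime(day, "%Y-%m-%d").date())]


def mean_seconds(days, user, mode="console"):
    """Average seconds per day in the given mode, over days with any time in that mode."""
    vals = [d["seconds"][mode] for (u, _), d in days.items()
            if u == user and d["seconds"][mode] > 0]
    return sum(vals) / len(vals) if vals else 0.0


if __name__ == "__main__":
    days = daily_windows(parse_events(EVENT_LOG))
    for (user, day), d in sorted(days.items()):
        print(f"{user} {day}: first {d['first']:%H:%M} last {d['last']:%H:%M} "
              f"console {d['seconds']['console'] / 3600:.2f} h "
              f"remote {d['seconds']['remote'] / 3600:.2f} h unmatched {d['unmatched']}")
```

The `unmatched` counter is the honest part of the output: an open session at the end of the data could mean a crash, a forgotten logoff or a missing log, and a reconstruction that silently assumes one of those would not survive cross-examination.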

The second matter was, in my opinion, just a fun project and showed the true power of thinking outside the box and finding that unique source of digital evidence.  Similar to the previous matter, this was an organization that did not have a time clock because of the belief that the affected employees were exempt.  This case came to us from the hospitality industry and involved individuals who were required to be in company-provided uniforms.  This company had invested in an automated garment dispensary system that, in essence, functioned as a check-in/check-out locker room.  Upon arriving at work for their shift, the employee would approach this system, swipe their employee badge and enter their PIN on a touchpad.  Similar to one of those automated racks in a dry cleaner, the system would retrieve a “locker” containing the employee’s personal uniform.  They would remove the uniform from the locker, place their street clothes and other personal belongings into the locker, lock it up and return it to the carousel, then repeat the entire process in reverse at the end of their shift.  The beauty, of course, is that being a technological endeavor in and of itself, this system kept a log of every garment’s check-in/check-out activity, complete with date and time stamps.  The client came to us because, while the system had this great capability, it unfortunately kept only 30 days’ worth of records.  This matter stretched back 3 or more years.  Vestige’s knowledge of filesystems and operating systems allowed us to delve in, examine the workings of the device, determine how the data was stored, etc.  This analysis led to the design of a custom routine that went through the entire hard drive and identified and recovered nearly 1 million previously lost/deleted transactions, where each transaction represented the check-in or check-out of one of these garments, complete with proof that it was the individual employee (swipe card and PIN) and the essential date and time stamp.
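The article does not describe how the dispensary stored its records, so the following is an added illustration of the general technique (signature-based record carving) and not Vestige’s routine. The on-disk layout (`GRMT` magic, type byte, big-endian Unix timestamp, badge id, locker number), the badge ids, the timestamps and the plausibility window are all assumptions constructed for the example. The point it makes is that a carver ignores what the application or filesystem still considers live and scans every byte, which is what brings back records the application had aged out, while rejecting false hits on the magic and partial records at the end of the image.

```python
import struct
from datetime import datetime, timezone

# Hypothetical on-disk record layout for the dispensary log (an assumption made
# for this example; the real device's format is not described in the article):
#   4-byte magic "GRMT" | 1-byte type (1 = check-in, 2 = check-out)
#   | 4-byte big-endian Unix timestamp | 8-byte badge id, NUL padded | 2-byte locker
MAGIC = b"GRMT"
REC = struct.Struct(">4sBI8sH")
KINDS = {1: "check-in", 2: "check-out"}


def make_record(kind, ts, badge, locker):
    return REC.pack(MAGIC, kind, ts, badge.ljust(8, b"\0"), locker)


def build_image():
    """Constructed stand-in for a disk image: live records, an aged-out one, junk, a truncated tail."""
    filler = bytes((i * 37 + 11) % 256 for i in range(64))   # deterministic junk; never spells "GRMT"
    live = (make_record(1, 1396861200, b"E10042", 17)        # 2014-04-07 09:00 UTC check-in
            + make_record(2, 1396891800, b"E10042", 17))     # 2014-04-07 17:30 UTC check-out
    deleted = make_record(1, 1394010000, b"E10077", 3)      # 2014-03-05 09:00 UTC, no longer referenced
    bogus = REC.pack(MAGIC, 9, 1396861200, b"E10099\0\0", 5)  # valid magic, invalid type: must be rejected
    truncated = make_record(2, 1394040000, b"E10077", 3)[:10]  # cut off at the end of the image
    return filler + live + filler[:20] + deleted + filler[20:45] + bogus + filler[:5] + truncated


def carve(image, earliest=1262304000, latest=1420070400):
    """Signature-scan the whole image for records, regardless of filesystem allocation.

    Timestamps outside [2010-01-01, 2015-01-01) are treated as false positives; the
    plausibility window is part of the assumed scenario, not a property of any real device.
    """
    records, pos = [], 0
    while True:
        pos = image.find(MAGIC, pos)
        if pos < 0:
            break
        if pos + REC.size > len(image):      # candidate runs past the end: nothing to recover
            break
        _, kind, ts, badge, locker = REC.unpack_from(image, pos)
        if kind in KINDS and earliest <= ts < latest:
            records.append({"offset": pos, "kind": KINDS[kind],
                            "when": datetime.fromtimestamp(ts, timezone.utc),
                            "badge": badge.rstrip(b"\0").decode("ascii"),
                            "locker": locker})
            pos += REC.size                 # records never overlap: skip past this one
        else:
            pos += 1                        # false hit on the magic: keep scanning byte by byte
    records.sort(key=lambda r: r["when"])
    return records


def by_badge(records):
    """Group recovered transactions per employee badge, oldest first."""
    grouped = {}
    for r in records:
        grouped.setdefault(r["badge"], []).append(r)
    return grouped


if __name__ == "__main__":
    for r in carve(build_image()):
        print(f"offset {r['offset']:4d}  {r['when']:%Y-%m-%d %H:%M}  "
              f"{r['kind']:9}  badge {r['badge']}  locker {r['locker']}")
```

Against a real device the format would be worked out first from known-good live records, and each recovered record's offset kept alongside it so the recovery can be reproduced and verified by the other side.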

In Conclusion

Digital devices everywhere contain artifacts, information and evidence that capture dates, times and other relevant information.  If you need to understand when something occurred (a specific date/time) OR need to understand the chronological order in which events occurred (and don’t necessarily have, or need to know, the specific date/time), a digital forensic analysis may get you exactly what you need.

By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations