Master the Timeline

Timeline is an aggregated section of Oxygen Forensic® Detective where all extracted data is displayed in chronological order. Timelines can be created for a device or case and usually contain valuable insights about calls, web activity, web connections, photos, videos, calendar events, chats within apps, and more.

Here are ten ways investigators can utilize Timeline:

1. Filter entries by source. Do this by expanding the Accounts filter and selecting accounts of interest to view the related data. Investigators can do the same with contacts and groups. Alternatively, uncheck irrelevant accounts, contacts, and groups to hide the entries related to them. Expand the list of sources to view all the data sources within the extraction. Additionally, investigators can filter the displayed entries by using the checkboxes. 

2. Use tabs above the grid to view specific records. Switch between messages, calls, files, web activity, and geolocations with one click. The grid will adjust instantly.

3. Export data directly from the Timeline. Investigators can export all data or choose to extract only chats or geolocations. Click on the arrow next to the “Export” button to view all available options.

4. Select how much data to display in the grid. Click the “View” button to set whether Tags, Thumbnails, Duplicates, or Charts will be displayed in the main grid.

5. Learn more about the entry of interest. Select it in the grid and view its metadata in the right sidebar. There, users can add tags, notes, and Key Evidence marks. Users can also view photos and videos and listen to audio files.

6. View checked locations on OxyMaps. Hit the “Maps” button above the grid. Note that all records are checked by default. To hide irrelevant records, deselect them. Learn more about the capabilities of our Maps section here.

7. Use Smart Filters. This feature is designed to make investigations more insightful. The following Smart Filters are available:

  • Show all messages from contacts who have mentioned [enter word/phrase]
  • Show messages from all the contacts, including group members, who have mentioned [enter word/phrase]
  • Show all messages from contacts who shared geodata
  • Show events that happened before and after Key Evidence
  • Show events within the timeframe that happened before and after Key Evidence
  • Show events that happened before and after the events with geo-coordinates
  • Show events within the timeframe that happened before and after the events with geo-coordinates

Read more in our recent blog on Smart Filters.

8. Adjust the time filter from the bottom panel. Select whether records will be grouped by year, month, or day and set the time range either by using the calendar at the top of the panel or by manually shifting the highlighted area.

9. View the Activity Matrix by switching to the second tab of the bottom panel. This feature helps detect when the device was most used, sorting information by hours and weekdays. Every hour of the day is displayed as a rectangle with the number of events written inside. 

Each rectangle is highlighted in a color that correlates to the frequency of events in that rectangle: green stands for low activity, yellow for moderate, pale orange for high, and red for extreme. The total row displays the total number of events per hour, and the total column displays the total number of events for each weekday. If there are no events at a certain hour of the week, the cell will be empty.

Use the Activity Matrix to:

  • View activity within a specific hour
  • View activity within multiple hours
  • View activity within specific hours or weekdays
  • View activity within a preset time frame
  • View activity within specific applications
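
To cross-check the matrix against exported records, the same weekday-by-hour counts can be rebuilt independently. The following is an added example, not Oxygen Forensic code and not the tool's export format: the event tuples, the event type names, and the fixed UTC offset parameter are assumptions made for illustration. It also shows how the hour and weekday cells shift when the same events are viewed in a different time zone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample events (UTC timestamp, event type); not real case data
# and not the tool's export format.
SAMPLE_EVENTS = [
    ("2023-03-06T08:15:00+00:00", "message"),  # Monday
    ("2023-03-06T08:47:10+00:00", "call"),
    ("2023-03-06T23:30:00+00:00", "message"),
    ("2023-03-07T08:05:00+00:00", "web"),      # Tuesday
    ("2023-03-12T23:59:59+00:00", "message"),  # Sunday
]

def activity_matrix(events, utc_offset_hours=0, types=None):
    """Count events per (weekday, hour) cell in the chosen fixed-offset zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    cells = Counter()
    for stamp, kind in events:
        if types is not None and kind not in types:
            continue  # optional filter by event type
        local = datetime.fromisoformat(stamp).astimezone(tz)
        cells[(local.weekday(), local.hour)] += 1
    return cells

def totals(cells):
    """Return (events per hour, events per weekday), like the total row/column."""
    per_hour, per_day = Counter(), Counter()
    for (day, hour), count in cells.items():
        per_hour[hour] += count
        per_day[day] += count
    return per_hour, per_day

def render(cells):
    """Text grid: weekdays as rows, hours as columns, empty cells left blank."""
    per_hour, per_day = totals(cells)
    lines = ["    " + "".join(f"{h:>3}" for h in range(24)) + "  total"]
    for d, name in enumerate(WEEKDAYS):
        row = "".join(f"{cells[(d, h)] or '':>3}" for h in range(24))
        lines.append(f"{name} {row}  {per_day[d]:>5}")
    lines.append("tot " + "".join(f"{per_hour[h] or '':>3}" for h in range(24))
                 + f"  {sum(per_day.values()):>5}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(activity_matrix(SAMPLE_EVENTS)))                      # UTC
    print(render(activity_matrix(SAMPLE_EVENTS, utc_offset_hours=2)))  # UTC+2
```

In the UTC+2 view the late Sunday event lands in Monday's 01:00 cell, so the time zone used for bucketing should be recorded alongside any conclusion drawn from the matrix.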

10. Go to the third tab to view the Activity Chart. This analytical feature displays user activity in set timeframes (years, months, etc.). Every event type corresponds to a specific color of the chart column: calls are shown in green, messages are marked with yellow, and other events are shown in red.

The entire chart scale is divided into equal time intervals: 1 year, 1 month, 1 hour, 1 minute, or 1 second. Intervals can be set to the right of the “Group by” label. For each time interval, a column filled with the color corresponding to the event type will be displayed. If there are multiple event types, multiple columns will be displayed.

The height of the chart column depends, nonlinearly, on the number of events that occurred within the selected time interval. If there were no events during a certain time interval, this interval is not displayed on the chart. 

When hovering over the selected interval under the column, the chart will indicate the number of timeline events for this time interval. Likewise, hovering over the column of interest will display the number of events of a certain type in the selected time interval.

We hope this post has been helpful in understanding the capabilities of our Timeline section. Share your experience with us. Positive feedback keeps us moving, while negative feedback helps us make our software even better!

Don’t have Oxygen Forensic® Detective yet? Learn how to get a free demo license here.
