General Discussion: Determine application responsible for temp files

twjolson wrote: For timelines, I use log2timeline (already part of SIFT), or 4n6time, which is new but quite capable from the little I have played with it.

You're correct, log2timeline is quite capable, but you also have to be aware of what it does not provide, as well. Relying solely on log2timeline, you could be missing critical pieces of information (Jump Lists, Java *.idx contents, specific Registry data, etc.).

twjolson wrote: Since you already have a suspicion that it is Firefox, I wouldn't bother with a timeline yet. I would take a test VM, do various tests with Firefox, and see if you can create analogous files on your own. Why waste the step of making a timeline if you may already have the answer?

"Waste the step"? Creating a timeline is very easy, and requires MUCH less effort than would be required to set up a VM and then work through various scenarios in a trial-and-error fashion, in an attempt to recreate/replicate the files in question. "Do various tests" sounds a little open-ended, while "create a timeline" is much more definitive.
