Channel: Forensic Focus Forums - Recent Topics

Forensic Software: X-Ways 16.9 Timeline Support

Adam, in Refine Volume Snapshot, in the options associated with "Extract internal metadata, browser history and events" are two checkboxes, as follows:

[ ] Provide file system level timestamps as events
[ ] Provide internal timestamps as events

Obviously, you would have to check those. Then, when Refine Volume Snapshot is finished, you can view the Events table by clicking the clock icon. This was a little confusing to me at first. The clock icon is just above the preview pane, to the right of the binoculars icon that toggles the view between a directory listing and search hits. Events works in a similar way and when selected, displays the events gathered during Refine Volume Snapshot. Once the Events list is displayed, you can sort, filter, and export.

The feature is a little buggy (e.g., the first few column headings in the exported text file are incorrect). It's also limited in terms of what events get identified, the details associated with them (e.g., the "Visited" event simply refers to Index.dat with no further details as to which URL was visited), the control over filtering (i.e., can't filter on Event Type and Category), and, as regards file system metadata, lacking precision beyond whole seconds. Nevertheless, it's a good start.

I've only been exploring it for a couple of hours, so it's possible I've missed a few things. YMMV.
