Timelines In Investigations

A Brief History And Their Importance In The Context Of Litigation

Timelines depicting historical facts have been part of our makeup as a society since as early as the fourth century when the Roman Christian scholar Eusebius developed a sophisticated table structure in order to organize and reconcile chronologies drawn from historical sources from around the world.1

With the advent of big data combined with the powerful graphical tools of the web, timelines have since evolved into amazing storytelling tools. Today’s technologies have empowered the digital age of time transformation, yielding a plethora of timeline software and timeline rendering technology. You can find timelines based on a single-axis scrolling of chronological events to complex maps with animated zooming and panning. 

Innovations in web-based technology now power advanced timeline creation with popups, embedded video and images, and links to additional facts and details enabling people to explore everything from the life of Nelson Mandela to the How the Islamic State is carving out a new country. These timelines encompass what what would be hundreds if not potentially thousands of pages of printed text and graphics, bringing stories to life like never before. 

Telling stories using timelines in the litigation industry is no different. Timelines can be powerful tools when demonstrating a series of connected events, which can be invaluable to an investigation. TechLaw highlighted several tools over a decade ago, and a multitude of industry research papers emphasize how important time-lining is to computerized investigations.

Timestamps can be obtained from file system metadata, system logs, or application data. Depending on the source of the events, this can provide a detailed sequence of the events that took place on a system (or multiple ones), allowing an investigator to reconstruct the sequence of events that took place.

What makes these timelines possible is the enormous amount of computerized metadata available to computer forensic investigators. Florian Buchholz and Brett Tjaden published a paper in 2007 entitled “A brief study of time”, which notes that, "Timestamps can be obtained from file system metadata, system logs, or application data. Depending on the source of the events, this can provide a detailed sequence of the events that took place on a system (or multiple ones), allowing an investigator to reconstruct the sequence of events that took place."

Since their paper, the file system metadata to which Buchholz and Tjaden reference has since expanded at an exponential pace, and the number of data points that contain a timestamp extend to everything we do in our digital world. Early investigations focused on email and user files, such as spreadsheets and word processing documents. However, today’s mobile technology has us blazing a timestamp trail that includes documenting our every move on a map to when we last posted to our favorite social media platform. Each of these items can become a relevant piece of information to an investigation. 

In order to tackle today’s big data explosion over the past decades, innovative forensic tools like Log2Timeline (aka Super Timeline) and Plaso emerged enabling forensic investigators to normalize and build timelines from timestamp metadata extracted from a multitude computer artifacts. The caveat being that these tools introduce a complexity to computerized investigations that many a layperson would be confounded to unravel without having some sort of computer background or programming knowledge.

However, this holds true with any technology, as each new data source may introduce some sort of adverse complexity when creating a timeline. Many of the applications we we use on our computers or smartphones may record time differently. Some may use coordinated universal time (UTC) or record the time using the device’s time zone settings. Therefore, it is important that timelines be normalized. Quoting a article documenting important tips for case chronologies, Samantha Gwinn, a former FBI investigator, notes that one should “always express date and time using the local time zone in which the event occurred.”

Fortunately, with today’s computer code, normalizing time is a fairly straightforward process. Many computer languages have built-in date and time functions that allow for quick conversion of a timestamp from one time zone to another. Many of the websites you visit today use this technology to display timestamps so that they are relative to your current locality’s time zone. 

Leveraging the metadata extracted from the wide variety of computerized sources coupled with today’s computer coding and timeline technologies, ESI Analyst is able to simplify building your investigative timelines. Thereby allowing for a seamless timeline of events to be built demonstrating case facts quickly and effectively, normalized to a singular timezone for clear and concise case demonstratives. 

Arrange a demonstration today so that ESI Analyst can empower your investigative team to Communicate, Collaborate and Advocate effectively.

1 Cartographies of Time: A History of the Timeline. 2010. ISBN: 978-1616890582

Image: Haeckel 1879, p. 189, Plate XV: "Pedigree of Man"



Discover the next wave of eDiscovery Innovation

CloudNine has acquired ESI Analyst and are looking forward to working with you.

Contact the CloudNine team today:


Click here to request a demo of CloudNine’s ESI Analyst

© 2018 – 2023 ~ Tidal Change Technologies, Inc. ~ All rights reserved