Timeline

The Timeline window in Belkasoft X presents a unified chronological view of artifact timestamps extracted from file system records, documents, chats, emails, browser activities, system events, mobile app interactions, and other sources. Each timestamp corresponds to a timeline event.

Since some artifacts may include more than one timestamp, the number of timeline events is typically bigger than the number of artifacts in the case. For instance, a file-based artifact (like a document) has various operating system times, such as the Created time or the Last access time. Artifacts with metadata (like a picture) may also have multiple recorded events, such as GPS time for shot or Date/time digitized.

The Timeline helps retrace all events that occurred in the specified periods on one or more devices, facilitating the analysis of the sequences and patterns in user and system activity.

Timeline window

To access the Timeline window, from the main menu, select Timeline. The window includes several sections:

Main timeline: Graphical view of event volume over time.
Mini-timeline: The full date range with a selection overlay.
Events view: Filterable and sortable list of all events.
Tools pane: Raw data viewers.
Properties pane: Details of the artifact associated with the selected event.

The Timeline window in Belkasoft X with interface sections highlighted and annotated

Timezone settings and timestamps

The graphical timeline displays the events based on the UTC timestamp, while the Events view presents the timestamps in two columns:

Time (UTC): Artifacts' original timestamps.
Time (local): Timestamps calculated by Belkasoft X based on the case or data source timezone settings. Local time is helpful for contextual understanding of events. In some cases

Timezone settings for local timestamps can be configured on the Dashboard. Two levels of settings are available:

Case-level timezone: The Timezone setting in the Case properties section defines the timezone for the entire case. It is recommended to use the original time zone of the data source rather than your local time zone for this setting.
Data source-level time zone: The Timezone property in the data source panes specifies the timezone for specific data sources (for example, if they originate from different timezones).

Belkasoft X's Dashboard with highlighted timezone setting fields

Navigating the Timeline

The Timeline window provides various filtering options to isolate relevant events:

Selecting date ranges: Use the main timeline graph to select a specific date range by clicking and dragging visually. The mini-timeline at the bottom will reflect the selection and can also be used to adjust the range in view.

The Timeline graph views displaying the event volume over the selected period

Advanced date and time filtering: Click the funnel icon in the Time (UTC) or Time (Local) column headers within the Events view. The Advanced date options dialog provides granular settings based on specific dates, time ranges within a day, or days of the week. This feature is useful for analyzing patterns of activity or identifying events that occurred during very short periods.

The Advanced date options window allowing filtering events by specific time ranges and days of the week

Filtering by categories and types: The Events view allows you to filter the displayed events by various criteria, including artifact categories (such as Chats, Mails, Browsers), specific item types, and event types (for example, creation time, access time).
Filtering by origin and data source: Refine the timeline view based on the origin of the data or the specific data source it came from.

Bookmarking a Timeline event

Bookmarking a timeline event in Belkasoft X automatically bookmarks its associated original artifact records, located within their respective artifact categories (e.g., Messages, Browsers). This linking allows a single bookmarked timeline event to label multiple related artifacts.

Screenshots demonstrating how Belkasoft X creates bookmarks for timeline events and their source artifacts