Visual correlation of suspects' actions and illegal activities #2244
lfcnassif started this conversation in Show and tell
For those who don't know, it is possible to break the timeline chart into 2 or more charts by selecting 2 or more bookmarks in the bookmarks panel when viewing the timeline chart. It could be used to establish correlations between 2 or more sets of events, freely defined by the user, by putting each event set of interest in a separate bookmark.
For example, in a CSAM investigation case, when 2 suspects use the same user account on the same computer and you are not sure who is the author of the illegal actions, you could put the user activities of suspect 1 (like sent emails, messages in social media, or website logins) in one bookmark, the activities of suspect 2 in a second bookmark, and the illegal activities (like the MAC times of CSAM files) in a third bookmark. Selecting those 3 bookmarks and switching to the timeline chart view may give you something like the picture below:
Above we can see that the illegal events (middle chart) are aligned/correlated with suspect 2's actions, while they are not correlated with the user events generated by suspect 1. That is just an example, but I hope that could be useful.