Timeline analysis
During the investigation, you may find artifacts that appear to show the guilt (or innocence) of the accused. We cannot construe the mere presence of the artifact as a sign of the suspect's guilt (or innocence). The artifact needs to be placed within the context of the user and system activity.
For example, I was brought in as a consultant on a case that was being brought to trial; they accused the suspect of physically abusing another person. One piece of evidence that was considered against the suspect was the high number of Google searches about how to treat an injury. They attributed the searches to the accused, who was the father. The hardest piece of evidence to prove is the identity of the user behind the keyboard when the contested actions occurred. Since the items were present in the internet history (we will go into much greater detail in Chapter 9, Internet Artifacts), I wanted to check the context of when the searches were made...