Timestamps and synchronization: a devil problem. Can hindsight help? #177

@adminies-MD

First of all, thanks for the job!
Sorry for my English.
My issue is not a technical problem, but it's maybe a "user manual" question:

I successfully execute, under my Debian bookworm, the command
hindsight.py

and extract the .xlsx successfully...

Sorry, but could you explain a little the meaning of these timestamps?
First of all, in the "timeline" sheet:

login (saved credentials) 2021-12-15 18:52:29.020 ---> when the user saves his credentials, while he is logging in?
login (username) 2021-12-15 19:00:46.286 --->
autofill 2024-04-29 15:52:02.000 ---> When the user accesses with saved credentials filled in, without having to type them?

And then, this one in the "Preferences(Default)" sheet:
I suppose it is about synchronizing settings

Sync Settings      
  last_poll_time 2024-04-29 16:07:40.734   ---> Is it the moment the system checks if the sync is active?
  last_synced_time 2024-04-29 16:35:04.251  ---> Is it the moment the user activates the synchronization?
  cache_guid dgO5XWd168LsBL6CqjBEkg==  
  gaia_id 107828233399540891040  
  has_setup_completed 1  

I have a forensic problem at my job (in a public high school in Spain). An access with "unauthorized" saved credentials has been seen on a device. The accused person denies she has been there, on that device. She never tried to access on that device. But the owner of the device says yes.
I think the credentials were saved in that account some months ago, because the account belonged to the accused person... and the credentials appeared when the synchronization was activated.

How can I discern if the access was saved some months ago and there was a recent synchronization active, or if the access was typed by somebody?

Could only hindsight help me with this question?

Thanks for the attention
Congratulations on the job!
