Extend Chain Analyzer to Correlate Across Multiple Timelines with Defined Data Types

[jkppr]

Currently, the chain analyzer operates on a single timeline at a time. This can be limiting when evidence is organized into separate timelines based on data types (e.g., for better visualization).

This feature request proposes extending the chain analyzer's functionality to allow correlation with specific data types across multiple timelines. This would enhance the analyzer's ability to identify complex relationships in investigations where data is naturally spread across different timelines. For example: Correlation of files downloaded based on a Browser History timeline and a Disk Timeline.

Describe the solution you'd like

• Modify the chain analyzer to query events from specified data types across all relevant timelines within the sketch.

Describe alternatives you've considered

• A potential workaround is modifying the chain analyzer plugin to query across all timelines by setting timeline_id to None. However, a more integrated solution would be preferable for usability and maintainability.

Additional context

• Potential for Duplicates: Address the risk of duplicate chain events when correlating across timelines with overlapping data types.
• Performance Impact: Evaluate and optimize the performance impact of querying multiple timelines.
• Data Type Handling: Ensure robust handling of scenarios where data types are missing or inconsistently defined.