First of all, thanks for the job!
Sorry by my english
My issue is not a technichal problem, but it's maybe an "user manual" question:
I execute successfully under my debian bookworm the command
hindsight.py
and extract the .xlsx successfully...
Sorry, but could you explain a little the meaning of this timestamps?
First of all in "timeline" sheet
login (saved credentials) 2021-12-15 18:52:29.020 ---> when the user save his credentials, while he is logging?
login (username) 2021-12-15 19:00:46.286 --->
autofill 2024-04-29 15:52:02.000 ---> When the user access with saved credentials filled without having to typing it?
And then, this one in "Preferences(Default)" sheet:
I suppose is about syncronizing settings
Sync Settings
last_poll_time
2024-04-29 16:07:40.734
---> Is the moment the system check if the sync is active?
last_synced_time
2024-04-29 16:35:04.251
---> Is it the moment user activate the syncronization?
cache_guid
dgO5XWd168LsBL6CqjBEkg==
gaia_id
107828233399540891040
has_setup_completed
1
I have a forensic problem at job(in a public highschool in Spain). An access with "unauthorized" saved credentials has been seen in a device. The accused person denies she has been there, in that device. She never tried to access on that device. But the owner of the device say yes.
I think the credentials were saved in that account some months ago; because the account belonged to the accused person... and the credentials appeared when the syncronization was actived.
How can i discern if the access were saved some months ago and there was a recent synchronization active or if the access was typed by somebody ?
Could only hindsight help me in this question?
Thanks for the attention
Congratulations for the job!
First of all, thanks for the job! Sorry by my english My issue is not a technichal problem, but it's maybe an "user manual" question:
I execute successfully under my debian bookworm the command hindsight.py
and extract the .xlsx successfully...
Sorry, but could you explain a little the meaning of this timestamps? First of all in "timeline" sheet
login (saved credentials) 2021-12-15 18:52:29.020 ---> when the user save his credentials, while he is logging? login (username) 2021-12-15 19:00:46.286 ---> autofill 2024-04-29 15:52:02.000 ---> When the user access with saved credentials filled without having to typing it?
And then, this one in "Preferences(Default)" sheet: I suppose is about syncronizing settings
I have a forensic problem at job(in a public highschool in Spain). An access with "unauthorized" saved credentials has been seen in a device. The accused person denies she has been there, in that device. She never tried to access on that device. But the owner of the device say yes. I think the credentials were saved in that account some months ago; because the account belonged to the accused person... and the credentials appeared when the syncronization was actived.
How can i discern if the access were saved some months ago and there was a recent synchronization active or if the access was typed by somebody ?
Could only hindsight help me in this question?
Thanks for the attention Congratulations for the job!