Link Analysis & Timeline Analysis in Digital Forensics Investigation

MailXaminer | May 4th, 2020 | Forensics

In this article, we discuss link analysis and timeline analysis in digital forensics. These are two important features that help criminal investigations find the existing relationships and communication between users within a period of time.

What Is Link Analysis and What Are Its Features?

Link analysis is a data analysis technique used to examine the connections between objects of any type, such as nodes, people, transactions, and organizations. The links between the objects may be physical, digital, or relational. It helps investigators visualize the data so they can better analyze the context of links between people or other entities.

Link analysis is often used in search engine optimization, security analysis, and market and medical research. In criminal investigations, investigators use link analysis software to perform the analysis for digital forensic purposes.

Link Analysis in Digital Forensics

In digital forensics, link analysis means determining the relations or connections between network nodes or users. It is mainly used in investigations to track criminal activities. Link analysis helps examiners create a visual representation of the communication between the people involved in a crime. The complexity of the link analysis depends on the number of links existing in the communication. Link analysis in criminal investigation helps the examiner reach conclusions quickly.

In the context of crime analysis, link analysis helps to analyze huge sets of email data. With the help of link analysis, investigators try to find the relationships between the different senders and receivers in a particular scenario.

Link analysis and timeline analysis in digital forensics are performed by examiners to find the relationships between nodes, people, transactions, and organizations within a time period. Try the Digital Forensic Software offered by MailXaminer, which provides both these features on the same platform. With this automated solution, a forensic investigator or examiner can investigate email fraud along with other email-related crimes. To use this feature, follow the section given below.

Using Link Analysis Feature with MailXaminer

In this section, we will see how to find the relationships between users through link analysis with the help of MailXaminer, advanced software with specialized features.

Step 1: Search Option
Click on the “Search” option in MailXaminer and enter a specific keyword to find all the emails related to that keyword.

Step 2: Open Link Analysis
From the top right pane, click on the “Analytics” option and select the “Link Analysis” option to perform link analysis in a criminal investigation.


Step 3: Select Email Address
Tick the boxes of the required email addresses obtained from the keyword search and then click on the “Generate” button to find the existing relationships between the selected email addresses.

MailXaminer also provides the option of “Date Filter” so that an examiner can find the emails of a particular date range.

Step 4: View Relationship between Users
The forensics tool displays the relationship between the selected mail addresses through a graphical representation. It also shows the Mails, Calls, Chats, and SMS details through which they are related. In a particular graphical representation of links, users can click on the Mails, Calls, Chats, and SMS icons to find the corresponding details.

Step 5: View Related Emails
This link analysis software feature also provides the option to view the related email conversation between the selected email users.

Step 6: Exporting Related Emails
Click the “Export” option to export the selected email data into various file formats. This will allow the examiner to save the link analysis result. The tool also provides the option to select a specific email and to export it.

Step 7: Export Options
In the Export option, MailXaminer provides an option to export data into various file formats like PDF, PST, MSG, HTML, etc.


Step 8: Export Settings
From the Export settings, users can set additional settings by clicking on the “Change” option. The additional settings allow the user to modify the export according to their requirements. General settings give options to Maintain Folder Hierarchy, Exclude Duplicates, Export as Source, etc. Other tabs are also available to change the export file settings, such as PDF (or other selected formats) Settings, Naming Conventions, and CSV Header.

Use of Timeline Analysis in Digital Investigation

The word timeline indicates displaying a list of events in a particular order. Timeline analysis is used for various purposes in an investigation, which mainly involve collecting information within a particular time frame. It is a great technique for determining the activity that occurred on a system at a certain time. It helps to make inferences quickly and easily.

Normal timeline analysis for computer forensic investigation can be performed in different types of contexts, such as a text timeline, number timeline, or graphical timeline. Each timeline model provides a different view of the data. Through timeline analysis, an analyst can easily find out when a particular event or transaction happened. It also helps to figure out which other events took place during the same time interval and how they are connected to one another.

Timeline Analysis in Digital Forensics Investigation

Timeline analysis in computer forensics is mainly used in investigations to answer questions related to date and time. This process proves to be very helpful when there is a lot of information related to a particular event. Representing the timeline analysis in graphical form is very useful in digital forensics for determining when an event or transaction occurred.

Timeline analysis in digital forensics gives clear information through the specific year, month, and date views. The main purpose of using timeline analysis for investigation is to obtain the graphical view of the transaction. Hence, it makes it easy for the examiners to evaluate and make decisions based on timeline analysis.
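The two techniques described above, link analysis over email data and timeline views by year, month, and date, can be illustrated with a short script. This is an added example, not MailXaminer's code: the sample messages are constructed, and the function names parse, link_edges, and timeline are hypothetical.

```python
from collections import Counter
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample messages (headers only) on reserved example domains.
RAW = [
    "From: alice@example.com\nTo: bob@example.com, carol@example.org\n"
    "Date: Mon, 02 Mar 2020 09:15:00 +0000\nSubject: invoice\n\n",
    "From: Bob <bob@example.com>\nTo: ALICE@example.com\n"
    "Date: Mon, 02 Mar 2020 10:05:00 +0000\nSubject: Re: invoice\n\n",
    # Local date is 31 March, but the UTC instant falls on 1 April.
    "From: alice@example.com\nTo: bob@example.com\n"
    "Date: Tue, 31 Mar 2020 23:30:00 -0500\nSubject: transfer\n\n",
    "From: carol@example.org\nTo: alice@example.com\nCc: bob@example.com\n"
    "Date: Wed, 15 Jan 2020 14:00:00 +0100\nSubject: intro\n\n",
]

def parse(raw):
    """Return (sender, recipients, UTC datetime) from one message's headers."""
    msg = message_from_string(raw)
    sender = getaddresses([msg.get("From", "")])[0][1].lower()
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [addr.lower() for _, addr in getaddresses(fields) if addr]
    # Normalise to UTC so mailboxes in different zones share one time axis.
    when = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    return sender, rcpts, when

def link_edges(raws, start=None, end=None):
    """Link analysis: message count per (sender, recipient), with a date filter."""
    edges = Counter()
    for raw in raws:
        sender, rcpts, when = parse(raw)
        if (start and when < start) or (end and when > end):
            continue
        edges.update((sender, rcpt) for rcpt in rcpts)
    return edges

def timeline(raws, level="month"):
    """Timeline analysis: message count per year, month or day (UTC)."""
    fmt = {"year": "%Y", "month": "%Y-%m", "day": "%Y-%m-%d"}[level]
    return Counter(parse(raw)[2].strftime(fmt) for raw in raws)

if __name__ == "__main__":
    for (src, dst), n in sorted(link_edges(RAW).items()):
        print(f"{src} -> {dst}: {n}")
    for level in ("year", "month", "day"):
        print(level, dict(sorted(timeline(RAW, level).items())))
```

The third sample message shows why the time zone matters for both the date filter and the timeline buckets: its Date header reads 31 March locally, but it is counted under April once normalised to UTC.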

Timeline Analysis Feature In MailXaminer

Using the timeline analysis feature of the software, a forensic investigator or examiner can view the details of email conversations between Sender and Receiver according to a specific Year, Month, and Date.

Step 1: Open Timeline Analysis
To perform timeline analysis for an investigation, open the “Analytics” option in the top right corner of the MailXaminer dashboard and choose “Timeline Analysis”.

Step 2: Examine Email Details Year Wise
This timeline analysis tool provides you the option for viewing emails according to the specific year. It also provides information regarding the type of data that has been extracted, for example, Mails, Deleted Mails, Attachments, Chats, Calls, SMS, etc.

Step 3: Preview Email Data Month wise
It also provides a graphical representation of the information of communication that took place during a particular month of a particular year.

Step 4: Inspect Emails According to Date
This timeline analysis tool not only gives you a view of monthly and yearly communication; it also provides the communication details for a specific date, that is, the communication on a particular day of a specific month.

Step 5: Customizing Items
Click on the “Setting Gear” icon to customize the data items according to your choice.

Step 6: Select Colour
To change the custom color of the different sections such as Emails, Attachments, Chats, SMS, etc., click on “Item Colour Setting”. It helps to differentiate between Mail, Chat, Call, etc. in the graph and speeds up timeline analysis in forensics.

Step 7: View Related Emails
After the timeline analysis process, the forensic tool allows the user to view the email data based on time. Right-click on the timeline bar whose email data you want to view and click on the option “View Selected Items”. You will get the list of emails exchanged in that particular time period.

Now, preview the resultant email data with its meta-data. The tool will display the meta-data such as Subject, From, To, Sent, Received, MD5, Size, etc. as a summary of the email data without opening the complete email message.

Step 8: Export Timeline Analysis Result
As with the link analysis feature, the timeline analysis process also provides the option to export data into various file formats like PDF, PST, MSG, HTML, etc. This helps to save and refer to the collected information in the various stages of analysis.

Step 9: Printing Result
Through the printing option provided by the analysis tool, an examiner can easily generate a hard copy of the timeline analysis artifacts to submit in court. Mostly these reports are generated in PDF file format.


Link analysis in digital forensics is the process of finding a connection or relationship between network nodes or users. Timeline analysis in digital forensics is performed to obtain the processed information for a particular period. MailXaminer is a digital forensic tool that provides both features on a single platform, helping investigators visualize and obtain the information promptly. It also helps to create an effective report using the obtained information.