Re: [sleuthkit-users] Default Timeline Scaling
From: Simson G. <si...@ac...> - 2014-09-17 09:50:20
I'm sorry, I misread the question.

In the past I've tried a split scale. Have a lower part of the scale that goes 1-1000, and a break, and then an upper part that goes 1000-1M. This gets you two linear regions. Allow the split to be dragged up and down to change where the split happens.

In my experience people have a hard time understanding logarithmic scales.

Another approach is to have a magnifying glass that you can use to evaluate the bottom of the graph.

However, if you can only go between linear and log, then I go for log as well.

On Sep 17, 2014, at 4:44 AM, Simson Garfinkel <si...@ac...> wrote:

> Have a switch to allow either.
>
> Sent from my iPad
>
>> On Sep 15, 2014, at 4:47 PM, Brian Carrier <ca...@sl...> wrote:
>>
>> As many of you may know, we've been working on a new timeline viewer for Autopsy as part of a DHS S&T contract. It's got some really cool features and I'm looking for some feedback on default settings. One view has bar graphs to show "how many things occurred in a given time frame". The primary use case was to answer questions about knowing when and how often the system was used. There is another view that provides details.
>>
>> My question is if linear or logarithmic scale is better as a default. In the bar chart, there are differently colored sections for file system activity, web activity, and "other" activity. There will be more bars as we add more features. Linear allows you to compare the size of each bar, but it means that many bars are not visible. Logarithmic is not as intuitive for people, but it allows you to see more of the bars. Below is an example. The Linear view doesn't show any of the blue bars. As a reference on the final bar in the log scale, the red bar has 53,000 events, the green has 3,500, and the blue has 54.
>>
>> My vote is to have log scale be the default so that you can see that there is web activity even though there is far less than file system times, but I wanted to get feedback before we did that. Votes?
>>
>> <tl_lin.png><tl_log.png>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
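
The three scales discussed in this thread, as an added example that is not part of the original messages and is not Autopsy code. It computes the pixel height of each quoted count (53,000, 3,500 and 54) under a linear, a logarithmic and a split scale, treating each count as its own bar; the 200 px axis, the split at 1,000 events, the half-and-half division of the axis and all function names are assumptions.

```python
import math

# Constructed rendering assumptions (not from the thread): a 200 px tall axis,
# a split at 1,000 events, and half of the axis given to each linear region.
AXIS_PX = 200

def linear_height(count, max_count, axis_px=AXIS_PX):
    """Bar height when pixels are proportional to the event count."""
    return axis_px * count / max_count

def log_height(count, max_count, axis_px=AXIS_PX):
    """Bar height on a log10 axis; log10(1 + n) keeps a 1-event bar above zero."""
    return axis_px * math.log10(1 + count) / math.log10(1 + max_count)

def split_height(count, max_count, split=1000, lower_frac=0.5, axis_px=AXIS_PX):
    """Two linear regions: 0..split fills lower_frac of the axis, split..max the rest.

    Dragging the break in the UI corresponds to changing split or lower_frac.
    """
    if max_count <= split:  # nothing reaches the upper region: plain linear
        return axis_px * count / max_count
    lower_px = axis_px * lower_frac
    if count <= split:
        return lower_px * count / split
    upper_px = axis_px - lower_px
    return lower_px + upper_px * (count - split) / (max_count - split)

def visible(height_px):
    """A bar shorter than one pixel is effectively not drawn."""
    return height_px >= 1.0

def compare(counts, axis_px=AXIS_PX):
    """Return {count: (linear, log, split)} heights in pixels, rounded to 0.1."""
    top = max(counts)
    return {
        c: (round(linear_height(c, top, axis_px), 1),
            round(log_height(c, top, axis_px), 1),
            round(split_height(c, top, axis_px=axis_px), 1))
        for c in counts
    }

if __name__ == "__main__":
    # Counts quoted in the thread for the final bar: red, green, blue.
    for count, heights in compare([53000, 3500, 54]).items():
        shown = [visible(h) for h in heights]
        print(f"{count:>6} events  linear/log/split px = {heights}  visible = {shown}")
```

On the linear axis the 54-event bar is about 0.2 px tall, which matches the missing blue bars described above; on the split scale it is still drawn and bars within the same region remain directly comparable.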