Re: [sleuthkit-users] Timeline Survey Question
From: Derrick K. <dk...@gm...> - 2015-08-19 14:56:50
I can see applications and different preferences for both! Is having both visualization options an option?

With the multiple cluster view I like being able to scan vertically and only see events which had hits in that time frame. That said, my preference would be to only colour the matching event in that time frame and leave the rest of the event type name white.

With the single cluster view I like that I don't have to hunt around to see multiple events. If I want to see just facebook.com events, they are all there in a single event. Even though I think this view will take up a lot more vertical space, I also like how the events are grouped, i.e. all NTFS $* are grouped horizontally, which I think makes ignoring specific events easier. Again, I'm not a fan of the colours and would like to see it be coloured (event hit) and white (non-hit), both for viewing purposes (colour-blind people) and printing purposes (disclosure).

As an aside, is either view significantly faster to render?

Derrick

On Mon, Aug 17, 2015 at 5:06 PM, Alex Nelson <ajn...@cs...> wrote:
> They’re interesting visualizations. The examples may be better with some examples of longer names (/deeper hierarchies/longer URLs) to get a better feel of cuts taken for horizontal clutter.
>
> —Alex
>
>> On Aug 17, 2015, at 18:38 , Brian Carrier <ca...@sl...> wrote:
>>
>> We’re reviewing some changes to the timeline module and wanted some feedback.
>>
>> Background: In the “details” view, we currently cluster together events if they happen close to each other. But, once there is a gap in events in a certain folder (or URL), then we break the cluster in the UI. This means that you could have clusters for the same folder (Program Files in the below example) that span multiple clusters. Notice in this image below, there are three “Program Files” clusters (two in the top row and one in the fifth row). The motivation for this was that it would be useful to know that there was a gap in between the clusters of events.
>>
>> <events_current.png>
>>
>> We are looking at an alternative, which is to have a single cluster for the entire view (regardless of whether there is a gap). This means that even if there are only events at the left of the screen and the right, then it would be a solid band. It would look something like this:
>>
>> <events_spans.png>
>>
>> The benefit of this would be that all of the events in the given description (folder name, for example) would be obvious, and we would waste less space rewriting the name so often. It comes at the potential downside, though, that it may take more vertical space because we could have lots of sparse bands.
>>
>> Opinions?
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
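The two clustering strategies Brian describes (break a description's cluster at a time gap, versus one span per description for the whole view) and the vertical-space trade-off both he and Derrick raise can be made concrete with a small simulation. The code below is an added example written for this page; it is not code from the thread, from Autopsy, or from The Sleuth Kit. It assumes a constructed set of events on a relative time axis, a hypothetical `max_gap` threshold of 60 seconds for the gap-splitting rule, and a simple greedy row packer as a stand-in for however the real UI lays bands out.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One timeline event: a timestamp and the description it is grouped under."""
    time: int          # seconds on a constructed, relative time axis
    description: str   # folder path, URL, or NTFS metadata file name


@dataclass
class Cluster:
    description: str
    start: int
    end: int
    count: int


def _events_by_description(events):
    """Group events by description, each group sorted by time."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e.description].append(e)
    for evs in grouped.values():
        evs.sort(key=lambda e: e.time)
    return grouped


def cluster_with_gaps(events, max_gap):
    """Current behaviour: within one description, open a new cluster whenever
    the next event is more than max_gap after the end of the running cluster,
    so the same folder can appear as several clusters in one view."""
    clusters = []
    for desc, evs in _events_by_description(events).items():
        cur = Cluster(desc, evs[0].time, evs[0].time, 1)
        for e in evs[1:]:
            if e.time - cur.end > max_gap:
                clusters.append(cur)
                cur = Cluster(desc, e.time, e.time, 1)
            else:
                cur.end = e.time
                cur.count += 1
        clusters.append(cur)
    return sorted(clusters, key=lambda c: (c.start, c.end, c.description))


def cluster_as_spans(events):
    """Proposed alternative: one cluster per description, covering first to
    last event regardless of gaps (a solid band across the view)."""
    clusters = [Cluster(desc, evs[0].time, evs[-1].time, len(evs))
                for desc, evs in _events_by_description(events).items()]
    return sorted(clusters, key=lambda c: (c.start, c.end, c.description))


def pack_rows(clusters):
    """Greedy row packing (an assumption about layout, not the real UI): a
    cluster goes into the first row whose last cluster ended before it starts,
    otherwise it opens a new row. Fewer rows means less vertical space."""
    rows, row_ends = [], []
    for c in clusters:                      # already sorted by start
        for i, end in enumerate(row_ends):
            if c.start > end:
                rows[i].append(c)
                row_ends[i] = c.end
                break
        else:
            rows.append([c])
            row_ends.append(c.end)
    return rows


def render(rows, t_max, width=40):
    """ASCII picture of the packed rows: '#' where a band covers the column."""
    lines = []
    for row in rows:
        cols = ['.'] * width
        for c in row:
            a = c.start * (width - 1) // t_max
            b = c.end * (width - 1) // t_max
            for x in range(a, b + 1):
                cols[x] = '#'
        labels = ', '.join(f'{c.description} x{c.count}' for c in row)
        lines.append(''.join(cols) + '  ' + labels)
    return '\n'.join(lines)


# Constructed sample: a burst of Program Files activity, a second burst much
# later, three isolated facebook.com hits, and $MFT updates early and late.
SAMPLE_EVENTS = (
    [Event(t, 'C:/Program Files') for t in (0, 10, 20, 500, 510)]
    + [Event(t, 'facebook.com') for t in (5, 300, 600)]
    + [Event(t, '$MFT') for t in (0, 1, 2, 610)]
)

if __name__ == '__main__':
    t_max = max(e.time for e in SAMPLE_EVENTS)
    print('gap-split clusters:')
    print(render(pack_rows(cluster_with_gaps(SAMPLE_EVENTS, 60)), t_max))
    print('single-span clusters:')
    print(render(pack_rows(cluster_as_spans(SAMPLE_EVENTS)), t_max))
```

On this sample the gap-splitting rule yields seven clusters that pack into two rows, with the two "C:/Program Files" clusters landing in different rows (the hunting-around Derrick mentions), while the span rule yields three clusters that overlap in time and so need three rows, one sparse band each (the vertical-space cost Brian anticipates).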