# Artifact, Manual Review, and Timeline Guide
AI analysis is the fast starting point. Artifact viewer, manual review, and timeline analysis are the verification tools that help you inspect source context and reconstruct what happened.
## Role of Each Surface
| Feature | Role | What to Check |
|---|---|---|
| Artifact Viewer | Browse parsed evidence by type | Original path, time, user, hash, metadata |
| Manual Review | Search and filter evidence directly | Specific time window, file, artifact type |
| Timeline Analysis | Connect events chronologically | Execution, access, connection, deletion, upload order |
| AI Analysis | Search evidence and generate natural-language answers | Summary, correlation, next investigation direction |
## Recommended Workflow
- Ask a broad AI question to find suspicious areas.
- Open cited evidence in the artifact viewer.
- Search nearby user, file, and time context in manual review.
- Reconstruct before-and-after activity in the timeline.
- Include only verified evidence in reports and label inference separately.
## Timeline Review Points
- Activity concentrated outside normal hours
- File access or archive creation after USB connection
- Privilege changes or remote login after account creation
- Autorun registration or outbound network activity after suspicious execution
- Deletion events followed by log gaps or cleanup traces
## Manual Review Filter Examples
| Investigation Goal | Filter Ideas |
|---|---|
| USB exfiltration | USB, Shellbags, RecentDocs, LNK, file access times |
| Malware execution | Prefetch, AmCache, Shimcache, EventLog, autoruns |
| Account compromise | Logon events, account changes, remote access, privilege changes |
| Cloud leakage | Browser history, downloads, cache, sync logs, archives |
| AI usage traces | Browser AI services, coding tools, project changes, downloaded files |
## Practical Tips
- Use the timeline for ordering; ordering on its own is not a final judgment.
- Use manual review when AI analysis has found a lead but you need the exact field values.
- Lower confidence when an artifact's path, user, or time context does not match the surrounding evidence.
- Confidence improves when multiple independent artifact types point to the same time and action.
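A small correlator over a constructed timeline, added here as an example and not taken from the product's own code: it flags after-hours activity and "archive creation after USB connection" sequences from the review points above, and counts how many independent artifact types corroborate one action, which is the confidence tip in practice. The event fields, the sample records and the time windows are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample timeline, not real evidence: (timestamp, artifact type, user, action, detail)
EVENTS = [
    ("2024-03-02T02:13:00", "EventLog",   "jdoe",   "usb_connected",   "removable disk E:"),
    ("2024-03-02T02:15:30", "Shellbags",  "jdoe",   "folder_access",   "E:\\Finance"),
    ("2024-03-02T02:16:10", "RecentDocs", "jdoe",   "file_access",     "E:\\Finance\\q4.xlsx"),
    ("2024-03-02T02:16:12", "LNK",        "jdoe",   "file_access",     "E:\\Finance\\q4.xlsx"),
    ("2024-03-02T02:18:45", "EventLog",   "jdoe",   "archive_created", "C:\\Users\\jdoe\\q4.zip"),
    ("2024-03-02T09:05:00", "Prefetch",   "asmith", "execution",       "EXCEL.EXE"),
]

def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically; ordering is the timeline's job."""
    return sorted(((datetime.fromisoformat(ts), kind, user, action, detail)
                   for ts, kind, user, action, detail in events), key=lambda e: e[0])

def outside_hours(events, start_hour=8, end_hour=18):
    """Events outside the assumed working window; a review pointer, not a verdict on its own."""
    return [e for e in parse(events) if not start_hour <= e[0].hour < end_hour]

def sequences(events, first_action, second_action, window_minutes):
    """Pairs where `second_action` by the same user follows `first_action` within the window,
    e.g. archive creation shortly after a USB connection."""
    evs = parse(events)
    window = timedelta(minutes=window_minutes)
    return [(a, b) for a in evs if a[3] == first_action
            for b in evs if b[3] == second_action and b[2] == a[2] and a[0] < b[0] <= a[0] + window]

def corroboration(events, window_seconds=5):
    """Distinct artifact types recording the same user/action/detail within a few seconds of
    each other. More independent types agreeing on one time and action means higher confidence."""
    evs = parse(events)
    support = {}
    for e in evs:
        key = (e[2], e[3], e[4])
        kinds = {o[1] for o in evs if (o[2], o[3], o[4]) == key
                 and abs((o[0] - e[0]).total_seconds()) <= window_seconds}
        if len(kinds) > len(support.get(key, set())):
            support[key] = kinds
    return support

if __name__ == "__main__":
    for e in outside_hours(EVENTS):
        print("after hours:", e)
    for a, b in sequences(EVENTS, "usb_connected", "archive_created", 30):
        print("archive after USB:", a[0], "->", b[0], b[4])
    for key, kinds in corroboration(EVENTS).items():
        print(f"{key}: {len(kinds)} artifact type(s) -> {sorted(kinds)}")
```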
## Next Steps
Move from this guide into a sample workflow or the relevant upload surface. Upload real evidence only when you have lawful authority.