
Overview


Google TimeSketch

Lead UX Researcher and Designer

2 months · 2025

AI investigation workflows for forensic analysts


AI Design / UX Research / Enterprise SaaS / Usability Testing

What is TimeSketch?

TimeSketch is Google's open-source platform for digital forensic investigations. Analysts use the platform to investigate security incidents, but the process is time-intensive. They spend hours manually combing through thousands of raw log events before forming a single conclusion.

The Opportunity

Google introduced an AI layer to change that: pre-processing the data and generating a draft investigation report so analysts validate findings rather than build from scratch. Before shipping, they needed to know whether analysts would trust it enough to use it in practice.

My role

I led the research and design for this engagement at DEPT, working with 10 forensic analysts over 2 months to validate the feature and surface the design changes needed to earn that trust.

Impact

80% confirmed product-market fit. The updated design shipped into Google Sec-Gemini.

Research

Running the research

I scoped the research engagement with the Google team, designing a moderated usability study and defining three questions that would determine whether the feature was ready to ship:

  1. How do analysts perceive the AI feature?

  2. How would analysts use the AI feature?

  3. Does the design solve the problem and make their workflow more efficient?

Building the prototype

Before testing, I built a prototype using Google's existing design to help us understand how analysts would interact with four core AI-driven capabilities in a realistic scenario: investigating a suspected cryptocurrency miner attack on a virtual machine.

Investigation Report Page

AI-generated summary

An AI-generated summary at the top of each report instantly gives analysts a clear overview of the incident.

AI-suggested investigative questions

A list of AI-generated questions gives analysts a starting point instead of a blank page. Each question can be reviewed, edited, or removed.


Question Results Page

AI-generated conclusions

Each investigative question has an AI-generated conclusion and a list of AI-generated key observables ready for analysts to review.

Review and add more facts

Analysts can open any key observable to review, add, or remove the supporting facts.


Testing

We ran 10 moderated usability sessions with forensic analysts from Google's security response team: five conducted by me and five by my teammate, independently. In each session, participants walked through the prototype and then completed a post-test survey.

I synthesized the findings using NotebookLM to surface key insights and quotes, and affinity mapping to organize observations across four clusters: how analysts perceive AI, what's working, what's creating friction, and open questions for the next iteration.

Findings

What analysts told us

AI is a helpful assistant

"It did a lot of initial investigation steps that take a lot of time. I want AI to come and help me every day."

Users view AI as a powerful investigative assistant that accelerates their workflow by automatically summarizing data, surfacing key artifacts, and proposing initial questions. This frees them to focus their expertise on strategic analysis rather than time-consuming manual work.

80%

agreeing or strongly agreeing: "The use of the AI feature is applicable in my day to day work."

70%

agreeing or strongly agreeing: "I am satisfied with the functionality of the AI feature."

User trust is built on validation and control

"I would never trust any AI-generated results without human oversight. I need to know who generated this. Is it AI or is it a human?"

Users have consistently expressed a critical need to confirm any AI-generated conclusions by easily tracing them back to the original sources of evidence. To feel confident in the report and own the narrative, they also expect to have final control, including the ability to edit or override any AI suggestions to ensure that the report meets their standards for professional integrity.

87.5%

expressed either neutrality or disagreement regarding their trust in the AI's output.

90%

of participants said that validating AI results is a necessary and core step in their workflow.

Opportunities

Four areas to improve

While analysts saw clear value in the AI-generated workflow, testing revealed four key trust gaps that prevented them from confidently relying on the AI's output.

Opportunity #1

Analysts need to distinguish between human-created content and AI-generated content.

The visual treatment of AI indicators was inconsistent across the experience. Users couldn't reliably tell which content was AI-generated and which was human-created, leading to hesitation and extra time spent reviewing the data.

Design iterations #1

Opportunity #2

Analysts need to know what information has been human-vetted.

A single checkmark was used to indicate whether a question was finalized. Users needed to know whether each piece of data was AI-generated, human-created, or human-reviewed at every level. In forensic work, that human-vetted status is what makes a finding credible.

Design iterations #2

Opportunity #3

Analysts couldn't tell the difference between a Conclusion, an Observable, and a Fact.

The prototype introduced overlapping terminology. Users struggled to understand how Conclusions, Observables, and Facts related to one another, and were unsure which action to take when asked to add evidence.

Design iterations #3

Opportunity #4

Investigations are iterative. Analysts rarely reach a clean finish line.

Forensic investigations are open-ended by nature. Users found the progress bar, manual save step, and "Complete Investigation" button at odds with how they actually work, creating hesitation about whether it was safe to continue or return later.


Iterations

From insight to design

Design iterations #1

Analysts need to distinguish between human-created content and AI-generated content.

A consistent AI marker

I adopted Gemini's color palette and AI icon across every piece of AI-generated content in the interface. The sparkle icon gives users a consistent, recognizable marker, so they can tell at a glance what came from AI.

Design iterations #2

Analysts need to know what information has been human-vetted.

Status chips system

I introduced status chips that communicate the question status: New, Pending Review, Verified, or Rejected. Once a human has reviewed or edited the question, the Gemini icon is replaced with the author icon.

Design iterations #3

Analysts couldn't tell the difference between a Conclusion, an Observable, and a Fact.

A clearer taxonomy

I worked closely with the team to review and brainstorm terminology that better matched how analysts think. We replaced "Summary" with "Answer," "Key Observable" with "Conclusion," and "Fact" with "Event." The result was a naming system that the product could build on as it grows.

Design iterations #4

Investigations are iterative. Analysts rarely reach a clean finish line.

Designing for an iterative workflow

I reframed the endpoint from "Complete Investigation" to "Mark for Review." Additionally, I added autosave, a collapsible panel, and bottom navigation, so analysts can step away and pick back up as the investigation continues.

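As an added illustration (not Timesketch code and not anything the project ships), the following Python models the trust rules the four iterations above describe: a sparkle badge for AI-drafted content that switches to the author once a human edits it, status chips with explicit transitions that only a human can change, and a Verified step that refuses unless every cited event actually exists in the evidence store, so a reviewer can always trace a conclusion back to raw events. The author id `gemini-draft`, the analyst names, event ids and log lines are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    """Review states matching the page's status chips."""
    NEW = "New"
    PENDING_REVIEW = "Pending Review"
    VERIFIED = "Verified"
    REJECTED = "Rejected"


# Allowed transitions. Verified and Rejected can be reopened because investigations are iterative.
TRANSITIONS = {
    Status.NEW: {Status.PENDING_REVIEW, Status.REJECTED},
    Status.PENDING_REVIEW: {Status.VERIFIED, Status.REJECTED},
    Status.VERIFIED: {Status.PENDING_REVIEW},
    Status.REJECTED: {Status.PENDING_REVIEW},
}

AI_AUTHOR = "gemini-draft"  # hypothetical author id assigned to AI-generated drafts


@dataclass
class Conclusion:
    """One AI-drafted answer to an investigative question, with the event ids it rests on."""
    question: str
    answer: str
    event_ids: list[str]
    author: str = AI_AUTHOR
    status: Status = Status.NEW
    audit: list[tuple[str, str, str, str]] = field(default_factory=list)

    def badge(self) -> str:
        # Sparkle marker while the content is AI-authored; the human author id once edited.
        return "sparkle" if self.author == AI_AUTHOR else self.author

    def edit(self, reviewer: str, new_answer: str) -> None:
        if reviewer == AI_AUTHOR:
            raise PermissionError("only a human reviewer may edit a conclusion")
        self.audit.append((reviewer, "edit", self.answer, new_answer))
        self.answer = new_answer
        self.author = reviewer
        if self.status is Status.VERIFIED:
            # Editing a verified conclusion invalidates the verification.
            self.audit.append((reviewer, "status", Status.VERIFIED.value, Status.PENDING_REVIEW.value))
            self.status = Status.PENDING_REVIEW

    def set_status(self, reviewer: str, new: Status, evidence: dict[str, str]) -> None:
        if reviewer == AI_AUTHOR:
            raise PermissionError("status changes require a human reviewer")
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.status.value} -> {new.value} is not an allowed transition")
        if new is Status.VERIFIED:
            missing = [e for e in self.event_ids if e not in evidence]
            if not self.event_ids or missing:
                raise ValueError(f"cannot verify: unsupported event ids {missing}")
        self.audit.append((reviewer, "status", self.status.value, new.value))
        self.status = new


def trace(c: Conclusion, evidence: dict[str, str]) -> list[tuple[str, str]]:
    """Resolve a conclusion back to the raw events it cites (the 'trace to source' need)."""
    return [(e, evidence[e]) for e in c.event_ids if e in evidence]


def demo() -> dict:
    # Constructed evidence store for the page's miner-on-a-VM scenario.
    evidence = {
        "evt-0001": "2025-03-01T02:14:07Z process start /tmp/.x/run (cpu 98%)",
        "evt-0002": "2025-03-01T02:14:09Z outbound tcp 203.0.113.5:3333",
    }
    c = Conclusion("Was a miner executed on the VM?",
                   "A binary ran from /tmp and reached an external host.",
                   ["evt-0001", "evt-0002"])
    out = {"badge_before": c.badge()}
    try:
        c.set_status(AI_AUTHOR, Status.VERIFIED, evidence)  # the AI may not self-verify
        out["ai_can_change_status"] = True
    except PermissionError:
        out["ai_can_change_status"] = False
    c.set_status("analyst-a", Status.PENDING_REVIEW, evidence)
    c.edit("analyst-a", "A binary ran from /tmp and contacted 203.0.113.5 on tcp/3333.")
    out["badge_after"] = c.badge()
    c.set_status("analyst-a", Status.VERIFIED, evidence)
    out["status"] = c.status.value
    out["trace"] = trace(c, evidence)
    out["audit_len"] = len(c.audit)
    # A draft citing an event that is not in the evidence store can never become Verified.
    orphan = Conclusion("Was persistence established?", "A cron entry was added.", ["evt-9999"])
    orphan.set_status("analyst-b", Status.PENDING_REVIEW, evidence)
    try:
        orphan.set_status("analyst-b", Status.VERIFIED, evidence)
        out["orphan_verified"] = True
    except ValueError:
        out["orphan_verified"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

The audit list is the piece analysts asked for in the sessions: every status change and edit records who did it and what changed, so the report can answer "is this AI or a human?" for each conclusion after the fact.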

Build

Building it with the engineering team

I worked closely with the engineering team to build and ship a set of new global components, including status chips, question cards, and the progress bar, delivered within a month.

Learnings

As AI takes on more, protecting human agency becomes the design challenge.

As AI becomes embedded in high-stakes workflows across security, healthcare, and finance, the challenge is no longer whether AI can assist people. It's how to keep people meaningfully in control. That means making AI outputs auditable, creating clear review points, and ensuring people can question, edit, or override recommendations when needed. The goal isn't to remove humans from the process. It's to help them make better decisions with greater confidence.


© Kristy Chan 2026. All Rights Reserved