Create 06-correlation-and-triangulation.md

Author: ngvuthdanhh

operations/06-correlation-and-triangulation.md

@@ -0,0 +1,25 @@
+# 06 — Correlation & Triangulation
+
+## Cross-Artifact Correlation
+- Logs ↔ filesystem traces ↔ timelines ↔ user activity.
+
+## Event Linking Strategies
+- Map one event to multiple artifacts.
+- Validate using redundant sources.
+
+## Pivot Object Selection
+- File hash  
+- Process name  
+- USB identifier  
+- IP address  
+- Login session ID  
+
+## Timestamp Verification
+- Compare metadata vs logs.
+- Identify inconsistencies.
+
+## Activity Chain Construction
+1. Identify starting event  
+2. Map supporting artifacts  
+3. Validate sequence  
+4. Remove weak links