Timeline Analysis
Timeline analysis correlates timestamped events from many sources into a single ordered sequence so that attacker activity (initial access, execution, persistence, lateral movement, cleanup) can be reconstructed. Tools like Plaso build "super timelines" that merge file system, registry, event log and browser artifacts into one store. Two caveats apply to every timeline: normalize all sources to one time zone (UTC) before correlating, and treat timestamps as evidence that can be forged. NTFS $STANDARD_INFORMATION times are trivially changed by timestomping tools, so cross-check them against the $FILE_NAME times, the $UsnJrnl change journal and Prefetch or event log entries before trusting the order of events.
Creating Super Timelines with Plaso
```bash
# Plaso (log2timeline) - Create super timeline
# Step 1: Extract events from the disk image into a Plaso storage file
#   (E01 and raw images are both supported; this step is slow and the storage file is large)
log2timeline.py --storage-file timeline.plaso disk_image.E01

# Step 2: Export the whole store to log2timeline CSV (l2tcsv) for analysis
psort.py -o l2tcsv -w timeline.csv timeline.plaso

# Filter by date range using Plaso's event filter syntax (dates are UTC)
psort.py -o l2tcsv -w filtered.csv timeline.plaso \
  "date > '2024-01-01 00:00:00' AND date < '2024-01-15 00:00:00'"

# Export to JSON lines for Timesketch (Timesketch can also ingest the .plaso file directly;
# psort's 'timesketch' output module uploads to a running Timesketch server instead of writing a file)
psort.py -o json_line -w timeline.jsonl timeline.plaso

# Using mactime (Sleuth Kit) for a file system only timeline
# fls: -r recurse, -m prefix names with the mount point, -o partition offset in sectors (find it with mmls)
fls -r -m "/" -o 2048 disk.raw > bodyfile.txt
# mactime: -b bodyfile, -d comma-delimited output, -z time zone; an optional date range limits the output
mactime -b bodyfile.txt -d -z UTC 2024-01-01..2024-01-15 > timeline.csv

# Timeline Explorer (Eric Zimmerman) - Windows GUI for loading l2tcsv or other CSV timelines
# and filtering, grouping and colour-coding rows
# TLN format for timeline correlation: one pipe-delimited line per event,
#   Time|Source|Host|User|Description   (Time is epoch seconds, Source e.g. FILE, EVT, REG)
```

Key Timeline Artifacts
| Source | Artifacts |
|---|---|
| File System | $MFT timestamps, $UsnJrnl, file metadata |
| Windows Registry | UserAssist, RecentDocs, ShellBags, BAM/DAM |
| Event Logs | Security, System, PowerShell, Sysmon |
| Browser | History, downloads, cache, cookies |
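The mactime and TLN steps above work on a Sleuth Kit bodyfile. The following Python is an added example, not code from this page or from Plaso or The Sleuth Kit, that does the same work in code: it expands a constructed bodyfile into one MACB event per timestamp the way mactime does, sorts and filters by date (as psort's date filter does), pivots around a suspicious event, and renders the result as TLN lines. The bodyfile records, the host name `WORKSTATION01` and the `FILE` source label are all constructed for the example.

```python
"""Bodyfile -> MACB timeline -> date filter / pivot -> TLN lines (added example)."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample bodyfile in TSK 3.x format (not from a real image):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (times are epoch seconds)
SAMPLE_BODYFILE = """\
0|/Windows/System32/svchost.exe|12345|r/rrwxrwxrwx|0|0|55000|1704067200|1609459200|1609459200|1609459200
0|/Users/alice/Downloads/invoice.zip|67890|r/rrwxrwxrwx|0|0|8192|1704880000|1704879000|1704879000|1704879000
0|/Windows/Temp/update.exe|67891|r/rrwxrwxrwx|0|0|40960|1704880300|1704880200|1704880200|1704880200
0|/Windows/Prefetch/UPDATE.EXE-1A2B3C4D.pf|67892|r/rrwxrwxrwx|0|0|4096|1704880320|1704880310|1704880310|1704880310
0|/Users/alice/Documents/old.docx|11111|r/rrwxrwxrwx|0|0|20480|1706000000|1705000000|1705500000|1700000000
"""

# mactime prints flags in the order m a c b; map each flag to its bodyfile column
MACB_FIELDS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))


def parse_bodyfile(text: str) -> list[dict]:
    """Expand each record into one event per distinct timestamp, like mactime does.

    Events that share a file and a timestamp are merged into one row carrying a
    4-character MACB string ('macb', 'm.cb', '.a..', ...). Zero timestamps are skipped.
    """
    events: dict[tuple[int, str], dict] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cols = raw.split("|")
        if len(cols) != 11:
            raise ValueError(f"malformed bodyfile line: {raw!r}")
        name, inode, mode, size = cols[1], cols[2], cols[3], int(cols[6])
        for flag, idx in MACB_FIELDS:
            ts = int(cols[idx])
            if ts == 0:
                continue
            ev = events.setdefault((ts, name), {
                "ts": ts, "file": name, "inode": inode, "mode": mode,
                "size": size, "flags": set()})
            ev["flags"].add(flag)
    out = []
    for ev in sorted(events.values(), key=lambda e: (e["ts"], e["file"])):
        ev["macb"] = "".join(f if f in ev["flags"] else "." for f, _ in MACB_FIELDS)
        out.append(ev)
    return out


def filter_range(events: list[dict], start: str, end: str) -> list[dict]:
    """Keep events with start <= ts < end; bounds are 'YYYY-MM-DD' interpreted as UTC."""
    lo = int(datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())
    hi = int(datetime.strptime(end, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())
    return [e for e in events if lo <= e["ts"] < hi]


def around(events: list[dict], pivot_ts: int, window: int) -> list[dict]:
    """Pivot: everything within +/- window seconds of a known-bad event (e.g. a dropper's creation)."""
    return [e for e in events if abs(e["ts"] - pivot_ts) <= window]


def to_tln(events: list[dict], host: str = "WORKSTATION01", source: str = "FILE") -> list[str]:
    """Render events as TLN rows: Time|Source|Host|User|Description (Time = epoch seconds).

    Bodyfiles carry no user name, so the User field is left empty. Host name is assumed.
    """
    return [f"{e['ts']}|{source}|{host}||{e['macb']} {e['file']}" for e in events]


def to_readable(events: list[dict]) -> list[str]:
    """Human-readable rows in mactime's column order: date, size, MACB, mode, inode, name."""
    rows = []
    for e in events:
        when = datetime.fromtimestamp(e["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when} {e['size']:>8} {e['macb']} {e['mode']} {e['inode']} {e['file']}")
    return rows


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODYFILE)
    print("\n".join(to_readable(filter_range(timeline, "2024-01-01", "2024-01-15"))))
    print("--- pivot around update.exe creation, +/- 2 minutes ---")
    print("\n".join(to_tln(around(timeline, 1704880200, 120))))
```

In the constructed data the pivot shows the pattern an analyst looks for: `update.exe` is created in `Windows\Temp` seconds after a downloaded archive is accessed, and a Prefetch file for it appears ten seconds later, which means the binary executed. On a real bodyfile the same pivot is what you run after a single indicator (a hash hit, an alert time) gives you a starting timestamp.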