Timeline Analysis
Correlation
Timeline analysis turns scattered artifacts into an incident narrative. Normalize timestamps, preserve source context, separate observed facts from analyst conclusions, and use the timeline to drive containment and remediation decisions.
Use UTC Everywhere
Convert analysis views to UTC and record each source's original timezone (and any known clock offset) next to the converted value, so the conversion can be checked later. Mixed timezone handling is one of the fastest ways to misstate attacker dwell time or containment effectiveness: a local-time EDR event placed beside a UTC identity export shifts the apparent sequence by the whole zone offset.
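As an added example (not code from the original page), the normalization step in Python: every source keeps its own timestamp convention, each record gets a UTC value plus the zone it was recorded in, and naive local times that fall on a DST boundary are flagged instead of being silently resolved. The source names, formats, zone and sample values below are constructed for illustration.

```python
"""Normalize mixed-source timestamps to UTC while preserving the original zone.
Added example with constructed inputs; the source formats and zones are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from zoneinfo import ZoneInfo

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME origin


@dataclass(frozen=True)
class NormalizedTime:
    utc: datetime        # tz-aware, always UTC
    source_tz: str       # zone the source recorded in, kept for the record
    dst_ambiguous: bool  # True when a naive local time occurred twice (DST end) or never (DST start)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC (MFT, registry, event logs)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def normalize(raw: str, fmt: str, source_tz: Optional[str] = None) -> NormalizedTime:
    """Convert one raw timestamp to UTC.

    fmt: 'iso'       offset-aware ISO 8601 (cloud/identity exports, '...Z' or '+02:00')
         'local'     naive 'YYYY-MM-DD HH:MM:SS' in the zone named by source_tz
         'epoch_s'   Unix seconds (syslog relays, NetFlow collectors)
         'epoch_ms'  Unix milliseconds (many SaaS audit APIs)
         'filetime'  Windows FILETIME as an integer
    """
    if fmt == "iso":
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            # A naive ISO string is a collection defect, not something to guess around.
            raise ValueError(f"ISO timestamp without zone: {raw!r}")
        return NormalizedTime(dt.astimezone(timezone.utc), dt.strftime("UTC%z"), False)
    if fmt == "local":
        if not source_tz:
            raise ValueError("local timestamps need the recorded source zone")
        zone = ZoneInfo(source_tz)
        naive = datetime.fromisoformat(raw)
        first = naive.replace(tzinfo=zone, fold=0)
        second = naive.replace(tzinfo=zone, fold=1)
        # Different offsets for fold=0 and fold=1 mean the wall-clock value sits on a DST edge.
        ambiguous = first.utcoffset() != second.utcoffset()
        return NormalizedTime(first.astimezone(timezone.utc), source_tz, ambiguous)
    if fmt == "epoch_s":
        return NormalizedTime(datetime.fromtimestamp(int(raw), tz=timezone.utc), "UTC", False)
    if fmt == "epoch_ms":
        return NormalizedTime(datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc), "UTC", False)
    if fmt == "filetime":
        return NormalizedTime(filetime_to_utc(int(raw)), "UTC", False)
    raise ValueError(f"unknown format {fmt!r}")


# Constructed sample: one incident seen through four sources with four conventions.
SAMPLE = [
    ("identity-export", "2026-05-26T14:20:12Z", "iso", None),
    ("edr-agent", "2026-05-26 10:24:09", "local", "America/New_York"),  # EDT, UTC-4
    ("firewall-flow", "1779805904", "epoch_s", None),
    ("mft", "134242790490000000", "filetime", None),
]


def normalize_sample():
    """Return [(source, UTC ISO string, recorded zone, dst_ambiguous)] in UTC order."""
    rows = []
    for source, raw, fmt, tz in SAMPLE:
        n = normalize(raw, fmt, tz)
        rows.append((source, n.utc.strftime("%Y-%m-%dT%H:%M:%SZ"), n.source_tz, n.dst_ambiguous))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for row in normalize_sample():
        print(*row, sep="  ")
```

The recorded zone travels with every row, so a reviewer can recompute the UTC value from the raw source; the DST flag is the check that a local-time source cannot give you on its own.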
Super Timeline Workflow
```bash
# Create a Plaso storage file from a disk image (Plaso stores every event in UTC)
log2timeline.py --storage-file host01.plaso host01.E01
# Export to CSV for spreadsheet or notebook analysis
psort.py -o l2tcsv -w host01-timeline.csv host01.plaso
# Narrow to a confirmed incident window (filter bounds are UTC)
psort.py -o l2tcsv -w host01-window.csv host01.plaso "date > '2026-05-26 00:00:00' AND date < '2026-05-27 00:00:00'"
# Timesketch imports the .plaso storage file directly; for other tooling, export one JSON object per line
psort.py -o json_line -w host01-events.jsonl host01.plaso
# Sleuth Kit fallback for file-system timelines; -z pins mactime's output zone to UTC
fls -r -m "/" -o <PARTITION_OFFSET> host01.raw > bodyfile.txt
mactime -b bodyfile.txt -d -z UTC > host01-mactime.csv
```
Timeline Sources
| Source | Useful Artifacts | Caveat |
|---|---|---|
| File System | MFT, USN Journal, file MACB timestamps. | $STANDARD_INFORMATION timestamps are easily altered (timestomping); compare against $FILE_NAME and USN Journal entries. |
| Windows Events | Security, System, PowerShell, Sysmon, Task Scheduler. | Retention and collection gaps are common. |
| Identity | Sign-ins, MFA, token revocation, risky user events. | Cloud export times may differ from event times. |
| Network | DNS, proxy, firewall, NetFlow, cloud flow logs. | NAT and shared egress can obscure host attribution. |
| Browser and SaaS | Downloads, OAuth consent, admin changes, sharing events. | User actions and automated sync can look similar. |
Event Confidence Model
Observed
Directly present in a raw log, image, packet capture, or audit export.
Corroborated
Supported by two or more independent sources.
Inferred
Analyst conclusion based on sequence and context; document assumptions.
Narrative Output
```csv
time_utc,event,source,confidence,notes
2026-05-26T14:20:12Z,first suspicious sign-in,identity-export,observed,test account from unusual ASN
2026-05-26T14:24:09Z,archive created on endpoint,edr-process-event,corroborated,process tree and file timestamp align
2026-05-26T14:31:44Z,large outbound transfer,firewall-flow,corroborated,proxy and NetFlow agree on volume
2026-05-26T14:42:00Z,account sessions revoked,incident-notes,observed,approved by incident commander
2026-05-26T15:10:00Z,no recurrence observed,siem-query,inferred,monitoring window continues
```
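Applying the confidence model mechanically, as an added example that is not part of the original page: each observation carries the claim it supports, the concrete source, and an independence family (two records from the same EDR agent are one source, not two). Records for the same claim within a short window are merged into one narrative row, rated corroborated only when at least two families agree, and analyst conclusions are always emitted as inferred. The observations, family names and the 120-second window are constructed.

```python
"""Merge observations from independent sources into narrative rows with the
page's confidence levels. Added example; observations and families are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

FIELDS = ["time_utc", "event", "source", "confidence", "notes"]


@dataclass(frozen=True)
class Observation:
    time_utc: str   # ISO 8601, already normalized to UTC
    claim: str      # narrative event this record supports
    source: str     # concrete log, export or note it came from
    family: str     # independence class; a family counts once however many records it has
    note: str
    analyst: bool = False  # analyst conclusions never rise above 'inferred'


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def build_narrative(observations, window_s: int = 120):
    """Group same-claim records within window_s seconds of the earliest one and rate each group."""
    records = sorted(observations, key=lambda o: _ts(o.time_utc))
    used, rows = set(), []
    for i, anchor in enumerate(records):
        if i in used:
            continue
        used.add(i)
        if anchor.analyst:
            rows.append({"time_utc": anchor.time_utc, "event": anchor.claim,
                         "source": anchor.source, "confidence": "inferred",
                         "notes": anchor.note})
            continue
        group = [anchor]
        for j in range(i + 1, len(records)):
            other = records[j]
            if j in used or other.analyst or other.claim != anchor.claim:
                continue
            if (_ts(other.time_utc) - _ts(anchor.time_utc)).total_seconds() <= window_s:
                group.append(other)
                used.add(j)
        families = {o.family for o in group}
        rows.append({
            "time_utc": anchor.time_utc,  # earliest record anchors the row
            "event": anchor.claim,
            "source": "+".join(sorted(o.source for o in group)),
            "confidence": "corroborated" if len(families) >= 2 else "observed",
            "notes": "; ".join(o.note for o in group),
        })
    return rows


def to_csv(rows) -> str:
    """Render rows in the narrative schema; csv handles quoting of commas in notes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed observations for one host; the two EDR records share a family on purpose.
OBSERVATIONS = [
    Observation("2026-05-26T14:20:12Z", "first suspicious sign-in", "identity-export", "identity",
                "test account from unusual ASN"),
    Observation("2026-05-26T14:24:09Z", "archive created on endpoint", "edr-process-event", "edr",
                "7z.exe spawned under powershell.exe"),
    Observation("2026-05-26T14:24:09Z", "archive created on endpoint", "edr-file-event", "edr",
                "archive written to staging directory"),
    Observation("2026-05-26T14:24:10Z", "archive created on endpoint", "mft-timeline", "filesystem",
                "$FILE_NAME creation time matches"),
    Observation("2026-05-26T14:31:44Z", "large outbound transfer", "firewall-flow", "firewall",
                "bytes_out far above host baseline"),
    Observation("2026-05-26T14:31:50Z", "large outbound transfer", "proxy-log", "proxy",
                "proxy volume agrees with flow"),
    Observation("2026-05-26T14:42:00Z", "account sessions revoked", "incident-notes", "responder",
                "approved by incident commander"),
    Observation("2026-05-26T15:10:00Z", "no recurrence observed", "siem-query", "siem",
                "monitoring window continues", analyst=True),
]

if __name__ == "__main__":
    print(to_csv(build_narrative(OBSERVATIONS)), end="")
```

Dropping the MFT record from the sample leaves the archive event with two EDR records from one family, and the rating falls back to observed; that is the behaviour the family field exists to enforce.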