Timeline Analysis & Reporting

Plaso, Log2timeline & Forensic Documentation

Section 11 of 12

Timeline Analysis Overview

Definition: Chronological reconstruction of events from multiple data sources to understand the sequence of activities during an incident.

Why Build Timelines?

Event Correlation: Connect related events
Pattern Recognition: Identify attack sequences
Gap Analysis: Find missing evidence
Attribution: Link actions to actors
Documentation: Support legal cases
Communication: Visual incident summary

Timeline Data Sources

File System: MAC(B) times - Modified, Accessed, Changed, (Birth)
Event Logs: Windows/Linux system logs
Registry: Key modification times
Browser History: Web activity
Email: Send/receive timestamps
Network Logs: Connection records
Application Logs: Software-specific events

Super Timeline with Plaso/log2timeline

Plaso (log2timeline): Python-based tool for creating comprehensive timelines from various forensic artifacts.

Basic Plaso Workflow

# 1. Create timeline (this takes time!)

log2timeline.py timeline.plaso /path/to/evidence/

# 2. Filter & output to CSV

psort.py -o l2tcsv -w timeline.csv timeline.plaso

# 3. Filter by date range

psort.py -o l2tcsv -w filtered.csv timeline.plaso \

"date > '2025-12-01 00:00:00' AND date < '2025-12-03 23:59:59'"

# 4. Filter by source type

psort.py -o l2tcsv -w browser.csv timeline.plaso \

"parser contains 'chrome'"

# 5. Dynamic output (interactive)

psort.py -o dynamic timeline.plaso

Supported Parsers

• File system metadata (NTFS, ext4)
• Windows Event Logs (EVTX)
• Windows Registry
• Prefetch files
• Browser history (Chrome, Firefox, IE)
• Email (PST, MBOX)
• Antivirus logs

Performance Tips

• Use specific parsers with --parsers
• Process mounted images, not .dd files when possible
• Use --workers for multi-threading
• Filter early with --filter

Timeline Analysis with Autopsy

Autopsy Timeline Features

Autopsy provides integrated timeline visualization for case analysis.

Timeline View

File Activity: Created, modified, accessed
Event Clustering: Group related events
Filtering: By type, source, date
Tagging: Mark significant events
Export: CSV, body file format

Visualization Options

List View: Chronological event list
Counts View: Event frequency over time
Details View: File/event metadata
Cluster View: Group by hour/day

Autopsy Body File Export

# Body file format (used by mactime)

# Convert to timeline with mactime (Sleuth Kit)

mactime -b bodyfile.txt -d > timeline.csv

# Filter by date range

mactime -b bodyfile.txt -d 2025-12-01..2025-12-03 > filtered.csv

Understanding MAC(B) Times

File System Timestamps

MACB Timestamps

M - Modified: Content changed
A - Accessed: File opened/read
C - Changed: Metadata changed (permissions, ownership)
B - Birth (Created): File created (NTFS, ext4)

Important Notes

• Different filesystems support different timestamps
• Timestamps can be modified (timestomping)
• Copy operations affect timestamps
• Windows disables "last access" by default (since Vista)

NTFS $STANDARD_INFORMATION vs $FILE_NAME

$SI: Easily modified, shown by Windows
$FN: Harder to modify, stored in MFT
• Timestomping typically only modifies $SI
• Compare both to detect manipulation

View Timestamps

# Windows (PowerShell)

Get-Item file.txt | Select-Object *Time*

# Linux

stat file.txt

# Sleuth Kit

istat -f ntfs image.dd 128

Anti-Forensics

Attackers may use timestomping tools to modify file timestamps and hide their tracks. Always verify with multiple data sources.

Event Correlation

Connecting events from multiple sources to reconstruct attack narratives.

Correlation Techniques

Pivot Points

Timestamps: Events at same time
File Hashes: Same file across systems
IP Addresses: Network connections
User Accounts: Actions by same user
Process IDs: Related activities
File Paths: Common locations

Correlation Examples

• File creation → Registry modification → Network connection
• Login event → File access → Data exfiltration
• Email received → Attachment opened → Malware execution
• Web download → File execution → Persistence mechanism

Building the Narrative

1. Initial Compromise: How did attacker get in? (phishing, exploit, stolen creds)
2. Persistence: How did they maintain access? (registry, scheduled tasks)
3. Lateral Movement: How did they spread? (PsExec, WMI, RDP)
4. Collection: What data did they access? (file access logs)
5. Exfiltration: How did data leave? (network logs, cloud uploads)
6. Impact: What damage was done? (deleted files, encryption)

Forensic Report Writing

Professional documentation is essential for legal proceedings, management briefings, and knowledge sharing.

Report Structure

1. Executive Summary

• Brief overview (1-2 pages)
• Key findings
• Impact assessment
• Recommendations

2. Case Information

• Case number & date
• Investigator(s)
• Evidence custodian
• Authorization

3. Evidence Description

• Evidence list & hashes
• Chain of custody
• Acquisition method
• Storage location

4. Analysis & Findings

• Methodology used
• Tools employed
• Detailed findings
• Timeline of events
• Artifacts discovered

5. Conclusions

• Summary of findings
• Answer investigative questions
• Attribution (if possible)

6. Appendices

• Screenshots
• Log excerpts
• Full timelines
• Tool outputs

Report Writing Best Practices

Do's

Be Objective: Stick to facts and evidence
Be Clear: Write for non-technical audiences
Be Accurate: Verify all information
Be Complete: Document all steps
Use Timestamps: Include timezone information
Include Screenshots: Visual evidence
Reference Sources: Tool versions, log locations
Explain Technical Terms: Use glossary if needed

Don'ts

Don't Speculate: Only present what evidence shows
Don't Use Jargon: Explain technical concepts
Don't Omit Contradictions: Address inconsistencies
Don't Ignore Exculpatory Evidence: Include all findings
Don't Make Assumptions: Clearly label assumptions
Don't Overreach: Stay within expertise

Legal Consideration

Your report may be used in court. Ensure accuracy, maintain objectivity, and be prepared to testify and explain your findings under oath.

Visual Elements

Timelines: Visual event sequences
Network Diagrams: Show attack paths
Screenshots: Annotate key findings
Charts/Graphs: Event frequency, data volumes
Tables: Structured data presentation

Documentation & Chain of Custody

Chain of Custody

Definition: Documentation of evidence handling from collection to presentation in court.

What to Document

Who: Collected, handled, analyzed
What: Description of evidence
When: Date/time of each action
Where: Location of evidence
Why: Purpose of action
How: Method used

Evidence Integrity

Hash Values: MD5, SHA-256 at acquisition
Write Protection: Hardware write blockers
Storage: Secure, climate-controlled
Access Logs: Who accessed when
Verification: Re-hash before analysis

Documentation Tools

Case Management: FRED (Forensic Report & Evidence Database)
Note Taking: CaseNotes, OneNote, Joplin
Screenshots: Greenshot, ShareX, Snagit
Screen Recording: OBS Studio, CamStudio
Report Templates: SANS templates, custom

Best Practice

Document everything in real-time. Memories fade, but contemporaneous notes are considered reliable in court.

Visualization & Presentation Tools

Timesketch

Collaborative timeline analysis

• Web-based interface
• Plaso integration
• Multi-user collaboration
• Graphing & filtering
• Open-source

TimelineExplorer

CSV timeline viewer

• Fast CSV loading
• Filtering & search
• Tag events
• Windows application
• Free

Maltego

Link analysis & visualization

• Entity relationship mapping
• OSINT integration
• Custom transforms
• Commercial / CE

CaseFile

Offline link analysis

• Similar to Maltego
• No transforms
• Manual data entry
• Free

Excel / LibreOffice Calc

Spreadsheet analysis

• Pivot tables
• Filtering & sorting
• Charts & graphs
• Formulas for analysis

Jupyter Notebooks

Python-based analysis

• Interactive code & notes
• Pandas for data analysis
• Matplotlib for visualization
• Free, reproducible