Objective

Build a comprehensive forensic timeline by correlating filesystem, log, and artifact timestamps.

Tools & Technologies

  • log2timeline
  • plaso
  • mactime
  • timesketch
  • Gantt chart

Key Commands

log2timeline.py /evidence/timeline.plaso /image.dd
psort.py /evidence/timeline.plaso -o l2tcsv > output.csv
mactime -b body.txt
timesketch_importer.py

Architecture Overview

Mermaid Gantt definition of the reconstructed timeline:

gantt
    title Incident Timeline Reconstruction
    dateFormat YYYY-MM-DD HH:mm
    section Attacker Activity
    Initial compromise    :crit, a1, 2024-01-15 02:00, 30m
    Lateral movement      :crit, a2, 2024-01-15 03:00, 2h
    Data exfiltration     :crit, a3, 2024-01-15 05:30, 1h
    section System Events
    Failed SSH attempts   :b1, 2024-01-15 01:45, 15m
    Successful SSH login  :b2, 2024-01-15 02:00, 5m
    Unusual process start :b3, 2024-01-15 02:10, 5m

Step-by-Step Process

01
Log2Timeline

Extract all timestamps from a disk image.

# Install
pip3 install plaso

# Extract timeline from a raw device (attach it read-only / behind a write blocker).
# Newer plaso releases expect --storage-file; older ones take the storage path
# as the first positional argument, as in Key Commands above.
log2timeline.py --storage-file /evidence/timeline.plaso /dev/sdb
# Or from an image file
log2timeline.py --storage-file /evidence/timeline.plaso /evidence/disk.dd

# Filter and export
psort.py /evidence/timeline.plaso \
  -o l2tcsv \
  -w /evidence/timeline.csv \
  -z UTC

02
Filesystem Mactime

Use TSK mactime for a faster filesystem-only timeline.

# Generate bodyfile from image
fls -r -m / /evidence/disk.dd > /evidence/body.txt

# Generate mactime timeline
mactime -b /evidence/body.txt \
  -d -z UTC \
  -p /evidence/passwd \
  -g /evidence/group \
  > /evidence/fstimeline.csv

03
Correlate Events

Filter timeline around suspected incident window.

# Filter the l2tcsv output to the incident window.
# l2tcsv columns start date,time,timezone,MACB,...; date is MM/DD/YYYY and
# time is HH:MM:SS, so compare the two fields separately.
awk -F, '$1 == "01/15/2024" && $2 >= "02:00:00" && $2 <= "06:00:00"' /evidence/timeline.csv

# Pivot on a specific user
grep 'alice' /evidence/timeline.csv

# Correlate with auth logs taken from the evidence, not the analysis host.
# RFC 3339 stamps read 2024-01-15T02...; traditional syslog stamps read "Jan 15 02:".
grep -E '2024-01-15T02|^Jan 15 02:' /var/log/auth.log

Challenges & Solutions

  • Timezone inconsistencies in multi-source timelines corrupt analysis — normalize to UTC
  • Large disk images take hours to process with log2timeline; start with the faster mactime filesystem-only timeline (step 02) while the full extraction runs
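
Added example for the correlation step and the timezone challenge above; this is not code from the lab, from plaso or from TSK. It merges l2tcsv rows (already exported with -z UTC) with a traditional-format auth.log, whose stamps carry neither a year nor a zone, normalizes both to UTC, and then filters to the incident window. Every row, the hostname web01, the 203.0.113.9 address, the file paths and the host's fixed UTC-5 offset are constructed assumptions; only plaso's l2tcsv column layout is real.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ASSUMPTION: the imaged host logged in local time at a fixed UTC-5 offset.
# A real case needs the host's actual zone (zoneinfo) and DST handling.
HOST_TZ = timezone(timedelta(hours=-5))

# Constructed psort.py l2tcsv output (exported with -z UTC). The header is
# plaso's real l2tcsv layout; the rows are made up for this example.
L2TCSV_SAMPLE = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/14/2024,23:30:00,UTC,M...,FILE,OS Content Modification Time,Content Modification Time,-,web01,/var/log/apt/history.log,-,2,/var/log/apt/history.log,2301,-,filestat,-
01/15/2024,02:00:12,UTC,...B,FILE,OS Creation Time,Creation Time,-,web01,/home/alice/.ssh/authorized_keys,-,2,/home/alice/.ssh/authorized_keys,4021,-,filestat,-
01/15/2024,02:10:45,UTC,M.C.,FILE,OS Content Modification Time,Content Modification Time,-,web01,/tmp/.x,-,2,/tmp/.x,8817,-,filestat,-
01/15/2024,05:30:00,UTC,...B,FILE,OS Creation Time,Creation Time,-,web01,/tmp/.staging.tgz,-,2,/tmp/.staging.tgz,8820,-,filestat,-
"""

# Constructed /var/log/auth.log excerpt in traditional syslog format:
# no year, no zone, host-local time.
AUTH_LOG_SAMPLE = """\
Jan 14 20:45:01 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jan 14 21:00:07 web01 sshd[2215]: Accepted publickey for alice from 203.0.113.9 port 51140 ssh2
Jan 14 21:10:31 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""


@dataclass(order=True)
class Event:
    when: datetime   # always timezone-aware UTC once loaded
    source: str
    detail: str


def load_l2tcsv(text: str) -> list[Event]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":
            # Mixed zones silently scramble ordering; fail loudly instead.
            raise ValueError(f"row in zone {row['timezone']!r}: re-run psort.py with -z UTC")
        when = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        events.append(Event(when.replace(tzinfo=timezone.utc), "plaso/" + row["source"],
                            f"{row['type']} {row['filename']} [{row['MACB']}]"))
    return events


def load_syslog(text: str, year: int, host_tz: timezone) -> list[Event]:
    """Traditional syslog stamps carry no year or zone; the analyst supplies both."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:15], line[16:]          # "Mon DD HH:MM:SS" is 15 chars
        local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=host_tz)
        events.append(Event(local.astimezone(timezone.utc), "auth.log", rest))
    return events


def merge_timelines(*sources: list[Event]) -> list[Event]:
    return sorted(ev for src in sources for ev in src)


def in_window(events: list[Event], start_utc: str, end_utc: str) -> list[Event]:
    """Keep events inside [start, end]; bounds are ISO 8601 strings read as UTC."""
    start = datetime.fromisoformat(start_utc).replace(tzinfo=timezone.utc)
    end = datetime.fromisoformat(end_utc).replace(tzinfo=timezone.utc)
    return [e for e in events if start <= e.when <= end]


if __name__ == "__main__":
    merged = merge_timelines(load_l2tcsv(L2TCSV_SAMPLE),
                             load_syslog(AUTH_LOG_SAMPLE, 2024, HOST_TZ))
    # Widen the window by a margin: the failed logins at 01:45 UTC precede the 02:00 compromise.
    for ev in in_window(merged, "2024-01-15T01:30:00", "2024-01-15T06:00:00"):
        print(ev.when.strftime("%Y-%m-%d %H:%M:%S"), ev.source, ev.detail, sep="\t")
```

With the 02:00 to 06:00 window from step 03 the failed-password burst at 01:45 UTC drops out; the main block widens the start by 30 minutes, which is the usual reason to filter with a margin on each side of the suspected window rather than on it exactly.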

Key Takeaways

  • Timeline is the foundation of all forensic narrative — invest time getting it right
  • Attacker-modified timestamps (timestomping) are visible as anomalies in MACB analysis
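
Added example for the mactime step and the timestomping takeaway above; it is not code from the lab, from TSK or from plaso. It parses the TSK bodyfile that `fls -m` writes, expands it into mactime-style rows with a macb flag string, and reports the timestamp patterns an analyst reads as possible timestomping: a file whose last-modified time precedes its creation time, or whose ctime (which utimes()/touch cannot set) sits far after its mtime. The sample bodyfile lines, paths, inodes and epoch values are constructed; the bodyfile column order is TSK's real 3.x format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample bodyfile in the TSK 3.x format written by `fls -m`:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Times are Unix epoch seconds (UTC); 0 means "not available".
SAMPLE_BODYFILE = """\
0|/etc/passwd|131|r/rrw-r--r--|0|0|2940|1705284000|1705284000|1705284000|1705284000
0|/home/alice/.ssh/authorized_keys|4021|r/rrw-------|1000|1000|412|1705284600|1705284600|1705284600|1705284600
0|/tmp/.x|8817|r/rrwxr-xr-x|1000|1000|98304|1262304000|1262304000|1705285200|1705285200
0|/var/log/auth.log|2210|r/rrw-r-----|0|4|10240|1705297800|1705297800|1705297800|1705284000
"""


@dataclass
class BodyEntry:
    name: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_bodyfile(text: str) -> list[BodyEntry]:
    """Parse bodyfile lines; raise on malformed records rather than skipping them silently."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        entries.append(BodyEntry(name, inode, mode, int(uid), int(gid), int(size),
                                 int(atime), int(mtime), int(ctime), int(crtime)))
    return entries


def _utc(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_timeline(entries: list[BodyEntry]) -> list[tuple[str, str, str]]:
    """Expand entries into mactime-style rows (timestamp, macb flags, name): one row per
    distinct timestamp, with a dot for each timestamp type that does not share that value."""
    rows = []
    for e in entries:
        by_time: dict[int, set[str]] = {}
        for flag, value in (("m", e.mtime), ("a", e.atime), ("c", e.ctime), ("b", e.crtime)):
            if value > 0:
                by_time.setdefault(value, set()).add(flag)
        for epoch, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append((_utc(epoch), macb, e.name))
    return sorted(rows)


def find_timestomp_candidates(entries: list[BodyEntry], min_gap: int = 86400) -> list[tuple[str, str]]:
    """Flag entries whose timestamps are internally inconsistent.
    - mtime earlier than crtime: the file was "modified before it was created". This is
      also what a copy with preserved mtime looks like, so it is a lead, not proof.
    - ctime far later than mtime: utimes()/touch -d rewrite mtime and atime but not
      ctime, so an old mtime beside a fresh ctime deserves a look.
    """
    findings = []
    for e in entries:
        if e.crtime and e.mtime and e.mtime < e.crtime:
            findings.append((e.name, "mtime earlier than crtime"))
        elif e.ctime and e.mtime and e.ctime - e.mtime > min_gap:
            findings.append((e.name, "ctime more than min_gap after mtime"))
    return findings


if __name__ == "__main__":
    entries = parse_bodyfile(SAMPLE_BODYFILE)
    for row in build_timeline(entries):
        print("\t".join(row))
    for name, reason in find_timestomp_candidates(entries):
        print(f"CHECK {name}: {reason}")
```

On the sample, /tmp/.x carries a 2010 mtime and atime beside a 2024-01-15 02:20 ctime and crtime, which the first rule catches; its two timeline rows ("ma.." in 2010, "..cb" in 2024) are the MACB split the takeaway refers to.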