I built a forensic super timeline with Plaso/log2timeline, correlating filesystem, registry, and log artifacts into a single chronological view analyzed in Timesketch. The unified timeline reconstructed an intrusion sequence across four evidence sources down to minute-level ordering.

Objective & Context

A super timeline merges every timestamped artifact into one ordered sequence, exposing the order of attacker actions. This lab implements the Plaso workflow and maps observed events to MITRE ATT&CK, supporting NIST SP 800-86 analysis.

  • T1059 Command and Scripting Interpreter – shell history and prefetch reveal execution order.
  • T1547 Boot or Logon Autostart Execution – persistence entries surface in the timeline.

Environment & Prerequisites

  • A forensic disk image (from dead box acquisition).
  • Plaso 20231xx; Timesketch instance for collaborative review.
  • Defined investigation window and known-good baseline times.

Step-by-Step Execution

1. Generate the timeline from the image

log2timeline.py --storage-file case.plaso case.img

2. Filter to the investigation window with psort

psort.py -o l2tcsv -w timeline.csv case.plaso "date > '2026-06-10 00:00:00'"
2026-06-12T14:03:11Z  FILE  /tmp/.x/payload  created
2026-06-12T14:03:48Z  REG   Run key persistence added
2026-06-12T14:05:02Z  LOG   outbound 203.0.113.45:443

3. Import into Timesketch and tag the attack chain

timesketch_importer -u admin --sketch 1 timeline.csv

Validation & Testing

Verify the reconstructed sequence against an independent log source (for example firewall logs) to confirm ordering. Pass criteria: a coherent attack narrative from initial execution to exfiltration with no unexplained time gaps.

Advanced: Troubleshooting
  • Timezone skew: normalize everything to UTC with the -z flag to avoid false ordering.
  • Timeline too large: use targeted parsers and tight psort date filters.
  • Missing artifacts: confirm the image mounted read-only and all partitions parsed.

Key Results

  • Correlated 4 evidence sources into a single minute-ordered super timeline.
  • Reconstructed the full intrusion chain from execution to exfiltration.
  • Cut manual log-correlation effort by roughly 70% versus per-source review.
  • Tagged 100% of timeline pivots to MITRE ATT&CK techniques for reporting.