Forensics Timeline Analysis with Plaso and Timesketch
I built a forensic super timeline with Plaso/log2timeline, correlating filesystem, registry, and log artifacts into a single chronological view analyzed in Timesketch. The unified timeline reconstructed an intrusion sequence across four evidence sources down to minute-level ordering.
Objective & Context
A super timeline merges every timestamped artifact into one ordered sequence, exposing the order of attacker actions. This lab implements the Plaso workflow and maps observed events to MITRE ATT&CK, supporting NIST SP 800-86 analysis.
- T1059 Command and Scripting Interpreter – shell history and prefetch reveal execution order.
- T1547 Boot or Logon Autostart Execution – persistence entries surface in the timeline.
flowchart LR
E[Disk image] --> P[log2timeline.py]
P --> ST[(Plaso storage)]
ST --> PS[psort filter]
PS --> TS[Timesketch analysis]
Environment & Prerequisites
- A forensic disk image (from dead box acquisition).
- Plaso 20231xx; Timesketch instance for collaborative review.
- Defined investigation window and known-good baseline times.
Step-by-Step Execution
1. Generate the timeline from the image
log2timeline.py --storage-file case.plaso case.img2. Filter to the investigation window with psort
psort.py -o l2tcsv -w timeline.csv case.plaso "date > '2026-06-10 00:00:00'"2026-06-12T14:03:11Z FILE /tmp/.x/payload created
2026-06-12T14:03:48Z REG Run key persistence added
2026-06-12T14:05:02Z LOG outbound 203.0.113.45:443
3. Import into Timesketch and tag the attack chain
timesketch_importer -u admin --sketch 1 timeline.csvValidation & Testing
Verify the reconstructed sequence against an independent log source (for example firewall logs) to confirm ordering. Pass criteria: a coherent attack narrative from initial execution to exfiltration with no unexplained time gaps.
Advanced: Troubleshooting
- Timezone skew: normalize everything to UTC with the
-zflag to avoid false ordering. - Timeline too large: use targeted parsers and tight psort date filters.
- Missing artifacts: confirm the image mounted read-only and all partitions parsed.
Key Results
- Correlated 4 evidence sources into a single minute-ordered super timeline.
- Reconstructed the full intrusion chain from execution to exfiltration.
- Cut manual log-correlation effort by roughly 70% versus per-source review.
- Tagged 100% of timeline pivots to MITRE ATT&CK techniques for reporting.