Timeline Creation for Forensics Analysis

Hi Squad,

Today, I will discuss why building a timeline is so useful during forensic analysis.

Let’s get into it. (Gonna be short and to the point)


Introduction

The idea behind timeline analysis is to list the events that happened on a system in chronological order. Once events are in order you can see which one caused which, instead of staring at each artifact in isolation.

For example,

Suppose an attacker gets into your PC through a malicious MS Word document, then creates a new user and enables RDP on the machine for later access.

The events will look similar to the below:

MS Word opened -> Macro execution -> TCP connection established -> new user created -> RDP enabled

Each of these events could be innocent on its own. Seen in order, and within minutes of each other, they form a recognisable pattern, which is why we need them in sequence before we can reach a conclusion.

Event Types

You may want the following events in your timeline for analysis.

  • System events
  • File activity
  • Browser activity
  • Application activity
  • Logs and Events

Approaches for event collection

  1. Automatically gather everything (super timeline): parse every artifact on the image with a tool such as log2timeline. Complete, but large and noisy, so you spend your time filtering.
  2. Gather specific event types: collect only the artifacts relevant to your hypothesis (for the scenario above: file system, process and event log entries). Faster and easier to read, but you can miss evidence from a source you did not collect.

Temporal Proximity

It is a very important concept in the analysis and means closeness in time. Events from different sources that happen within seconds of each other are likely to be related: a document write, a process start and a network connection in the same minute tell a story that none of them tells alone. Once the timeline is sorted, look for these clusters and the gaps between them. The closer the events, the stronger the link. This only works if every source is converted to the same time zone first.

Timestamp Types

  1. 64-bit FILETIME: count of 100-nanosecond intervals since 1601-01-01 UTC. Used by NTFS ($MFT), the registry and Windows event logs.
  2. 32-bit Unix time: seconds since 1970-01-01 UTC. Used by Linux file systems, syslog and many SQLite databases.
  3. String-based format: human-readable text in logs, e.g. "2024-03-01 10:00:42". Often written in local time with no zone indicator, so you must know the machine's time zone to interpret it.
  4. SYSTEMTIME: the Windows structure with separate year, month, day-of-week, day, hour, minute, second and millisecond fields.

Different sources store time in different zones and with different precision. Normalise everything to UTC before sorting, otherwise events that are seconds apart can end up hours apart in the timeline.

Expected Timeline components

We need some components in each row for the analysis of the timeline to succeed. At a minimum,

  1. Timestamp (normalised to UTC)
  2. Source: the artifact the entry came from, e.g. $MFT, Security.evtx, SYSTEM hive
  3. Source type: the category of the source, e.g. file system, event log, registry, browser
  4. Description: what happened, in words an analyst can search for
  5. Type: which kind of timestamp the entry is, e.g. modified, accessed, changed or created (the MACB columns in mactime output)
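The following is an added example, not code from the original post. It converts the four timestamp types above into UTC, builds rows with the five components, sorts them, and then applies temporal proximity by grouping events that fall within two minutes of each other. The events, sources and the machine's local time zone (UTC-5) are constructed for the demo and follow the Word -> macro -> connection -> new user -> RDP scenario.

```python
"""Normalise mixed timestamp formats to UTC, build a timeline and find clusters.

Added example, not code from the original post. The events, sources and the
machine's local time zone (UTC-5) are constructed for the demo.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: the imaged machine was set to UTC-5; text logs written in local time need this.
LOCAL_TZ = timezone(timedelta(hours=-5))
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft: int) -> datetime:
    """64-bit FILETIME: 100-nanosecond intervals since 1601-01-01 UTC ($MFT, registry, evtx)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def from_unix(secs: int) -> datetime:
    """32-bit Unix time: seconds since 1970-01-01 UTC (Linux file systems, syslog, SQLite DBs)."""
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def from_string(text: str, tz: timezone = timezone.utc, fmt: str = "%Y-%m-%d %H:%M:%S") -> datetime:
    """String timestamp from a text log; tz is the zone the log was written in."""
    return datetime.strptime(text, fmt).replace(tzinfo=tz).astimezone(timezone.utc)

def from_systemtime(st: tuple) -> datetime:
    """Windows SYSTEMTIME: (year, month, day_of_week, day, hour, minute, second, milliseconds)."""
    year, month, _day_of_week, day, hour, minute, second, ms = st
    return datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)

CONVERTERS = {
    "filetime": from_filetime,
    "unix": from_unix,
    "string_utc": from_string,
    "string_local": lambda s: from_string(s, tz=LOCAL_TZ),
    "systemtime": from_systemtime,
}

# Constructed events: (raw timestamp, format, source, source type, description, type).
# One unrelated browser visit an hour earlier is included to show how clustering separates it.
EVENTS = [
    (133537608000000000, "filetime", "$MFT", "filesystem", "invoice.docm created in Downloads", "created"),
    ("2024-03-01 05:00:30", "string_local", "Office log", "application", "WINWORD.EXE opened invoice.docm", "opened"),
    ("2024-03-01 10:00:42", "string_utc", "Sysmon", "eventlog", "WINWORD.EXE spawned powershell.exe", "process"),
    (1709287260, "unix", "proxy.log", "network", "TCP connection to 203.0.113.7:443", "network"),
    ((2024, 3, 5, 1, 10, 1, 5, 0), "systemtime", "Security.evtx", "eventlog", "EventID 4720: user svc_backup created", "account"),
    (133537609500000000, "filetime", "SYSTEM hive", "registry", "fDenyTSConnections set to 0 (RDP enabled)", "modified"),
    (1709283600, "unix", "History (Chrome)", "browser", "visited intranet portal", "browser"),
]

def build_timeline(events):
    """Convert every raw timestamp to UTC and return rows sorted chronologically."""
    rows = []
    for raw, fmt, source, source_type, description, etype in events:
        rows.append({
            "timestamp": CONVERTERS[fmt](raw),
            "source": source,
            "source_type": source_type,
            "description": description,
            "type": etype,
        })
    rows.sort(key=lambda r: r["timestamp"])
    return rows

def cluster_by_proximity(rows, max_gap_seconds):
    """Temporal proximity: group sorted rows so each event is within max_gap_seconds of the previous one."""
    clusters = []
    for row in rows:
        if clusters and (row["timestamp"] - clusters[-1][-1]["timestamp"]).total_seconds() <= max_gap_seconds:
            clusters[-1].append(row)
        else:
            clusters.append([row])
    return clusters

def to_csv(rows) -> str:
    """Render the timeline with the five expected columns."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["timestamp", "source", "source_type", "description", "type"])
    for r in rows:
        writer.writerow([r["timestamp"].isoformat(), r["source"], r["source_type"], r["description"], r["type"]])
    return out.getvalue()

if __name__ == "__main__":
    timeline = build_timeline(EVENTS)
    print(to_csv(timeline))
    for cluster in cluster_by_proximity(timeline, max_gap_seconds=120):
        print(f"--- {len(cluster)} event(s) within 2 minutes of each other ---")
        for r in cluster:
            print(r["timestamp"].strftime("%H:%M:%S"), r["source"], "|", r["description"])
```

Note how the Office log entry only lands in the right place because it is tagged as local time and shifted to UTC; left unconverted it would sort five hours earlier and break the pattern. The two-minute window is a starting point; widen it for slow, hands-on intrusions and narrow it for automated ones.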

Creating Timeline


Tools:

  1. The Sleuth Kit: fls lists files in body format, mactime sorts them into a timeline
  2. log2timeline: now part of plaso, with psort to export the sorted output
  3. Timeline Explorer: Eric Zimmerman's viewer for large timeline CSVs

Commands:

Sleuth Kit. fls walks the file system (allocated and deleted entries) and writes body format; mactime sorts it into a comma-separated timeline. Give mactime an explicit time zone so the order is not skewed:

fls -r -p -m 'C:/' image.dd > body.txt
mactime -z UTC -b body.txt -d > timeline.csv

If image.dd is a whole-disk image rather than a single partition, pass the partition's sector offset from mmls to fls with -o.

log2timeline. The command below uses the legacy Perl log2timeline syntax (-z time zone, -f input module preset, -w output file, -r recurse):

log2timeline -z local -f win7 -w timeline.csv -r C:\

With the current plaso tools the same super timeline is built in two steps, extraction into a storage file and then a sorted export:

log2timeline.py --storage-file timeline.plaso image.dd
psort.py -o l2tcsv -w timeline.csv timeline.plaso

Please give me a clap if you found it useful and follow me for more hacking knowledge.

You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj