Timeline Creation for Forensics Analysis
Hi Squad,
Today, I will discuss the usefulness of timeline creation during Forensic analysis.
Let’s get into it. (Gonna be short and to the point)
Introduction
The idea behind timeline analysis is to list out the events that happened in your system in chronological order. This will help you to analyze the events and their consequences.
For example,
If a hacker hacks into your PC through a malicious MS Word document and then creates a new user and enables RDP on your machine for later access, the events will look similar to the below:
MS word opened -> Macro execution -> TCP connection established -> new user created -> RDP enabled
Hence, we need the events in chronological order to recognize the pattern and come to a conclusion.
Event Types
You may want the following events in your timeline for analysis.
- System events
- File activity
- Browser activity
- Application activity
- Logs and Events
Approaches for event collection
- Automatically gather everything (Super timeline)
- Gather specific event types
Temporal Proximity
It is a very important concept used in the analysis. It means closeness in time. Sometimes we need to find different events that occurred close together in time. The closer, the better.
Timestamp Types
- 64-bit Filetime
- 32-bit Unix time format
- string-based format
- systemtime
Expected Timeline components
We might need some components for the successful analysis of the timeline. Some of them are:
- Timestamp
- Source
- Source type
- Description
- Type
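As an added example (not code from the original post), here is a small Python script that converts the four timestamp types listed above into UTC, builds rows with the timeline components just listed, and groups the events by temporal proximity. The sample events, file names and the five-minute window are constructed assumptions for the Word -> macro -> RDP scenario; the fDenyTSConnections registry value and Security event ID 4720 are the real Windows identifiers for RDP enablement and user creation.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)

def from_filetime(ft):
    # 64-bit FILETIME: 100-ns ticks since 1601-01-01 UTC (MFT, registry keys)
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def from_unix(ts):
    # 32-bit Unix time: seconds since 1970-01-01 UTC (syslog, many text logs)
    return datetime.fromtimestamp(ts, tz=UTC)
def from_string(s, fmt="%Y-%m-%dT%H:%M:%SZ"):
    # string-based: always parse with an explicit format; 'Z' means UTC here
    return datetime.strptime(s, fmt).replace(tzinfo=UTC)
def from_systemtime(raw):
    # SYSTEMTIME: 8 little-endian WORDs (year, month, weekday, day, h, m, s, ms)
    y, mo, _weekday, d, h, mi, s, ms = struct.unpack("<8H", raw)
    return datetime(y, mo, d, h, mi, s, ms * 1000, tzinfo=UTC)

FIELDS = ("timestamp", "source", "source_type", "description", "type")
# Constructed sample events (not real artefacts), deliberately out of order
RAW_EVENTS = [
    (from_filetime(133274089850000000), "SYSTEM hive, Terminal Server key",
     "Registry", "fDenyTSConnections set to 0 (RDP enabled)", "System events"),
    (from_string("2023-05-01T06:00:00Z"), "System.evtx", "Event log",
     "Windows Update service started", "Logs and Events"),
    (from_filetime(133274088000000000), "WINWORD.EXE prefetch file",
     "Prefetch", "WINWORD.EXE executed", "Application activity"),
    (from_unix(1682935215), "firewall.log", "Text log",
     "Outbound TCP connection established", "Logs and Events"),
    (from_systemtime(struct.pack("<8H", 2023, 5, 1, 1, 10, 2, 30, 0)),
     "Security.evtx", "Event log", "User account created (4720)", "Logs and Events"),
    (from_string("2023-05-01T10:00:12Z"), "Sysmon.evtx", "Event log",
     "WINWORD.EXE spawned a child process (macro)", "Application activity"),
]

def build_timeline(events):
    # Rows carrying the timeline components, sorted chronologically in UTC
    return sorted((dict(zip(FIELDS, e)) for e in events), key=lambda r: r["timestamp"])

def proximity_clusters(timeline, window=timedelta(minutes=5)):
    # Temporal proximity: chain events whose gap to the previous one is <= window
    clusters = []
    for row in timeline:
        if clusters and row["timestamp"] - clusters[-1][-1]["timestamp"] <= window:
            clusters[-1].append(row)
        else:
            clusters.append([row])
    return clusters
```

Running proximity_clusters(build_timeline(RAW_EVENTS)) leaves the early Windows Update event in a cluster of its own and chains the five attack-related events into one cluster in the order Word -> macro -> TCP -> new user -> RDP.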
Creating Timeline
Tools:
- Sleuthkit — fls, mactime
- Log2timeline
- Timeline explorer
Commands:
fls -l -r -a -p -m 'C:' image.dd > tl.csv
mactime -b tl.csv -d > timeline.csv
log2timeline -z local -f win7 -w timeline.csv -r C:\
Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.
You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj