Building a Forensic Timeline

From Artifacts to Answers

In Lessons 9.1 through 9.5, you learned to extract forensic artifacts from individual sources — disk images, Windows registries, Linux logs, and memory dumps. Each source tells part of the story. But an investigation that analyzes each source in isolation is like reading random pages from a novel — you get facts without narrative.

The forensic timeline is where every artifact comes together into a single chronological sequence. It transforms isolated data points into a story: the attacker gained access at 02:14 via SSH, escalated privileges at 02:18 with sudo, installed tools at 02:20, established a reverse shell at 02:22, began data exfiltration at 02:35, and cleared logs at 02:47.

What Is a Super Timeline?

A super timeline is a single chronological listing of every timestamped event from every artifact source in an investigation. A typical super timeline from a single Windows workstation can contain millions of entries — every file creation, every registry modification, every event log entry, every browser history visit, every prefetch execution, all sorted by time.

The concept was pioneered by Kristinn Gudjonsson, who created the original log2timeline tool. The modern implementation is Plaso (Plaso Langar Að Safna Öllu — Icelandic for "Plaso Likes to Collect Everything"), which parses over 300 artifact types.

What Goes Into a Super Timeline

log2timeline/Plaso: Automated Timeline Generation

For large-scale investigations, manually correlating thousands of artifacts is impractical. Plaso automates the process.

Click to enlarge

Step 1: Parse All Artifacts

log2timeline.py --storage-file case001.plaso /evidence/disk_image.E01

This single command parses the entire disk image using all applicable parsers. On a 100 GB image, this can take hours but will extract millions of timestamped events from every supported artifact type.

Step 2: Filter the Timeline

A raw super timeline with 10 million entries is unusable without filtering. Plaso's psort.py tool filters and outputs the timeline:

psort.py -o l2tcsv -w timeline.csv case001.plaso "date > '2026-03-15 00:00:00' AND date < '2026-03-16 00:00:00'"

Common filters:

Step 3: Analyze in a Viewer

The CSV output can be opened in:

• Timeline Explorer (Eric Zimmerman) — purpose-built for super timeline analysis on Windows, handles millions of rows efficiently
• Excel/LibreOffice — works for filtered timelines under ~1 million rows
• Elastic/OpenSearch — import the timeline for SIEM-style searching and visualization
• grep/awk — command-line filtering for specific patterns

Manual Timeline Construction

Not every investigation requires Plaso. For smaller incidents or when you need to combine artifacts from different systems, a manual timeline built in a structured spreadsheet is often more effective and faster.

The Timeline Template

Building the Manual Timeline

1. Start with your first indicator — usually a Wazuh alert, Suricata alert, or user report
2. Work backwards — find the initial access event (SSH login, web exploit, phishing)
3. Work forwards — trace every action from initial access to the present
4. Cross-reference sources — if auth.log shows a login at 02:14, check wtmp for the same session, check bash_history for commands during that session, check filesystem timestamps for files created during that window
5. Fill gaps — if there is a 15-minute gap in your timeline, identify which artifact source might fill it (memory? network logs? SIEM alerts?)

Timeline Analysis Techniques

Identifying the Initial Compromise

The initial compromise is the single most important event to find. Everything before it is reconnaissance (interesting but less urgent). Everything after it is the attack itself.

Common indicators of initial compromise in a timeline:

Tracking Lateral Movement

Once you find the initial compromise, look for the attacker moving to other systems:

02:22:15  WIN-DC-01   powershell.exe connects to 10.0.2.30:445 (SMB)
02:22:18  FILE-SRV-01 New login: admin from 10.0.1.50 (NTLM)
02:22:25  FILE-SRV-01 PsExec service installed: PSEXESVC
02:22:30  FILE-SRV-01 cmd.exe spawned by PSEXESVC

The timeline makes lateral movement visible: the attacker pivoted from WIN-DC-01 to FILE-SRV-01 using PsExec over SMB within 15 seconds.

Identifying Data Exfiltration

Click to enlarge

Look for patterns that indicate data collection and transfer:

• Staging: File compression utilities (7z, zip, rar) creating archives in unusual locations
• Collection: Access timestamps on sensitive file shares or database exports
• Transfer: Large outbound connections to external IPs, especially using encrypted protocols (HTTPS, DNS tunneling)

Correlating with SIEM Data

Your forensic timeline becomes exponentially more powerful when merged with SIEM alerts from Wazuh, Suricata, and other monitoring tools.

Why SIEM Correlation Matters

How to Merge SIEM Data

curl -sk "https://wazuh-indexer:9200/wazuh-alerts-*/_search" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "range": {
        "timestamp": {
          "gte": "2026-03-15T02:00:00Z",
          "lte": "2026-03-15T03:00:00Z"
        }
      }
    },
    "size": 1000,
    "sort": [{"timestamp": "asc"}]
  }'

Export the results to CSV and merge with your forensic timeline. The combined view shows both what the attacker did (forensic artifacts) and what your monitoring detected (SIEM alerts) — revealing both the attack and your detection gaps.

Common Timeline Pitfalls

Pitfall 1: Time Zone Confusion

Rule: Normalize everything to UTC before adding to your timeline.

Pitfall 2: Timestamp Granularity

Not all timestamps have the same precision:

When two events appear to have the same timestamp, their actual order may be ambiguous. Document this uncertainty rather than guessing.

Pitfall 3: Evidence Gaps

Gaps in your timeline do not mean nothing happened. They mean you lack evidence for that period. Common causes:

• Log rotation — older entries were compressed or deleted before acquisition
• Anti-forensics — attacker cleared specific logs (history -c, log truncation)
• Insufficient logging — process auditing was not enabled, command-line logging was not configured
• Volatile evidence lost — the system was rebooted before memory was captured
• Scope limitation — you imaged one system but the attacker used three

Always document gaps explicitly in your report: "No evidence available for WIN-DC-01 between 02:30 and 02:45 due to Event Log clearing."

Pitfall 4: Timestamp Manipulation

Sophisticated attackers may manipulate timestamps using tools like timestomp (changing NTFS MACB times) or touch (changing Linux file times). Indicators of timestamp manipulation:

• File Modified time is older than Created time (impossible without manipulation on NTFS)
• $STANDARD_INFORMATION timestamps differ from $FILE_NAME timestamps in the MFT
• Files with timestamps that predate the operating system installation
• Clusters of files with identical timestamps down to the sub-second

Report Writing for Forensic Investigations

The timeline is your evidence. The report is how you communicate that evidence to stakeholders who were not in the investigation.

Report Structure

The Findings Narrative

Transform your timeline into a narrative. Instead of:

02:14:33 - SSH login admin from 10.0.1.50
02:18:12 - sudo apt install nmap
02:19:00 - /tmp/.hidden executed

Write:

At 02:14 UTC on March 15, the attacker authenticated to web-server-01 via SSH using compromised credentials for the 'admin' account, originating from internal IP 10.0.1.50 (the previously compromised workstation). Within four minutes, the attacker escalated to root privileges via sudo and installed reconnaissance tools (nmap, netcat, Impacket). At 02:19, a previously staged ELF binary at /tmp/.hidden was executed, establishing a reverse shell to the attacker's C2 infrastructure.

The narrative adds context, causation, and interpretation — turning data into understanding.

Key Takeaways

• A super timeline combines all timestamped artifacts from all sources into a single chronological view — transforming isolated facts into a coherent narrative
• Plaso/log2timeline automates super timeline generation from disk images, parsing 300+ artifact types into a unified storage file
• Manual timelines (spreadsheet-based) are effective for focused investigations and when combining artifacts from multiple systems
• The analysis workflow: start at the first alert → work backwards to initial compromise → work forwards through the full attack chain → fill gaps
• SIEM correlation dramatically enhances forensic timelines by adding monitoring context (what was detected vs. what was missed)
• Normalize all timestamps to UTC before building your timeline — time zone errors are the most common and most damaging forensic mistake
• Acknowledge evidence gaps explicitly rather than guessing — gaps caused by log rotation, anti-forensics, or insufficient logging must be documented
• Watch for timestamp manipulation indicators: impossible chronological orders, mismatched MFT timestamps, or suspiciously identical timestamps
• Forensic reports serve multiple audiences — executive summary for leadership, detailed findings for responders, IOCs for the SOC, and recommendations for remediation teams
• Transform timeline data into narrative form that explains the how and why, not just the what and when

What's Next

You have completed the Digital Forensics module — from evidence acquisition and chain of custody through Windows artifacts, Linux investigation, memory forensics, and timeline construction. You now have the skills to conduct a full forensic investigation from detection to report. Module 10 takes you into YARA — Malware Detection, where you will write pattern-matching rules to identify malware by its binary characteristics, connect YARA to Velociraptor for enterprise-wide scanning, and build a detection library that bridges forensic findings with proactive threat hunting.