Timeline Analysis

Use the initial alert as a starting location, then checking for network activity, process activity (including checking for injection), and then looking for names of files, look for activity of specific users that have been identified and then finally identify the IOCs from the data

Use Log2Timline / Plasofor timeline creation, then load into TimeSketch.

Logon Tracer is great for identifying user sessions!

MFTECmd is good for parsing MFT files and creating timelines from the file cache.

NTFS filesystem times:

Always stores times in UTC!

M / Modify - Data content change time A / Access - Data last access time C / change - Metadata change time B / Birth - File Creation time

Windows 10v1907

	File creation	File Access	File Modification	File Rename	File Copy	Local file move	Volume File move	File Deletion
M
A
B
C

Windows11 v22H2

exceptions to the above:

Applications:

• office products

• WinZip

Anti-Forensics:

• Timestomp

• Touch

• Privacy Cleaners

Archives

• ZIP, Rar, and TGZ retains original date / timstpamp

• affects modified time only

Four step process:

1. Determine timeline scope - thorough analysis of the key questions

2. narrow pivot points - identify key files, users and machines

3. determine the best timeline for you - log2timline or MFT timelines?

4. filter & duplicate