Module 9 - Timeline Analysis

Uploaded by

es169371
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
14 views53 pages

Module 9 - Timeline Analysis

Uploaded by

es169371
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 53

9.1. Introduction

9.2. Event Types

9.3. Approaches

9.4. Temporal Proximity

9.5. Timestamp Types

9.6. Timeline Fields

9.7. Creating Timelines

© Caendra Inc. 2018

9.1. Introduction
Timeline analysis is not new; it has been around for quite some time.

In the past, the focus was only on file system metadata. Today the practice looks quite different, with far more data to examine.


The idea behind timeline analysis is to list all the events that happened on the disk in chronological order, regardless of their type, location, or originating application.

The sequence of events helps an investigator work out the context of those events and whether they are related to, for example, an intrusion.


Example:
A system was compromised through a vulnerable network-level service. The attacker then enabled the remote desktop service, added a user to the system, and then opened a port in the system’s firewall.


If we analyze each event alone:

Accessing a network service → Enabling remote desktop → Creating a user on the system

you will notice that they are all normal operations done by system administrators all the time.


BUT, when you take the events as a sequence and check them closely, you will notice that there is something suspicious going on.

Timeline analysis will help in discovering such series of events.


One thing to keep in mind is that this is a very tedious and time-consuming task; it can take a very long time to finish the analysis and reach a conclusion.

There are several reasons for that. First, you need to know what each event in the output actually is; only then can you understand what was being done at that point in time.


The second reason is that becoming an expert in timeline analysis requires a lot of experience, especially in knowing what to focus on, what to remove or filter, and why.

As you continue to look at timeline analysis reports and work on them, you will gain more experience.


The final reason is that even when a system is idle and the user is doing nothing, the system itself is still generating events.

For example, the system may be running a scheduler or the file system checker in the background. Such things add events that will show up in your timeline analysis report.


9.2. Event Types

What type of events do we want to be in a timeline?
Usually it depends on what you’re trying to answer, but in general the things that could be added to a timeline (from multiple data sources) are:
• System events
• File activity
• Browser activities
• Application activities
• Logs and Events


What if the case you are working on involves multiple systems?

This is where it becomes even more complicated. Events could have happened on different systems, especially when, for example, lateral movement is part of the intrusion. At this point, you will not only be adding multiple data sources, but multiple systems, each with multiple data sources!


So, when adding multiple source devices, the size of your timeline will certainly be huge. You must try to narrow down a time window to focus on, to help you work through the millions of lines you will encounter in your timeline.


9.3. Approaches

There are different approaches that are typically used:
• Automatically gather everything
• Gather specific event types


#1 - Automatically gather everything

• As the name implies, this is done by automatically gathering all the events that could be collected from a system and analyzing them.

• This is also referred to as a “Super timeline”.


#2 - Gather specific events

• I call it Carvey’s approach, because it is the one used by Harlan Carvey (a well-known digital forensics and incident response researcher).

• I highly recommend you check out his books and his blog, found here:
http://windowsir.blogspot.com/


This approach is based on the objectives of the investigation. You could use multiple tools, each for a specific system artifact (e.g., event logs, registry entries) that could provide date and time information. Also, do not forget the file system metadata.

Other artifacts that could be checked are usually related to users, for instance browser activity.


9.4. Temporal Proximity

• Temporal proximity is a very important concept used in timeline analysis; it means closeness in time.

• Sometimes you need to find the events that lie closest in time within a set of events. The closer in time they are, the more likely it is that the time is accurate.


Because times may be altered, multiple references to a particular time will increase the confidence in that time.

Remember, you are working with millions of timestamp entries; the more temporal proximity you can establish, the better and faster your results will be.
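An added example (not code from the module) of applying temporal proximity to a constructed event list: events are grouped into clusters that fall within a chosen window, and a cluster counts as corroborated only when several independent sources (event log, registry, file system) point at the same moment, which is the "multiple references increase confidence" idea above. The event lines, the window size and the source threshold are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed events (UTC ISO-8601, source, description); they mirror the module's
# compromise scenario and are not taken from any real system.
SAMPLE_EVENTS = [
    ("2018-01-01T05:55:10Z", "EVTX", "Successful network logon"),
    ("2018-01-01T05:55:12Z", "REG", "Remote desktop enabled"),
    ("2018-01-01T05:55:40Z", "EVTX", "User account created"),
    ("2018-01-01T05:56:02Z", "FILE", "Firewall configuration tool accessed"),
    ("2018-01-01T05:56:05Z", "REG", "Firewall rule added"),
    ("2018-01-01T09:30:00Z", "FILE", "Page file modified"),
    ("2018-01-01T11:00:00Z", "EVTX", "Scheduled task ran"),
]


def parse_utc(text: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in SAMPLE_EVENTS."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cluster_events(events, window_seconds: int):
    """Split a timeline into clusters: an event joins the open cluster while it is no more
    than window_seconds after that cluster's first event, otherwise a new cluster starts."""
    ordered = sorted(events, key=lambda e: parse_utc(e[0]))
    clusters, current = [], []
    for event in ordered:
        if current:
            gap = (parse_utc(event[0]) - parse_utc(current[0][0])).total_seconds()
            if gap > window_seconds:
                clusters.append(current)
                current = []
        current.append(event)
    if current:
        clusters.append(current)
    return clusters


def corroborated_clusters(events, window_seconds: int, min_sources: int):
    """Keep only clusters in which at least min_sources distinct sources agree on the
    time frame; background noise from a single source (scheduler, page file) drops out."""
    result = []
    for cluster in cluster_events(events, window_seconds):
        sources = sorted({e[1] for e in cluster})
        if len(sources) >= min_sources:
            result.append({
                "start": cluster[0][0],
                "end": cluster[-1][0],
                "sources": sources,
                "events": [e[2] for e in cluster],
            })
    return result


if __name__ == "__main__":
    for c in corroborated_clusters(SAMPLE_EVENTS, window_seconds=120, min_sources=2):
        print(c["start"], "->", c["end"], c["sources"])
        for description in c["events"]:
            print("   ", description)
```

With a two-minute window and a threshold of two sources, only the 05:55 to 05:56 burst survives; the isolated page-file and scheduled-task events, each seen by a single source, are exactly the kind of idle-system noise the earlier slides warn about.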


9.5. Timestamp Types

Different Time Formats
Windows in particular uses a number of different time formats for different system files, data entries, and registry values. The most commonly seen time formats are:
• 64-bit FILETIME (UTC)
Number of 100-nanosecond intervals since 1/1/1601

• 32-bit Unix time format (UTC)
Number of seconds since 1/1/1970


• String-based format (local time)
01/01/2018 5:55 PM

• SYSTEMTIME (local time)
Used in some registry entries and some Windows XP timestamps
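The conversions implied by the four formats above, as an added example (not code from the module): a 64-bit FILETIME and a 32-bit Unix time are turned into UTC datetimes, a string-based local time is normalised to UTC given the system's UTC offset, and a raw 16-byte SYSTEMTIME structure is unpacked. The constant 116444736000000000 is the number of 100-nanosecond intervals between 1601-01-01 and 1970-01-01; the sample values in the block are constructed, and the SYSTEMTIME layout (eight little-endian 16-bit words) is the documented Windows structure.

```python
import struct
from datetime import datetime, timedelta, timezone

# 100-nanosecond intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
FILETIME_UNIX_OFFSET = 116444736000000000
FILETIME_PER_SECOND = 10_000_000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """64-bit FILETIME (UTC): count of 100 ns intervals since 1601-01-01."""
    if not 0 <= ft < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    seconds, rest = divmod(ft - FILETIME_UNIX_OFFSET, FILETIME_PER_SECOND)
    # Python datetimes stop at microseconds, so the last digit of the 100 ns count is dropped.
    return UNIX_EPOCH + timedelta(seconds=seconds, microseconds=rest // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """FILETIME as stored in binary registry values or $MFT attributes: 8 bytes, little-endian."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return filetime_to_datetime(int.from_bytes(raw, "little"))


def unix32_to_datetime(ts: int) -> datetime:
    """32-bit Unix time (UTC): seconds since 1970-01-01. Signed, so it runs out in 2038."""
    if not -2**31 <= ts < 2**31:
        raise ValueError("value does not fit in a signed 32-bit Unix time")
    return UNIX_EPOCH + timedelta(seconds=ts)


def local_string_to_utc(text: str, utc_offset_hours: float) -> datetime:
    """String-based local time such as '01/01/2018 5:55 PM', normalised to UTC.
    The system's UTC offset must be known (the module says to take it from the registry)."""
    local = datetime.strptime(text, "%m/%d/%Y %I:%M %p")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def systemtime_from_bytes(raw: bytes) -> datetime:
    """SYSTEMTIME structure: eight little-endian 16-bit words (year, month, day-of-week,
    day, hour, minute, second, millisecond). It is local time, so no tzinfo is attached."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


if __name__ == "__main__":
    # Constructed values: 2018-01-01 00:00:00 UTC in each encoding.
    print(filetime_to_datetime(131592384000000000))
    print(unix32_to_datetime(1514764800))
    print(local_string_to_utc("01/01/2018 5:55 PM", -5))
    print(systemtime_from_bytes(struct.pack("<8H", 2018, 1, 1, 1, 17, 55, 0, 0)))
```

Note that the two local-time formats are the ones that cannot be placed on a UTC timeline without the machine's time zone, which is why the module insists on recovering it from the registry before building a timeline.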


You will be dealing with MACB data throughout your timeline analysis.

The meaning of the MACB times in the most common file systems can be summarised as:

File system | m             | a        | c                  | b
FAT         | Written       | Accessed | Not available      | File created
NTFS        | File modified | Accessed | MFT entry modified | File created


9.6. Timeline Fields

Depending on the type of timeline you are generating, and of course the tool used to generate it, a general timeline will have the following components:
1. Timestamp
2. Source
3. Source Type
4. Type
5. MACB
6. Description


The structure of a body file (later converted to a timeline) generated by the Sleuthkit is:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

[-] Body file, https://wiki.sleuthkit.org/index.php?title=Body_file


While the structure of a timeline generated by log2timeline (plaso) would be:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime


The final example would be Eric Zimmerman’s Time Line Explorer (TLE), which does not have a specific structure of its own, because it lets you open an existing timeline and analyze it within TLE.

So, the structure actually depends on the tool you used to build your timeline.

[-] TLE, https://ericzimmerman.github.io/


Source Field

The source field could include evidence gathered from:

• FILE – file system create dates
• EVT/EVTX – XP, 2000, 2003 event logs
• EVTX – Vista and 7 event logs
• REG – registry dates
• PRE – prefetch dates
• LNK – lnk dates


System Field

• System name
• Host name
• IP Address
• MAC Address


User Field

• User associated with the event
• SID
• Users are often associated with registry entries


Description Field

• Brief description
• Sufficient information to evaluate significance
• Can include spaces and special characters
• Just no “|”s


9.7. Creating Timelines

Tools that can be used to create timelines:
• Windows Forensic Analysis Toolkit by Harlan Carvey
  http://code.google.com/p/winforensicaanalysis/downloads/list
• The Sleuthkit, using the fls and mactime commands
• The Log2timeline framework by Kristinn Gudjonsson
  (the new version, written in Python, is called plaso)
• Time Line Explorer, by Eric Zimmerman


In this section, we will cover different ways of creating and viewing timelines. Don’t forget to check the labs and videos.

The first one is using the directory export listing option in FTK Imager.


The Directory Listing


The Sleuthkit comes with useful tools to generate timelines. You can use fls to first create a file in the Bodyfile format:
fls -l -r -a -p -m 'C:' image.dd > bodyfile.csv


You can convert the Bodyfile into a timeline using mactime:
mactime -b bodyfile.csv -d > timeline.csv
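Putting the body file structure from the Timeline Fields section and the mactime step above together, as an added example that is neither the module's code nor The Sleuth Kit's: the pipe-delimited body file (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, with times as epoch seconds) is parsed and expanded into one row per distinct timestamp, each carrying an m/a/c/b flag string, which is what mactime does when it turns a body file into a timeline. The body file lines are constructed; a timestamp of 0 is treated as "not set" and skipped, a choice made for this example, and the CSV header imitates the layout of `mactime -d` output without claiming to be byte-identical to it.

```python
from datetime import datetime, timezone

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")

# Constructed body file content (the shape fls -m produces); paths, inodes, sizes and
# timestamps are made up. Note the prefetch entry has no access time (0).
SAMPLE_BODY = """\
0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|232960|1514786100|1514764800|1514764800|1514764800
0|C:/Users/admin/Desktop/notes.txt|5678-128-1|r/rrwxrwxrwx|0|0|120|1514786160|1514786160|1514786160|1514786100
0|C:/Windows/Prefetch/CMD.EXE-00000000.pf|9012-128-1|r/rrwxrwxrwx|0|0|4096|0|1514786100|1514786100|1514786100
"""


def parse_body(text: str):
    """Parse body file lines into dicts; malformed lines (wrong field count) are reported
    as (line number, line) rather than silently dropped."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(BODY_FIELDS):
            bad.append((lineno, line))
            continue
        entry = dict(zip(BODY_FIELDS, parts))
        for key in ("atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries, bad


def mactime_rows(entries):
    """Expand each entry into one row per distinct timestamp. The 'macb' string marks
    which of the four timestamps equal that value and uses '.' for the ones that do not."""
    rows = []
    for e in entries:
        stamps = {"m": e["mtime"], "a": e["atime"], "c": e["ctime"], "b": e["crtime"]}
        for t in sorted({v for v in stamps.values() if v != 0}):   # 0 = timestamp not set
            flags = "".join(letter if stamps[letter] == t else "." for letter in "macb")
            rows.append({
                "time": datetime.fromtimestamp(t, tz=timezone.utc).isoformat(),
                "epoch": t, "size": e["size"], "macb": flags, "mode": e["mode"],
                "uid": e["uid"], "gid": e["gid"], "inode": e["inode"], "name": e["name"],
            })
    # Chronological order first, then by path so equal timestamps are listed predictably.
    rows.sort(key=lambda r: (r["epoch"], r["name"]))
    return rows


def render_csv(rows) -> str:
    """Comma-separated output in the spirit of `mactime -d`: a header, then one row per line."""
    lines = ["Date,Size,Type,Mode,UID,GID,Meta,File Name"]
    for r in rows:
        lines.append(",".join([r["time"], r["size"], r["macb"], r["mode"],
                               r["uid"], r["gid"], r["inode"], r["name"]]))
    return "\n".join(lines)


if __name__ == "__main__":
    entries, bad = parse_body(SAMPLE_BODY)
    print(render_csv(mactime_rows(entries)))
    for lineno, line in bad:
        print(f"skipped malformed line {lineno}: {line}")
```

Reading the output shows why the MACB column matters: cmd.exe appears twice, once with "m.cb" at its creation time and once with ".a.." at 05:55, so the later row is an access, not a new file; the prefetch entry created in the same second corroborates that the program was run.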


log2timeline

Kristinn Gudjonsson wrote a paper for the SANS GCFA Gold certification describing a framework for artifact timeline creation and analysis. Here’s the general syntax:
log2timeline -z timezone -f plugin -r -w output-file mountpoint/

• -z timezone of the computer where the artifacts came from
• -f plugin or plugin file to run against the file/directory
• -w specifies the output file
• -r work in recursive mode
Log2timeline Usage Examples

You can specify which plugins to run and the output format too. In the example below, the plugins used are for analyzing EXIF information in files, file system metadata (MFT) and PDF details. Also, we will be writing the results to a bodyfile:

log2timeline -f exif,mft,pdf -o csv -r -w log2time.body /mnt/mountpoint


Another example:

log2timeline -z local -f win7 -w timeline.csv -r C:\

Specifying win7 will apply all the Windows 7 plugins.

Make sure to check the log2timeline help for information on what the plugins used are.


In the example below, we applied the ntuser plugin against a specific user (Administrator) and specified the timezone to be used.
log2timeline -z UTC -f ntuser -w timeline.csv -r "C:\Documents and Settings\Administrator"

Remember, if you don’t know what time zone the system was using, you must check the Windows Registry for that.


Custom Plugin List

You can create a custom file with the .lst file extension (e.g. custom.lst), add all the required plugins to it, and pass the file name (without the extension) to -f so that log2timeline applies them:

log2timeline -z UTC -f custom -w timeline.csv -r C:\


Sample of a Super Timeline created using log2timeline.


Harlan Carvey’s WFAT Tools:
There are a number of CLI tools that are used for analyzing Windows systems and could be used to create targeted timelines. Here is a short list of the tools:
• Regtime
• Evtparse and Evtxparse
• Pref, Lnk, and Jl
• Logparser, which is a good tool to parse Windows Event Logs

A full list could be found here: https://github.com/keydet89/Tools


TLN Format
The tools written by Harlan use the TLN format, which is a pipe (“|”) delimited text file with 5 fields. They are:
Time | Source | System | User | Description

Since they are delimited, they are very easy to parse.

Something to keep in mind is that the user and description fields are relatively free-form.
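An added example (not Harlan Carvey's code) that reads TLN lines in the five-field Time|Source|System|User|Description layout described above, sorts them chronologically and flags the two things that break pipe-delimited parsing: a time field that is not numeric and a free-form description that itself contains "|" (the "just no |s" rule from the Description Field slide). It assumes, as Carvey's tools do, that the Time field is a Unix epoch value in UTC; the hostname, SID and descriptions in the sample are constructed.

```python
from datetime import datetime, timezone

TLN_FIELDS = ("time", "source", "system", "user", "description")

# Constructed TLN lines; the hostname, SID and descriptions are made up. The fourth
# line deliberately violates the "no | in the description" rule, the last has a bad time.
SAMPLE_TLN = """\
1514786110|EVTX|WS01|S-1-5-21-1111111111-2222222222-3333333333-1001|Successful network logon
1514786112|REG|WS01||Remote desktop enabled
1514786140|EVTX|WS01|-|User account created
1514786165|REG|WS01||Firewall rule added | allow inbound
1514786105|PRE|WS01||CMD.EXE last run (prefetch)
not-a-time|FILE|WS01||File created
"""


def parse_tln(text: str):
    """Return (events sorted by time, warnings). Splitting on at most four '|' keeps a
    stray pipe inside the free-form description instead of shifting every later field."""
    events, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            warnings.append(f"line {lineno}: expected 5 fields, got {len(parts)}")
            continue
        event = dict(zip(TLN_FIELDS, parts))
        try:
            epoch = int(event["time"])
        except ValueError:
            warnings.append(f"line {lineno}: time field {event['time']!r} is not an epoch value")
            continue
        if "|" in event["description"]:
            warnings.append(f"line {lineno}: description contains '|'")
        event["epoch"] = epoch
        event["utc"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
        events.append(event)
    events.sort(key=lambda e: (e["epoch"], e["source"]))
    return events, warnings


def to_tln_line(event) -> str:
    """Serialise an event back to TLN, replacing '|' in the free-form user and description
    fields so the line stays parseable by a naive five-way split."""
    def clean(value: str) -> str:
        return value.replace("|", "/")
    return "|".join([str(event["epoch"]), event["source"], event["system"],
                     clean(event["user"]), clean(event["description"])])


if __name__ == "__main__":
    events, warnings = parse_tln(SAMPLE_TLN)
    for e in events:
        print(e["utc"], e["source"], e["system"], e["user"], e["description"], sep=" | ")
    for w in warnings:
        print("WARNING:", w)
```

Sorting on the epoch rather than on the raw text is what merges TLN output from several of Carvey's tools into one timeline; the warnings are kept rather than raised so a single bad line from one tool does not stop the whole merge.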


Creating a Timeline Using TSK and Introduction to Timeline Explorer


References

• MAC Times, http://forensicswiki.org/wiki/MAC_times
• Body File, http://wiki.sleuthkit.org/index.php?title=Body_file
• Time Zone Chart, http://www.cs.berkeley.edu/CT/ag4.0/appendid.htm
• Timeline Analysis, Harlan Carvey, http://windowsir.blogspot.com/2012/06/timeline-analysis.html
• Digital Forensic SIFTing: Super Timeline Analysis and Creation, http://digital-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation
• win4n6 group, https://groups.yahoo.com/neo/groups/win4n6/info
• Shellbags in Timelines, http://dfstream.blogspot.com/2012/01/including-shellbag-data-in-timelines.html
• Reviewing Timelines with Excel, http://journeyintoir.blogspot.com/2010/11/reviewing-timelines-with-excel.html
• Colorized Supertimeline, http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
