I like timelines, particularly when it comes to forensic investigations.
There I said it. The first step to addressing an issue is admitting that you have a problem.
I’ve been creating timelines since about 2008-ish, or so. I have a series of blog posts specifically on the topic of timeline analysis starting in Feb 2009, where I walk through some of the tools I used at the time to create timelines based on a 5-field “TLN” format that I developed…and still use to this day.
For example, take a look at this recent Huntress blog post regarding activity attributed to the group “MuddyWater”; the time-based information in the blog post has the “Z” stripped from the time stamp, and spacing reduced, but when I drafted parts of this blog post, those sections included timeline info.
Another example is this blog post published almost a decade ago when I was with SecureWorks, which is now owned by Sophos. Right there in Figure 1, you see a timeline excerpt in the same format I used for about 8 yrs prior to that point, and still use today.
Yes, things have changed over time. I developed eventmap to help me “tag” event records within a timeline to help separate events of interest from the noise, and I later developed Events Ripper to help develop pivot points within the timeline.
More recently, Lindsey and I published a Huntress blog based on an investigation into a threat actor’s activities that led up to ransomware being deployed. For my part, the investigation into the virtual machine (provided by the customer) involved many of the very same tools and techniques talked about in my books, going back over a decade and a half, or more. I created micro-timelines and overlays from various data sources (MFT, USN change journal, browser history, etc.), and much like the drawing of the armor from the first Iron Man movie, once the individual pieces were aligned and laid over each other, the full picture came into view.
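The micro-timeline and overlay workflow described above, as an added Python example that is not the author's code or any of his tools: each source is normalized to a five-field TLN record, the micro-timelines are overlaid into one time-ordered timeline, and simple keyword rules tag events of interest. The field layout assumed here (time as Unix epoch in UTC, source, system, user, description), the sample records and the tag rules are all constructed for illustration and are not spelled out on this page.

```python
from datetime import datetime, timezone

# Constructed sample records (not from any real case), in the rough shape each
# source's parser might emit: an MFT entry, a USN change-journal entry, browser history.
MFT_ROWS = [("2024-03-11T09:14:02Z", "HOST1", "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe", "$SI created")]
USN_ROWS = [("2024-03-11T09:14:03Z", "HOST1", "svc.exe", "DATA_EXTEND|CLOSE")]
BROWSER_ROWS = [("2024-03-11T09:12:40Z", "HOST1", "bob", "https://example.invalid/svc.exe", "download")]

# Assumed "tagging" rules so events of interest stand out from the noise:
# substring of the description -> tag. Constructed for this example.
TAG_RULES = {"\\Temp\\": "TEMP_EXEC", ".exe": "EXECUTABLE"}

def to_epoch(ts):
    """ISO-8601 'Z' timestamp -> integer Unix epoch in UTC (the assumed TLN time field)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def mft_to_tln(rows):
    # TLN tuple: (time, source, system, user, description); the MFT carries no user.
    return [(to_epoch(t), "MFT", host, "", f"{what} {path}") for t, host, path, what in rows]

def usn_to_tln(rows):
    return [(to_epoch(t), "USN", host, "", f"{name} {reason}") for t, host, name, reason in rows]

def browser_to_tln(rows):
    return [(to_epoch(t), "WEB", host, user, f"{kind} {url}") for t, host, user, url, kind in rows]

def overlay(*micro_timelines):
    """Merge micro-timelines into one timeline ordered by time, then by source name."""
    return sorted(e for tl in micro_timelines for e in tl)

def tag(events, rules=TAG_RULES):
    """Pair each event with the comma-joined tags whose keyword appears in its description."""
    return [(",".join(t for k, t in rules.items() if k in e[4]), e) for e in events]

def tln_line(event):
    """Render one event as a pipe-delimited TLN line."""
    return "|".join(str(f) for f in event)

if __name__ == "__main__":
    timeline = overlay(mft_to_tln(MFT_ROWS), usn_to_tln(USN_ROWS), browser_to_tln(BROWSER_ROWS))
    for tags, ev in tag(timeline):
        print(f"[{tags or '-'}] {tln_line(ev)}")
```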
The Power of Timelines
The DFIR Spot recently published a blog post discussing the power of forensic timelines; the blog post references this LinkedIn post from Chris Brewer, and the first line of the LinkedIn post mentions “sniper incident response”, a clear nod to Chris Pogue’s “sniper forensics”.
A timeline is a powerful tool, and not something that should be left to t
[…]