Forensics & IR
Timeline Analysis
Also known as: Super timeline, Forensic timeline
Definition
A forensic technique that reconstructs a chronological sequence of system events by correlating timestamps from filesystem, registry, log, and application artifacts.
Timeline analysis aggregates time-stamped artifacts — MFT entries, $LogFile, prefetch, registry hives, browser history, event logs, and application traces — into a unified chronological view that helps investigators establish what happened, when, and in what order. Analysts typically generate a "super timeline" with tools such as Plaso/log2timeline and then triage it in Timeline Explorer, Timesketch, or ELK. The technique is essential for scoping incidents, identifying initial access, lateral movement, and data exfiltration, and for building defensible narratives. Practitioners must account for clock skew, timezone normalization (usually UTC), and timestomping by adversaries to avoid misleading conclusions.
Examples
- Generating a Plaso super timeline from a disk image to identify the first execution of a suspicious binary.
- Correlating Windows Security event 4624 logons with prefetch entries to track an attacker's session.
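A minimal super-timeline builder, added here as an illustration and not taken from Plaso or any other tool named above: it normalizes each source's timestamp to UTC, subtracts a clock skew measured at acquisition, merges the 4624 logon, prefetch and MFT records from the examples into one ordered view, and flags a $STANDARD_INFORMATION timestamp that predates the file's own $FILE_NAME creation time as a timestomping candidate. Every artifact record, path and the 90-second skew is a constructed sample value.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts (not from a real case). Each record keeps the
# timestamp exactly as its source reports it, plus the UTC offset it was logged in.
ARTIFACTS = [
    {"source": "evtx", "ts": "2024-03-05T09:02:10", "tz": "+02:00",
     "event": "Security 4624 logon, user alice, LogonType 10"},
    {"source": "prefetch", "ts": "2024-03-05T07:05:40", "tz": "+00:00",
     "event": "SUSPECT.EXE last run"},
    {"source": "mft_si", "ts": "2021-01-01T00:00:00", "tz": "+00:00",
     "path": "C:\\Temp\\suspect.exe", "event": "$STANDARD_INFORMATION modified"},
    {"source": "mft_fn", "ts": "2024-03-05T07:05:30", "tz": "+00:00",
     "path": "C:\\Temp\\suspect.exe", "event": "$FILE_NAME created"},
]

# Clock skew per source, measured at acquisition as (host clock - reference clock).
# Constructed: the host that produced the event log ran 90 seconds fast.
CLOCK_SKEW = {"evtx": timedelta(seconds=90)}


def normalize(record):
    """Apply the source's UTC offset, convert to UTC, then subtract measured skew."""
    local = datetime.fromisoformat(record["ts"] + record["tz"])
    utc = local.astimezone(timezone.utc)
    return utc - CLOCK_SKEW.get(record["source"], timedelta(0))


def build_timeline(artifacts):
    """Merge all sources into one list of (utc_time, source, event), oldest first."""
    rows = [(normalize(a), a["source"], a["event"]) for a in artifacts]
    return sorted(rows, key=lambda row: row[0])


def timestomp_candidates(artifacts):
    """Paths whose $SI timestamp predates their own $FN creation time.

    $STANDARD_INFORMATION can be rewritten from user mode (SetFileTime), while
    $FILE_NAME is normally updated only by the kernel, so this ordering is a
    well-known timestomping indicator rather than a normal file lifecycle."""
    si = {a["path"]: normalize(a) for a in artifacts if a["source"] == "mft_si"}
    fn = {a["path"]: normalize(a) for a in artifacts if a["source"] == "mft_fn"}
    return sorted(path for path in si if path in fn and si[path] < fn[path])


if __name__ == "__main__":
    for when, source, event in build_timeline(ARTIFACTS):
        print(f"{when.isoformat()}  {source:9}  {event}")
    print("timestomp candidates:", timestomp_candidates(ARTIFACTS))
```

Once skew and offset are removed, the logon lands five minutes before the file is created and executed, which is the kind of ordering a super timeline exists to surface; the skew table would come from the acquisition notes in a real case.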
Related terms
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
Artifact Analysis
Artifact Analysis — definition coming soon.
Log Analysis
Log Analysis — definition coming soon.
Windows Registry Analysis
Windows Registry Analysis — definition coming soon.
Disk Forensics
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
Anti-Forensics
Anti-Forensics — definition coming soon.