Timeline Analysis
What is Timeline Analysis?
Timeline Analysis: A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts.
Timeline analysis aggregates time-stamped data from filesystem metadata (MACB times), event logs, registry hives, browser history, prefetch files, and application traces into a single ordered view. Investigators use it to determine when an intrusion began, which files were created or modified, and how the attacker moved through the environment. Common tools include log2timeline/Plaso, which produces a super-timeline, along with Autopsy, MFTECmd, and KAPE. Analysts must account for time-zone offsets, clock skew, and timestomping, and typically validate findings against multiple independent sources. Timeline reconstruction is central to NIST SP 800-86 incident-response workflows.
● Examples
- 01: Building a Plaso super-timeline of a compromised Windows server to identify the first execution of a malicious binary.
- 02: Correlating EVTX logon events with $MFT creation times to confirm lateral movement.
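As an added example (not code from the page or from any of the tools it names), a minimal timeline builder over constructed artifacts: it normalises an EVTX logon recorded in local time with a UTC offset and UTC-stamped $MFT and Prefetch entries into one ordered view, flags the $STANDARD_INFORMATION-older-than-$FILE_NAME pattern as a timestomping suspect, and pairs the logon with file creations shortly after it, as in example 02 above. All timestamps, paths, users and IPs are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts (not from a real case). Each source records time
# differently: EVTX in local time with a UTC offset, $MFT and Prefetch in UTC.
EVTX_LOGONS = [  # (local timestamp, utc offset hours, event id, user, source ip)
    ("2024-03-04 09:12:41", -5, 4624, "CORP\\svc-backup", "10.0.5.17"),
]
MFT_RECORDS = [  # (path, $SI created UTC, $FN created UTC)
    ("C:\\Windows\\Temp\\update.exe", "2019-01-01 00:00:00", "2024-03-04 14:13:02"),
    ("C:\\Users\\Public\\notes.txt", "2024-03-02 10:00:00", "2024-03-02 10:00:00"),
]
PREFETCH = [  # (executable, last run UTC)
    ("UPDATE.EXE", "2024-03-04 14:13:20"),
]

def utc(ts, offset_hours=0):
    """Normalise a 'YYYY-MM-DD HH:MM:SS' string to a tz-aware UTC datetime."""
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return (local - timedelta(hours=offset_hours)).replace(tzinfo=timezone.utc)

def build_timeline():
    """Merge all sources into one UTC-ordered list of (time, source, detail)."""
    events = []
    for ts, off, eid, user, ip in EVTX_LOGONS:
        events.append((utc(ts, off), "EVTX", f"{eid} logon {user} from {ip}"))
    for path, si, fn in MFT_RECORDS:
        events.append((utc(si), "MFT-SI", f"created {path}"))
        events.append((utc(fn), "MFT-FN", f"created {path}"))
    for exe, run in PREFETCH:
        events.append((utc(run), "PREFETCH", f"executed {exe}"))
    return sorted(events)

def timestomp_suspects():
    """$SI timestamps are user-writable; $FN timestamps are kernel-set. A $SI
    creation time older than $FN is a classic timestomping indicator (confirm
    against a second source, e.g. Prefetch or an event log, before concluding)."""
    return [p for p, si, fn in MFT_RECORDS if utc(si) < utc(fn)]

def correlate_logon_to_files(window_minutes=5):
    """Pair each logon with $FN file creations within the window after it."""
    hits = []
    for ts, off, eid, user, ip in EVTX_LOGONS:
        t0 = utc(ts, off)
        for path, _si, fn in MFT_RECORDS:
            dt = utc(fn) - t0
            if timedelta(0) <= dt <= timedelta(minutes=window_minutes):
                hits.append((user, ip, path, int(dt.total_seconds())))
    return hits
```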
● Frequently asked questions
What is Timeline Analysis?
A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts. It belongs to the Forensics & IR category of cybersecurity.
What does Timeline Analysis mean?
A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts.
How do you defend against Timeline Analysis?
Timeline analysis is itself an investigative technique rather than a threat, so there is nothing to defend against; what matters is keeping it reliable, which means the practices noted in the definition above: accounting for time-zone offsets and clock skew, watching for timestomping, and validating findings against multiple independent sources.
What are other names for Timeline Analysis?
Common alternative names include: Super-timeline analysis, Forensic timelining.