I like timelines, particularly when it comes to forensic investigations.
There I said it. The first step to addressing an issue is admitting that you have a problem.
I've been creating timelines since about 2008. I have a series of blog posts specifically on the topic of timeline analysis starting in Feb 2009, where I walk through some of the tools I used at the time to create timelines based on a 5-field "TLN" format that I developed, and still use to this day.
For example, take a look at this recent Huntress blog post regarding activity attributed to the group "MuddyWater"; the time-based information in the published post has the "Z" stripped from the time stamps and the spacing reduced, but when I drafted parts of that blog post, those sections included timeline info.
Another example is this blog post published almost a decade ago when I was with SecureWorks, which is now owned by Sophos. Right there in Figure 1, you see a timeline excerpt in the same format I had used for about 8 years prior to that point, and still use today.
Yes, things have changed over time. I developed eventmap to help me "tag" event records within a timeline to help separate events of interest from the noise, and I later developed Events Ripper to help develop pivot points within the timeline.
More recently, Lindsey and I published a Huntress blog based on an investigation into a threat actor's activities that led up to ransomware being deployed. For my part, the investigation into the virtual machine (provided by the customer) involved many of the very same tools and techniques talked about in my books, going back over a decade and a half, or more. I created micro-timelines and overlays from various data sources (MFT, USN change journal, browser history, etc.), and much like the drawing of the armor from the first Iron Man movie, once the individual pieces were aligned and laid over each other, the full picture came into view.

The Power of Timelines
The DFIR Spot recently published a blog post discussing the power of forensic timelines; the blog post references this LinkedIn post from Chris Brewer, and the first line of the LinkedIn post mentions "sniper incident response", a clear nod to Chris Pogue's "sniper forensics".
A timeline is a powerful tool, and not something that should be left to the end of the engagement, where an analyst manually fills in a spreadsheet because they have to. Rather, for me, a timeline has always been the first step in an engagement (yes, *after* collecting data sources). Timelines are incredible investigative tools, providing insight into activity and timing, as well as providing context.
A timeline can help direct the analyst to other data sources; if those data sources aren't available, that fact gets documented, as it can apply to control efficacy.
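To make the micro-timeline and overlay idea concrete, here is an added Python example (my own illustration, not the eventmap or Events Ripper tools) that normalises a few constructed MFT, USN journal and browser-history records into the 5-field TLN format (time|source|system|user|description), merges and sorts them, and tags events of interest from a small eventmap-style table. The host name, record values, source labels and tag table are all assumptions.

```python
# Added example, not code from the blog post or its tools: normalise constructed
# records from three sources into TLN (time|source|system|user|description),
# merge them into one timeline, and tag events of interest.
from datetime import datetime, timezone


def to_epoch(ts: str) -> int:
    """Convert an ISO-8601 UTC timestamp (e.g. 2024-03-01T10:15:00Z) to Unix epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


# Constructed micro-timelines; each source has its own native layout.
MFT_RECORDS = [  # (last-modified UTC, full path)
    ("2024-03-01T10:15:00Z", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.ps1"),
]
USN_RECORDS = [  # (UTC, file name, USN reason flags)
    ("2024-03-01T10:14:58Z", "x.ps1", "FILE_CREATE"),
    ("2024-03-01T10:15:00Z", "x.ps1", "DATA_EXTEND|CLOSE"),
]
BROWSER_RECORDS = [  # (UTC, user, URL visited)
    ("2024-03-01T10:13:40Z", "bob", "http://example.invalid/x.ps1"),
]

# Assumed eventmap-style table: (source, substring of description) -> tag
EVENTMAP = {
    ("USN", "FILE_CREATE"): "[FileCreate]",
    ("MFT", ".ps1"): "[Script]",
    ("WEBHIST", "http"): "[Download?]",
}


def build_timeline(system: str = "HOST1") -> list:
    """Normalise every record to TLN, merge, sort by time, and apply tags."""
    events = []
    for ts, path in MFT_RECORDS:  # "M..." marks the $SI last-modified time
        events.append((to_epoch(ts), "MFT", system, "-", f"M... {path}"))
    for ts, name, reason in USN_RECORDS:
        events.append((to_epoch(ts), "USN", system, "-", f"{name} {reason}"))
    for ts, user, url in BROWSER_RECORDS:
        events.append((to_epoch(ts), "WEBHIST", system, user, f"visited {url}"))
    events.sort(key=lambda e: e[0])  # stable sort keeps source order for equal times
    lines = []
    for t, src, host, user, desc in events:
        tags = "".join(tag for (s, needle), tag in EVENTMAP.items() if s == src and needle in desc)
        lines.append("|".join([str(t), src, host, user, (tags + " " if tags else "") + desc]))
    return lines


if __name__ == "__main__":
    print("\n".join(build_timeline()))
```

Once the overlays are merged, the tagged lines become the pivot points from which the surrounding untagged events are read in context.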