Timeline Analysis ⏱

Created: 18.11.2020


Below is the skeleton from the SANS 508 course description. I am using it to make up my study plan. For each step of this plan I estimate my current level of training, and I am also collecting resources for this topic under Resources.

🫑 - level 0. I know nothing and not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for the start.

🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and kind of things to look for.

🥗 - level 2. I know something about the subject, I’ve even read something about it. But no hands-on experience.

🌮 - level 3. I know quite a lot about the subject, I’ve read something about it and have some hands-on experience.

🥘 - level 4. I know a lot about the subject and have quite decent experience. This one I will only use when I am done preparing and have the first mock exam. Bonus - 🍭 real-life experience (not just labs).

🗒 - Topic-specific plan. 👌 - done, 🚧 - in progress

🗂 - references and resources.

🎯- objectives.

🏺- artifacts

🛠 - tools to learn/use.


  • Detecting malware defense evasion techniques
  • Using timeline analysis, track adversary activity by hunting an APT group’s footprints of malware, lateral movement, and persistence
  • Target hidden and time-stomped malware and utilities that advanced adversaries use to move in the network and maintain their presence
  • Track advanced adversaries’ actions second-by-second through in-depth super-timeline analysis
  • Observe how attackers laterally move to other systems in the enterprise by watching a trail left in filesystem times, registry, event logs, shimcache, and other temporal-based artifacts
  • Learn how to filter system artifact, file system, and registry timelines to target the most important data sources efficiently


Timeline analysis will change the way you approach digital forensics, threat hunting, and incident response…forever.

Learn advanced incident response and hunting techniques uncovered via timeline analysis directly from the authors who pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. Filesystem modified/access/creation/change times, log files, network data, registry data, and browser history files all contain time data that can be correlated and analyzed to rapidly solve cases. Pioneered by Rob Lee as early as 2001, timeline analysis has grown to become a critical incident response, hunting, and forensics technique. New timeline analysis frameworks provide the means to conduct simultaneous examinations on a multitude of systems across a multitude of forensic artifacts. Analysis that once took days now takes minutes.

This section will step you through two primary methods of building and analyzing timelines used during advanced incident response, threat hunting, and forensic cases. Exercises will show analysts how to create timelines and how to introduce the key analysis methods necessary to help you use those timelines effectively in your cases.

Malware Defense Evasion and Detection

  • Indicators of Compromise - YARA
  • Entropy and Packing Analysis
  • Executable Anomalies
  • Digital Signature Analysis

Timeline Analysis Overview

  • Timeline Benefits
  • Prerequisite Knowledge
  • Finding the Pivot Point
  • Timeline Context Clues
  • Timeline Analysis Process

Filesystem Timeline Creation and Analysis

  • MACB Meaning by Filesystem
  • Windows Time Rules (File Copy versus File Move)
  • Filesystem Timeline Creation Using Sleuthkit and fls
  • Bodyfile Analysis and Filtering Using the mactime Tool

Super Timeline Creation and Analysis

  • Super Timeline Artifact Rules
  • Program Execution, File Knowledge, File Opening, File Deletion
  • Timeline Creation with log2timeline/Plaso
  • log2timeline/Plaso Components
  • Filtering the Super Timeline Using psort
  • Targeted Super Timeline Creation
  • Super Timeline Analysis Techniques
  • Scaling Super Timeline Analysis


[1] About some APT groups

[2] Practical Malware Analysis book