In the first two parts of our Forensics series, we collected Artifacts (Logs) and analyzed Ghosts (RAM). But right now, we just have a pile of evidence. To catch an intruder, a Mindful Architect must become a Chronologer.
An attack is not a single event; it is a sequence of moments. Timelining is the process of lining up every log, every file change, and every network connection on a single clock, normalized to UTC, so that a file timestamp and a log entry from the same second actually land next to each other and tell the “Story” of the intrusion.
1. The Super-Timeline (MFT & Event Logs)
We start with the Master File Table (MFT), the index NTFS keeps of every file on the volume. Each MFT record carries four timestamps, Modified, Accessed, Created and Entry Modified (the MACE values; the last one records when the MFT record itself changed), and it carries them twice: once in the $STANDARD_INFORMATION attribute and once in $FILE_NAME. That duplication is a gift to the analyst. The $STANDARD_INFORMATION set is what Explorer displays and what any process can rewrite through the SetFileTime API; the $FILE_NAME set is maintained by the kernel. A file whose $STANDARD_INFORMATION Created time is earlier than its $FILE_NAME Created time has very likely been timestomped.
Plaso, whose command-line front end is log2timeline.py (one project, not two tools), parses the MFT, the Sysmon log and the other Windows Event Logs (.evtx) into a single storage file; psort.py then sorts that file and exports it.
- The Goal: one sorted export (usually CSV) in which every artifact Plaso understood sits on the same UTC clock. It is not literally every microsecond of activity; it is every microsecond the collected sources recorded, so note what was collected and what was not.
- The Revelation: You might see that at 10:01:02 AM a user logged in (Security Event ID 4624); at 10:01:05 AM a PowerShell process started (Sysmon Event ID 1); and at 10:01:10 AM a sensitive PDF was “Accessed.” Treat that last one as a bonus, not a guarantee: NTFS last-access updates are disabled by default on most Windows installs (on a live box, fsutil behavior query DisableLastAccess; from an image, the NtfsDisableLastAccessUpdate value under SYSTEM\CurrentControlSet\Control\FileSystem), so a missing Accessed update proves nothing and a present one is worth confirming.
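Here is what the merge step looks like in miniature. This is an added example, not Plaso's code and not part of the original post: it converts NTFS FILETIME values and event-log timestamps onto one UTC clock, emits one l2tcsv-style row per distinct timestamp with the MACE letters that share it, and flags a $STANDARD_INFORMATION Created time that predates $FILE_NAME Created. The MFT records and event-log lines are constructed for illustration, and the column layout is a simplification of Plaso's export.

```python
"""
Added example (not Plaso's code, not the author's): merge NTFS MFT timestamps
and Windows event-log records onto one UTC clock. All sample records below are
constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """NTFS stores times as 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    # Integer floor-division keeps exact microseconds (a float would lose precision here).
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_utc(s: str) -> datetime:
    """Accept '2024-03-05T10:01:02.000Z' (EVTX SystemTime) and '2024-03-05 10:01:05.412' (Sysmon UtcTime)."""
    s = s.strip().rstrip("Z").replace("T", " ")
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in s else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


@dataclass(order=True)
class Event:
    ts: datetime
    mace: str      # which of M/A/C/E this row carries, l2tcsv style ("M.C." etc.)
    source: str
    message: str


def _ft(s: str) -> int:
    return utc_to_filetime(parse_utc(s))


# Constructed MFT records: $STANDARD_INFORMATION (si) and $FILE_NAME (fn) MACE sets.
MFT = [
    {"path": r"C:\Users\alice\Downloads\invoice.pdf",
     "si": {"M": _ft("2024-03-05 09:40:00"), "A": _ft("2024-03-05 10:01:10"),
            "C": _ft("2024-03-05 09:40:00"), "E": _ft("2024-03-05 10:01:10")},
     "fn": {k: _ft("2024-03-05 09:40:00") for k in "MACE"}},
    # Dropper whose $SI was pushed back to 2019 with SetFileTime; $FN still says today.
    {"path": r"C:\Windows\Temp\update.exe",
     "si": {"M": _ft("2019-06-01 08:00:00"), "A": _ft("2019-06-01 08:00:00"),
            "C": _ft("2019-06-01 08:00:00"), "E": _ft("2024-03-05 10:01:07")},
     "fn": {k: _ft("2024-03-05 10:01:07") for k in "MACE"}},
]

# Constructed event-log records (already UTC, as EVTX and Sysmon store them).
EVTX = [
    {"ts": "2024-03-05T10:01:02.000Z", "log": "Security", "id": 4624,
     "msg": "Logon alice, LogonType 10, from 203.0.113.7"},
    {"ts": "2024-03-05 10:01:05.412", "log": "Sysmon", "id": 1,
     "msg": "powershell.exe -nop -w hidden, parent OUTLOOK.EXE"},
]


def mft_events(rec: dict) -> list[Event]:
    """One row per distinct timestamp in each attribute; letters mark which MACE fields share it."""
    rows = []
    for attr in ("si", "fn"):
        stamps = rec[attr]
        for ft in sorted(set(stamps.values())):
            flags = "".join(l if stamps[l] == ft else "." for l in "MACE")
            rows.append(Event(filetime_to_utc(ft), flags, f"MFT ${attr.upper()}", rec["path"]))
    return rows


def evtx_events(recs: list[dict]) -> list[Event]:
    return [Event(parse_utc(r["ts"]), "....", f"{r['log']} EID {r['id']}", r["msg"]) for r in recs]


def build_super_timeline(mft: list[dict], evtx: list[dict]) -> list[Event]:
    rows = [e for r in mft for e in mft_events(r)] + evtx_events(evtx)
    return sorted(rows)  # Event is an ordered dataclass; ts is its first field


def timestomp_suspects(mft: list[dict]) -> list[str]:
    """SetFileTime rewrites $SI only; $FN is set by the kernel. $SI Created earlier than $FN Created is the classic tell."""
    return [r["path"] for r in mft if r["si"]["C"] < r["fn"]["C"]]


def to_csv(events: list[Event]) -> str:
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["date", "time", "timezone", "MACE", "source", "message"])
    for e in events:
        w.writerow([f"{e.ts:%m/%d/%Y}", f"{e.ts:%H:%M:%S}", "UTC", e.mace, e.source, e.message])
    return buf.getvalue()


if __name__ == "__main__":
    timeline = build_super_timeline(MFT, EVTX)
    print(to_csv(timeline))
    print("timestomp suspects:", timestomp_suspects(MFT))
```

Run it and the dropper surfaces twice: once in 2019 on its forged $STANDARD_INFORMATION row, and once at 10:01:07 on the kernel-set $FILE_NAME row, two seconds after the PowerShell process started. That is the pattern to look for whenever a file's “Created” time seems too convenient.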
2. Pivoting on a “Point of Origin”
A timeline allows you to “Pivot.” If you find a malicious file created at a specific time, take its $FILE_NAME Created time as the anchor and look at the 60 seconds before it.
- Who was logged in (Security Event ID 4624, and from where)?
- What process wrote that file (Sysmon Event ID 11, FileCreate, names the image that created it; Event ID 1 names that image's parent)?
- What did the computer talk to right before it happened (Sysmon Event ID 22 for DNS lookups, Event ID 3 for network connections)?
This is how we find Patient Zero—the original source of the infection.
3. The “Gap” Analysis
Sometimes, the most important part of a timeline is what isn’t there.
- If there is a 10-minute gap where no logs exist, from any source, did the attacker clear the logs? Windows records the clearing itself: Security Event ID 1102 (“The audit log was cleared”) and System Event ID 104 survive as the first entries in the fresh log, and if Sysmon captures process creation, the wevtutil.exe or PowerShell process that did it is there too.
- If a file's content changed but no process activity touches it at that moment, and its timestamps look older than everything around it, compare $STANDARD_INFORMATION with $FILE_NAME: either the attacker timestomped it, or logging was disabled while they worked.
- The Lesson: In forensics, silence is often a scream.
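The pivot and the gap check are two passes over the same sorted data, so one added example covers both. This is not code from the original post; it runs over a constructed slice of a super-timeline (already in UTC and sorted) and answers the three pivot questions from the 60 seconds before the anchor, then reports any stretch with no event from any source and checks whether that silence ends in a log-clearing event. The event IDs are real (Security 4624 logon, 1102 audit log cleared; System 104 System log cleared; Sysmon 1 process create, 11 file create, 22 DNS query); the records, hosts and domain are made up.

```python
"""
Added example (not from the original post): pivot on a point of origin and
run a gap check over a constructed slice of a super-timeline.
"""
from datetime import datetime, timedelta, timezone


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed, already normalised to UTC and sorted.
TIMELINE = [
    {"ts": utc("2024-03-05 09:58:30"), "source": "Security", "eid": 4624, "user": "alice",
     "detail": "LogonType 2 (console)"},
    {"ts": utc("2024-03-05 10:01:02"), "source": "Security", "eid": 4624, "user": "alice",
     "detail": "LogonType 10 from 203.0.113.7"},
    {"ts": utc("2024-03-05 10:01:04"), "source": "Sysmon", "eid": 22, "image": "OUTLOOK.EXE",
     "detail": "DnsQuery files.example.net"},
    {"ts": utc("2024-03-05 10:01:05"), "source": "Sysmon", "eid": 1, "image": "powershell.exe",
     "parent": "OUTLOOK.EXE", "detail": "powershell.exe -nop -w hidden"},
    {"ts": utc("2024-03-05 10:01:07"), "source": "Sysmon", "eid": 11, "image": "powershell.exe",
     "target": r"C:\Windows\Temp\update.exe", "detail": "FileCreate"},
    {"ts": utc("2024-03-05 10:01:07"), "source": "MFT $FN", "eid": None,
     "target": r"C:\Windows\Temp\update.exe", "detail": "Created"},
    {"ts": utc("2024-03-05 10:01:10"), "source": "MFT $SI", "eid": None,
     "target": r"C:\Users\alice\Downloads\invoice.pdf", "detail": "Accessed"},
    {"ts": utc("2024-03-05 10:02:30"), "source": "Sysmon", "eid": 1, "image": "wevtutil.exe",
     "parent": "powershell.exe", "detail": "wevtutil.exe cl Security"},
    # Nothing for 11.5 minutes, then the fresh Security log opens with the clearing event.
    {"ts": utc("2024-03-05 10:14:00"), "source": "Security", "eid": 1102, "user": "alice",
     "detail": "The audit log was cleared"},
    {"ts": utc("2024-03-05 10:14:45"), "source": "Sysmon", "eid": 1, "image": "cmd.exe",
     "parent": "powershell.exe", "detail": "cmd.exe /c whoami"},
]

LOG_CLEARED = {("Security", 1102), ("System", 104)}


def find_anchor(timeline, path):
    """The point of origin: the kernel-set $FILE_NAME 'Created' row for the suspicious file."""
    return next(e for e in timeline if e["source"] == "MFT $FN" and e.get("target") == path)


def pivot(timeline, anchor, window=timedelta(seconds=60)):
    """Everything on the clock in the window leading up to the anchor (anchor itself excluded)."""
    return [e for e in timeline
            if anchor["ts"] - window <= e["ts"] <= anchor["ts"] and e is not anchor]


def origin_questions(window_events):
    """The three pivot questions: who was logged in, what wrote the file, what was contacted."""
    return {
        "logons": [f"{e['user']} {e['detail']}" for e in window_events
                   if e["source"] == "Security" and e["eid"] == 4624],
        "created_by": [e["image"] for e in window_events
                       if e["source"] == "Sysmon" and e["eid"] == 11],
        "dns": [e["detail"].split()[-1] for e in window_events
                if e["source"] == "Sysmon" and e["eid"] == 22],
    }


def find_gaps(timeline, threshold=timedelta(minutes=10)):
    """Stretches with no event from any source; returns (last_before, first_after, length)."""
    ordered = sorted(timeline, key=lambda e: e["ts"])
    return [(a["ts"], b["ts"], b["ts"] - a["ts"])
            for a, b in zip(ordered, ordered[1:]) if b["ts"] - a["ts"] >= threshold]


def explain_gap(timeline, gap):
    """Silence that ends in a 'log cleared' event, with a clearing tool just before it, is not an outage."""
    start, end, _ = gap
    first_after = next(e for e in timeline if e["ts"] == end)
    tools = [e["detail"] for e in timeline
             if e["source"] == "Sysmon" and e["eid"] == 1
             and start - timedelta(minutes=5) <= e["ts"] <= start
             and "wevtutil" in e["detail"].lower()]
    if (first_after["source"], first_after["eid"]) in LOG_CLEARED:
        return (f"log cleared: {first_after['source']} EID {first_after['eid']} at {end:%H:%M:%S}Z"
                + (f", preceded by '{tools[0]}'" if tools else ""))
    return "unexplained: rule out an agent or forwarding outage before assuming tampering"


if __name__ == "__main__":
    anchor = find_anchor(TIMELINE, r"C:\Windows\Temp\update.exe")
    print(origin_questions(pivot(TIMELINE, anchor)))
    for gap in find_gaps(TIMELINE):
        print(gap, "->", explain_gap(TIMELINE, gap))
```

The window before update.exe answers all three questions from the text (a remote logon for alice, powershell.exe as the writer, a DNS lookup from Outlook just before), and the gap check turns an 11-minute silence into a named event: the log was cleared, and the process that cleared it is the last thing recorded before the quiet. The “unexplained” branch matters just as much; a forwarding outage looks identical until you check for it.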
[Image: A zoomed-in view of a forensic timeline (SANS SIFT workstation style) showing a sequence of malicious events]
The Architect’s Reflection
In our lives, we often look at our mistakes as isolated incidents. We say, “I just lost my temper” or “I just forgot that task.” But if we “Timeline” our own lives, we see a chain of causality. We see that the “lost temper” was preceded by three nights of poor sleep, a skipped breakfast, and a stressful email.
A Mindful Architect practices Causality Awareness.
Nothing in your city happens in a vacuum. Every “Incident” is the end of a long chain of smaller events. When you learn to see the timeline, you stop blaming “bad luck” and start seeing the Patterns. Once you see the pattern, you can break the chain.
The story of the past is the blueprint for a safer future.
Next in the Series: The Digital Post-Mortem — Healing the city and moving forward.
Can you see the chain? The first time you build a “Super-Timeline,” the sheer scale of data can be overwhelming. But stick with it—the moment the dots connect is the moment you truly become a Master Defender. Have you ever used Plaso to build a timeline? Let’s share tips in the comments!
Tags: #Plaso #Timelining #DFIR #IncidentResponse #ActiveDirectory #CyberSecurity.