Building an Incident Timeline

Building an incident timeline is one of the most important steps in digital forensics and incident response. A timeline visualizes the attacker’s actions, the system’s behavior, and the victim’s activity in chronological order. This helps investigators understand how the compromise started, how the attacker moved, what data was accessed, and where to focus remediation.


Why Incident Timelines Matter

A well-built timeline reveals:

  • Initial access

  • Privilege escalation

  • Persistence mechanisms

  • Lateral movement

  • Data staging or exfiltration

  • Malware execution

  • Cleanup attempts

  • Command sequences

Timelines turn scattered logs into a coherent narrative of the attack.


Sources of Evidence Used for Timeline Creation

Timelines are created by combining many different artifacts.


System & OS Logs

Examples:

  • Windows Event Logs

  • Linux auth logs

  • macOS Unified Logs

  • Sysmon

Useful for:

  • Logon activity

  • Process creation

  • Service manipulation


Disk Artifacts

From:

  • Master File Table (MFT)

  • Registry hives

  • LNK files

  • Jump Lists

  • Browser artifacts

  • Prefetch files

These show:

  • Program executions

  • File access patterns

  • User behavior


Network Evidence

Includes:

  • DNS logs

  • Firewall logs

  • Proxy logs

  • PCAP captures

  • IDS/IPS alerts

Shows:

  • C2 connections

  • Beaconing

  • Exfiltration

  • Lateral movement


Memory Evidence

From:

  • Volatility

  • Rekall

  • EDR memory dumps

Shows:

  • Injected code

  • Active malware

  • Unlinked processes


Cloud Logs

Such as:

  • AWS CloudTrail

  • Azure Activity Logs

  • GCP Audit Logs

Shows:

  • IAM changes

  • API misuse

  • Storage access


Application Logs

From:

  • Web servers

  • Databases

  • VPN systems

  • Email servers

Shows:

  • Failed login attempts

  • Suspicious uploads

  • SQL injection indicators


Steps to Build an Incident Timeline


1. Collect All Relevant Evidence

Gather logs and artifacts from:

  • Endpoints

  • Servers

  • Network devices

  • Cloud services

  • Memory images

  • Disk images

Avoid modifying evidence and maintain chain of custody.


2. Normalize Log Formats

Different evidence formats must be converted into a unified structure:

  • Timestamp

  • Event description

  • Source system

  • User or process

  • IP addresses

  • Additional metadata

Tools like Plaso, Timesketch, KAPE, and ELK help normalize data.


3. Convert Artifacts into Time-Based Records

Examples:

  • Extract MAC times from file systems

  • Parse registry last-write timestamps

  • Convert EVTX logs to CSV

  • Extract Sysmon event timestamps

  • Map DNS query times

Every record gets a timeline entry.


4. Merge Events Chronologically

Sort all events by timestamp:

  • Oldest → newest

  • Or phase-based ordering

Merging exposes attacker activity hidden across multiple systems.


5. Identify Key Moments in the Attack

Mark important events such as:

  • Initial compromise

  • First execution

  • Privilege escalation

  • Credential access

  • Lateral movement

  • Persistence installation

  • Data collection

  • Exfiltration

  • Cleanup or log deletion

These form the backbone of the timeline.


6. Correlate Across Multiple Sources

Correlation reveals:

  • Same user logging into different machines

  • Same IP interacting with multiple services

  • Malware process spawning child processes

  • A change in IAM followed by suspicious API calls

Cross-source correlation confirms the attacker’s path.


7. Visualize the Timeline

Use tools like:

  • Timesketch

  • Kibana

  • Excel

  • Plaso output

  • ELK dashboards

  • Maltego event chains

Visualization makes patterns obvious.


8. Validate and Refine the Timeline

Check for:

  • Gaps

  • Time skew

  • Missing logs

  • Duplicate entries

  • Incorrect timezone handling

Timestamps must be normalized to a single timezone.


9. Create a Narrative Summary

Write a concise narrative describing:

  • How the attacker entered

  • What they did at each stage

  • What data was affected

  • When the attack was discovered

  • How the system responded

This narrative is included in the final incident report.
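
As an added example (not code from the original article or from any of the tools it names), the following Python carries steps 2 through 8 through on three constructed log records: each parser emits the unified structure from step 2 with a UTC timestamp, merge_timeline sorts the entries, drops duplicates and flags gaps as step 8 asks, and correlate_by_ip gives the step 6 cross-source view. The sample lines, host names, user, IP and domain are constructed, and the syslog year (which auth.log omits) is an assumption passed in as a parameter.

```python
import re
from datetime import datetime, timezone, timedelta
# Constructed sample records (not from the article): a Windows logon exported to
# CSV in local time (UTC-5), a Linux auth.log line (UTC, no year), a DNS resolver line.
WIN_CSV = "2024-03-04 09:15:02,4624,WORKSTATION01,alice,10.0.0.55"
AUTH_LOG = "Mar  4 14:16:40 srv01 sshd[2201]: Accepted password for alice from 10.0.0.55 port 51234 ssh2"
DNS_LOG = "2024-03-04T14:20:11Z client 10.0.0.55 query: updates.unusual-domain.test"

def record(ts, source, desc, user, ip):
    """Step 2: the unified structure every source is normalized into (ts is UTC-aware)."""
    return {"ts": ts, "source": source, "desc": desc, "user": user, "ip": ip}

def from_windows_csv(line, utc_offset_hours):
    ts, event_id, host, user, ip = line.split(",")
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return record(local.astimezone(timezone.utc), host, f"EVTX {event_id} logon", user, ip)

def from_auth_log(line, year=2024):  # assumption: syslog omits the year, analyst supplies it
    m = re.match(r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                 r"Accepted \w+ for (\S+) from (\S+)", line)
    mon, day, clock, host, user, ip = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return record(ts.replace(tzinfo=timezone.utc), host, "SSH login accepted", user, ip)

def from_dns_log(line):
    ts, ip, name = re.match(r"(\S+) client (\S+) query: (\S+)", line).groups()
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record(ts, "resolver", f"DNS query {name}", None, ip)

def merge_timeline(entries, max_gap=timedelta(hours=1)):
    """Steps 4 and 8: sort into UTC order, drop exact duplicates, flag large gaps."""
    seen, timeline, warnings = set(), [], []
    for e in sorted(entries, key=lambda e: e["ts"]):
        key = (e["ts"], e["source"], e["desc"])
        if key in seen:
            warnings.append(f"duplicate dropped: {key}")
            continue
        seen.add(key)
        if timeline and e["ts"] - timeline[-1]["ts"] > max_gap:
            warnings.append(f"gap of {e['ts'] - timeline[-1]['ts']} before {e['desc']}")
        timeline.append(e)
    return timeline, warnings

def correlate_by_ip(timeline):
    """Step 6: the source systems each IP touched, in chronological first-seen order."""
    by_ip = {}
    for e in timeline:
        hosts = by_ip.setdefault(e["ip"], [])
        if e["source"] not in hosts:
            hosts.append(e["source"])
    return by_ip
```

With the sample records, the Windows logon at 09:15:02 local sorts first once shifted to 14:15:02 UTC; without the timezone step it would wrongly appear five hours before the SSH login it precedes by only 98 seconds.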


Common Timeline Indicators to Look For

  • Repeated authentication failures

  • New user accounts or role changes

  • Suspicious process creation

  • Remote connections at odd hours

  • Sudden file encryption

  • Large volumes of file reads

  • DNS queries to unusual domains

  • Disabled security tools

  • Deleted logs

These signal malicious activity.


Tools for Building Incident Timelines

Plaso / log2timeline

Combines multiple evidence sources into a unified timeline.

Timesketch

Searchable, collaborative timeline analysis.

ELK Stack

Large-scale timeline and log analytics.

KAPE

Creates triage timelines from Windows systems.

Autopsy / The Sleuth Kit

Builds bodyfile timelines from disk images.

Excel / CSV Analysis

Simple but effective for manual timeline work.


Intel Dump

  • Incident timelines merge data from OS logs, disk artifacts, network captures, memory images, cloud logs, and application logs.

  • Steps include collecting evidence, normalizing formats, extracting time-based events, sorting chronologically, correlating across sources, and visualizing the final sequence.

  • Key events include initial access, execution, persistence, privilege escalation, lateral movement, staging, exfiltration, and cleanup.

  • Tools like Plaso, Timesketch, ELK, KAPE, and Autopsy help automate and visualize timeline creation.
