Building a forensic timeline is one of the most important steps in incident investigation. A well-constructed timeline allows investigators to understand what happened, when it happened, and how the attacker moved through the system. Timelines combine evidence from logs, file metadata, memory artifacts, browser data, and system events to form a clear chronological narrative of the intrusion.

This chapter explains the sources of timeline data, how to parse and correlate events, and how forensic analysts reconstruct attacks from scattered artifacts.

What Is a Forensic Timeline?

A forensic timeline is a chronological sequence of events collected from digital evidence.
It shows:

User actions
Malware activity
System changes
File modifications
Network events
Authentication attempts
Persistence creation
Data exfiltration steps

A timeline reveals patterns that individual artifacts cannot.

Goals of Timeline Analysis

Reconstruct attacker behavior
Understand initial entry point
Identify lateral movement
Trace file creation/modification
Detect persistence and malware execution
Correlate logs from different sources
Validate or refute hypotheses
Establish legal evidence sequence

Sources of Timeline Evidence

Forensic timelines rely on many independent data points across the system.

1. File System Timestamps

MAC times (Modified, Accessed, Created):

NTFS: Created, Modified, Accessed, Entry Modified
EXT4/APFS: Varies by system
Evidence of file creation, execution, deletion, staging

Tools:

FTK Imager
Autopsy
Sleuth Kit (mactime)

2. System Logs

Logs provide timestamped records of system activity.

Windows:

Security logs
Event logs (4624 logon, 4688 process creation)
PowerShell logs
Sysmon events

Linux:

/var/log/auth.log
/var/log/syslog
Systemd journal

macOS:

Unified logs
TCC database
LaunchServices

Logs reveal authentication attempts, command execution, crashes, privilege escalation, and system failures.

3. Memory Artifacts

Memory dumps contain:

Running processes
Network connections
Injection timestamps
Process start times
Malicious threads
Command-line history

Memory provides “snapshot moments” vital for timeline gaps.

4. Browser & Application Artifacts

Sources include:

Browser history & cache
Downloads
Cookie timestamps
Cloud sync activity
Messaging timestamps

Useful for phishing, credential theft, and user activity reconstruction.

5. Persistence Indicators

Timeline entries include:

Creation of scheduled tasks
New services installed
Registry run keys created
New cron files
LaunchAgents added

These show how and when persistence was established.

6. Network Logs

Network data reveals:

Connections to C2 servers
DNS requests
Beacon intervals
Exfiltration events
Remote login attempts

Pairing network timestamps with host activity exposes attacker movements.

7. External Logs (Cloud / Firewall / SIEM)

Cloud (AWS, Azure, GCP):

API calls
IAM changes
Login events

Firewall / IDS:

Blocked connections
Traffic anomalies

These extend the event chain beyond the endpoint.

How to Build a Forensic Timeline

Step 1: Collect Timestamped Events

Gather all available timestamps from:

File metadata
Event logs
Memory analysis
Browser data
Registry keys
Network packets
Application logs

Merge everything into a single dataset.

Step 2: Normalize Timestamps

Different sources use:

UTC
Local time
Epoch time
UNIX timestamps
FILETIME (Windows)

Normalize all timestamps into one standard (e.g., UTC).

Step 3: Correlate Events

Look for event relationships:

Process creation → registry modification → network connection
File creation → execution → deletion
Login event → lateral movement → privilege escalation

Correlation exposes attacker patterns.

Step 4: Identify Anomalies

Examples:

Logons at unusual times
Rapid creation of multiple files
Execution of unsigned binaries
Connections to rare foreign IPs
Processes launching outside normal working hours

Anomalies point directly to malicious behavior.

Step 5: Reconstruct the Attack Chain

Typical timeline sequences:

Initial Access

Phishing email → malicious document → payload drop

Execution

User opens file → process spawns → injector loads DLL

Persistence

Service created → registry key added → cron job installed

Lateral Movement

New credentials → remote login → file transfer

Exfiltration

DNS tunnels → HTTP POST → cloud storage uploads

Cleanup

Log clearing → file deletion → timestamp manipulation

A full timeline provides the complete narrative.

Tools Used for Timeline Analysis

Sleuth Kit & Autopsy

mactime
l2t_csv.py

log2timeline (Plaso)

Unified timeline creator
Parses thousands of artifact types

Timesketch

Powerful web UI for timeline visualization
Collaboration and tagging

Elastic / Splunk

Great for ingesting large event volumes

Memory Forensics (Volatility)

Process start times
Network artifacts

Timeline Analysis Best Practices

Always convert timestamps to the same time zone
Maintain an evidence worksheet
Mark events as benign, suspicious, or malicious
Validate every assumption using multiple artifacts
Watch for timestamp tampering
Correlate logs with memory artifacts
Include both user and system activity
Create multiple timeline layers (host, network, cloud)

Intel Dump

A forensic timeline is a chronological reconstruction of events from logs, file system metadata, memory artifacts, network traffic, and cloud/system activity.
Sources include MAC times, Windows event logs, syslogs, browser data, persistence artifacts, memory processes, network logs, and cloud audit records.
Building a timeline requires collecting timestamps, normalizing them to a single format, correlating related events, and identifying anomalies.
Tools such as Sleuth Kit, Plaso, Timesketch, Volatility, Elastic, and Autopsy help generate timelines across large datasets.
A well-built timeline reveals initial access, execution, persistence, lateral movement, privilege escalation, exfiltration, and cleanup stages of an attack.

Building a Forensic Timeline