Timeline construction using OS and memory artifacts integrates timestamps from diverse sources like file metadata, event logs, registry entries, and RAM structures to create chronological event sequences that reveal incident progression, attacker actions, and system behaviors.
This process merges disk-based persistence evidence with volatile runtime data, enabling investigators to correlate activities across acquisition phases for comprehensive reconstruction.
Principles of Timeline Construction
Timelines order events by extracting and normalizing timestamps from multiple artifacts, filtering noise to highlight relevant sequences.
Extract MACB (Modified, Accessed, Changed, Born) timestamps from filesystems, event IDs with their timestamps from logs, and process creation times from memory structures. Normalization converts each source's native format to a common epoch and time zone (FAT local time vs. NTFS FILETIME); super timelines combine all sources into a single view, color-coded by source.
Tools surface anomalies by filtering (e.g., unknown processes during the breach window).
Key OS Artifacts for Timelines
OS structures provide foundational timestamps linking user actions to system states.

Correlate across: File creation (MFT) → Execution (Prefetch) → Network logon (auth.log).

Memory Artifacts in Timeline Integration
RAM dumps contribute runtime context absent from disk.
Process creation times from _EPROCESS lists align with disk prefetch; network sockets show active C2 during file modifications. Volatility plugins (pslist, netscan) export timestamps; merge them with disk super timelines via epoch conversion. This detects short-lived malware that never appears in logs.
Memory-specific:
1. VAD trees: DLL loads correlating to injected code timestamps.
2. Socket states: Connection establishment vs. exfiltration logs.
Tools and Workflow for Super Timelines
Automated pipelines generate unified views from heterogeneous sources.
1. Acquisition: Disk image + RAM dump.
2. Parsing: Plaso/log2timeline extracts bodyfile (time, source, desc).
3. Timeline Generation: psort filters by window; Timeline Explorer visualizes.
4. Analysis: Color-code (green=normal, red=suspicious); zoom to anomalies.
5. Correlation: Link memory process PID to disk event ID.
Commercial: Magnet AXIOM, EnCase integrate memory modules.

Practical Application and Challenges
Timelines answer "what happened when" in breaches.
Ransomware example: Memory socket (Tier 2 volatile) → Prefetch execution → MFT encryption timestamps → Event 7045 service install. Challenges: clock skew, timezone mismatches, and anti-forensics (timestomping); mitigate via multi-source validation and anomaly baselines.
Layered approach: Macro (days) → Micro (hours) zoom reveals sequences; export for reports with screenshots.
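As an added example (not code from the original page or from any tool it names), the following Python script carries out the normalization, merge, window filter and multi-source validation described in the principles, workflow and challenges sections above. The artifact records, FILETIME values, paths, PID, prefetch filename and addresses are constructed sample data; the record layout is assumed, not Plaso's or Volatility's actual output format.

```python
from datetime import datetime, timezone, timedelta

FILETIME_EPOCH_DIFF = 11644473600  # seconds from 1601-01-01 (FILETIME) to 1970-01-01 (Unix)

def filetime_to_epoch(ft: int) -> float:
    """NTFS MFT / Prefetch FILETIME (100-ns ticks since 1601-01-01 UTC) -> Unix seconds."""
    return ft / 10_000_000 - FILETIME_EPOCH_DIFF

def fat_to_epoch(local: str, tz_hours: float) -> float:
    """FAT stores local time with no zone, so the examiner must supply the offset."""
    tz = timezone(timedelta(hours=tz_hours))
    return datetime.strptime(local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).timestamp()

def iso_to_epoch(s: str) -> float:
    """Event log and memory plugin rows are assumed exported as ISO 8601 with a zone."""
    return datetime.fromisoformat(s).timestamp()

def normalize(artifacts):
    """Map each raw record to (epoch_utc, source, description); one branch per timestamp format."""
    out = []
    for a in artifacts:
        if a["src"] in ("mft", "prefetch"):
            out.append((filetime_to_epoch(a["ft"]), a["src"], a["desc"]))
        elif a["src"] == "fat":
            out.append((fat_to_epoch(a["local"], a["tz_hours"]), "fat", a["desc"]))
        else:  # evtx, mem:pslist, mem:netscan
            out.append((iso_to_epoch(a["time"]), a["src"], a["desc"]))
    return out

def super_timeline(artifacts, start, end):
    """Merged, sorted view limited to the breach window (the psort-style filter)."""
    return sorted(e for e in normalize(artifacts) if start <= e[0] <= end)

def timestomp_suspects(artifacts):
    """Multi-source validation: a process seen in memory cannot start before its image was born
    on disk, so an earlier pslist time than MFT Born is an inconsistency to investigate."""
    born = {a["path"].lower(): filetime_to_epoch(a["ft"]) for a in artifacts if a["src"] == "mft"}
    return [a["path"] for a in artifacts if a["src"] == "mem:pslist"
            and a["path"].lower() in born and iso_to_epoch(a["time"]) < born[a["path"].lower()]]

# Constructed sample records (not from a real case). Host clock is UTC; the USB stick is FAT at UTC+2.
EXE = r"C:\Users\bob\evil.exe"
ARTIFACTS = [
    {"src": "mft", "path": EXE, "ft": 133541065500000000, "desc": f"born {EXE}"},            # 10:02:30Z
    {"src": "prefetch", "ft": 133541065330000000, "desc": "EVIL.EXE-1A2B3C4D.pf last run"},    # 10:02:13Z
    {"src": "fat", "local": "2024-03-05 11:55:00", "tz_hours": 2, "desc": r"written E:\evil.exe"},
    {"src": "mem:pslist", "path": EXE, "time": "2024-03-05T10:02:13+00:00", "desc": "pid 4412 evil.exe created"},
    {"src": "mem:netscan", "time": "2024-03-05T10:02:15+00:00", "desc": "pid 4412 10.0.0.5:49212 -> 203.0.113.7:443 ESTABLISHED"},
    {"src": "evtx", "time": "2024-03-05T10:03:40+00:00", "desc": "7045 service installed: UpdSvc"},
    {"src": "evtx", "time": "2024-03-01T08:00:00+00:00", "desc": "4624 logon, days before the window"},
]
WINDOW = (iso_to_epoch("2024-03-05T09:50:00+00:00"), iso_to_epoch("2024-03-05T10:10:00+00:00"))
```

Calling `super_timeline(ARTIFACTS, *WINDOW)` yields the USB write, the process start and prefetch run, the C2 socket, the MFT Born time and the service install in order, with the old logon filtered out; `timestomp_suspects(ARTIFACTS)` flags evil.exe because its disk Born time postdates its process creation in memory.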