SANS Digital Forensics and Incident Response Blog

Digital Forensics SIFT'ing: Cheating Timelines with log2timeline

Hopefully at one point in time everyone has experienced the enjoyment of a teacher that allowed them to use a "cheat sheet" on a test. For the unfamiliar, the concept is simple; take an 8.5 x 11" piece of paper, cram as much information as you can on both sides, and use it as an open reference for a test. The key was not only to put as much information as you could fit on the two-sided document, but for that information to be neatly organized and readily accessible so you could quickly reference information and articulate answers before the test clock ran out.

Without question, it can be challenging to memorize commands, and at other times too time-consuming to search through #DFIR resources (online resources, books, notes, contacts, etc.) to answer questions like "Is there an alternative to mounting split .e01 image in SIFT workstation if fails?" or "How do I create a GREP statement that shows me all sources in a timeline?"

It was not long until I found myself taking the "cheating" outside of school and into my #DFIR career. Within months I found it instrumental to create cheat sheets for all types of tools and processes, including imaging using dc3dd, GREP expression examples, exporting mailboxes using Microsoft Exchange cmdlets, etc. At first I thought it was a great personal resource, but then everyone who saw them wanted a copy! I found that beginners used them as guides and experts liked them to reference the commands they rarely used.

As a novice user of "off the shelf" forensic products, I naturally gravitated to the SANS SIFT workstation when I heard about its capabilities (and NO cost!). It was great to see an open source initiative in the #DFIR community, such as log2timeline, that had features in some respect that would only be expected from expensive off the shelf products.

After reading Rob Lee's blog titled "How to Make a Difference in the Digital Forensics and Incident Response Community," I thought to myself, perhaps if I created a cheat sheet for log2timeline it would make a difference? You be the judge. At the #SANS360 event in DC I released what will hopefully be one of many cheat sheets to come.

  • On the front side there is a basic checklist of items that can be considered when building an analysis work plan prior to performing computer forensic analysis.

  • On the back there is a simple workflow for how to use SIFT and log2timeline to produce, filter, and review timelines.

>>>> Download the PDF version of this cheat sheet (right-click and click Save As)

Note: It's intended to be printed in color, double-sided and laminated. Credits to Ed Goings, Rob Lee, Kristinn Gudjonsson, and SANS for content.

About author:

David Nides is a Senior in KPMG's Forensic Technology Services practice in Chicago, IL. He currently plays a lead role in KPMG's national Incident Response team consulting clients globally in APT, data breach, and other cyber crime investigations. You can follow David on Twitter @davnads or at his forensic blog.


Posted December 17, 2011 at 3:59 AM


Great job!!! Congrats!!!

Posted December 19, 2011 at 5:33 PM

Chad Tilbury

Great job David!

Posted January 19, 2012 at 11:19 PM


Thanks for composing and sharing the SIFT'ing cheatsheet. Looks great.

Posted February 22, 2012 at 3:25 AM


I like this. Just as you say, it helps me organize the ideas. Thanks!

Posted March 19, 2012 at 1:55 PM


Thanks everyone for the feedback. Let me know if you would like to see any edits/additions for future versions. Thanks!

Posted March 19, 2012 at 10:28 AM


As someone who tried to do the same thing and failed miserably I have to congratulate you. This is simply FANTASTIC. If you're more or less new in the field (like myself) this is invaluable. As a digital forensics investigator your actions and reports can have substantial consequences on someone's life. You cannot do a half-assed job. This checklist makes sure you cover everything.

Posted November 1, 2012 at 6:01 PM


Nice job but there are warnings related to output to file in line 400 due to apparent Unicode processing issues which can easily be fixed.
The warning:
"Wide character in print at /usr/bin/log2timeline-sift line 400"
The fix:
my $ofile = $store_point . '/' . $file_name . '_bodyfile.txt';
open( TF, ">:utf8", $ofile ) or die( 'Unable to create the bodyfile ' . $store_point . '/' . $file_name . '_bodyfile.txt, not enough access rights?' );

Posted May 20, 2014 at 2:45 PM


Nothing short of awesome. As a practitioner with 5 years' experience, this is still invaluable for old and new. Thanks for sharing.