SANS Digital Forensics and Incident Response Blog: Category - Timeline Analysis

Digital Forensics Case Leads: Bulk_extractor how-to, Verizon Report, FTK review, China prime suspect in RSA and other incidents

In this week's edition of Case Leads we have a how-to for Bulk_extractor's find feature, first impressions on the new database options in FTK, an extension for log2timeline for parsing the cache in Firefox, the Verizon data breach report, and statements by current and former US government officials about Stuxnet and China. If you have … Continue reading Digital Forensics Case Leads: Bulk_extractor how-to, Verizon Report, FTK review, China prime suspect in RSA and other incidents


Digital Forensics SIFT'ing: Cheating Timelines with log2timeline

Hopefully at one point in time everyone has experienced the enjoyment of a teacher that allowed them to use a "cheat sheet" on a test. For the unfamiliar, the concept is simple; take an 8.5 x 11" piece of paper, cram as much information as you can on both sides, and use it as an … Continue reading Digital Forensics SIFT'ing: Cheating Timelines with log2timeline


Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT workstation, can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge … Continue reading Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline


How to Make a Difference in the Digital Forensics and Incident Response Community

Over the years of teaching, I have found that there is no shortage of talent in our DFIR community. There are so many individuals that are incredibly sharp, truly skilled, and solving critical cases for their organizations. Sometimes we find that we become so focused on solving cases that we forget that we could figure … Continue reading How to Make a Difference in the Digital Forensics and Incident Response Community


Log2timeline Plugin Creation

About a year ago, I needed to add an Apache log to a supertimeline I was working on. I wrote a bash script to do this, as I was not familiar with perl at the time. I later went back and learned some basics of perl and converted it to my first log2tlimeline plugin. Since … Continue reading Log2timeline Plugin Creation