SANS Digital Forensics and Incident Response Blog: Category - Timeline Analysis

Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline

This is a series of blog articles that use the SIFT Workstation. The free SIFT Workstation, which can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and intrusion response can be accomplished using cutting-edge …


How to Make a Difference in the Digital Forensics and Incident Response Community

Over the years of teaching, I have found that there is no shortage of talent in our DFIR community. There are so many individuals who are incredibly sharp, truly skilled, and solving critical cases for their organizations. Sometimes we find that we become so focused on solving cases that we forget that we could figure …


Log2timeline Plugin Creation

About a year ago, I needed to add an Apache log to a supertimeline I was working on. I wrote a bash script to do this, as I was not familiar with Perl at the time. I later went back and learned some basics of Perl and converted it to my first log2timeline plugin. Since …
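The job described in this excerpt, and the supertimeline output the SUPER Timeline post above is built around, can be sketched in a few dozen lines. The following is an added example, not the author's bash script or Perl plugin: it parses Apache combined-format access log lines and writes them in the 17-column l2t_csv layout that log2timeline produces, so the rows can be concatenated with an existing supertimeline and sorted together with it. The MACB/source labels chosen for a web-server hit, the sample log lines and the `access.log` filename are my assumptions.

```python
"""Turn Apache combined-format access log lines into supertimeline rows.

Added example, not the blog's plugin: it writes the 17-column l2t_csv
layout that log2timeline emits, so the output can be concatenated with
an existing l2t_csv supertimeline.  The MACB/source labels chosen for a
web-server hit are my assumption, not a log2timeline convention."""
import csv
import io
import re
from datetime import datetime, timezone

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

L2T_HEADER = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
              "user", "host", "short", "desc", "version", "filename", "inode",
              "notes", "format", "extra"]

def parse_apache_time(stamp):
    """'10/Oct/2000:13:55:36 -0700' -> aware datetime normalised to UTC.
    Normalising matters: a supertimeline sorts across sources, and the
    web server's local offset must not shift its events against the others."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)

def apache_line_to_row(line, filename="access.log"):
    """One log line -> one l2t_csv row (dict), or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    ts = parse_apache_time(f["time"])
    desc = f"{f['host']} requested [{f['request']}] status {f['status']} size {f['size']}"
    if f["referer"] is not None:
        desc += f" referer [{f['referer']}] agent [{f['agent']}]"
    return {
        "date": ts.strftime("%m/%d/%Y"),
        "time": ts.strftime("%H:%M:%S"),
        "timezone": "UTC",
        "MACB": "MACB",              # a log entry has one timestamp; assumption: tag all four
        "source": "LOG",
        "sourcetype": "Apache Access Log",
        "type": "Request Time",
        "user": "" if f["user"] == "-" else f["user"],
        "host": f["host"],
        "short": f"{f['host']} {f['request']} {f['status']}",
        "desc": desc,
        "version": "2",
        "filename": filename,
        "inode": "",
        "notes": "",
        "format": "apache_combined",
        "extra": "",
        "_ts": ts,                  # kept for sorting, dropped on output
    }

def build_timeline(lines, filename="access.log"):
    """Parse every line, skip (and count) the ones that do not match, sort by time."""
    rows, skipped = [], 0
    for line in lines:
        row = apache_line_to_row(line, filename)
        if row is None:
            skipped += 1
        else:
            rows.append(row)
    rows.sort(key=lambda r: r["_ts"])
    return rows, skipped

def to_l2t_csv(rows):
    """Serialise rows as l2t_csv text (header + one line per event)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=L2T_HEADER, extrasaction="ignore")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

# Constructed sample input, including one line that is not Apache format.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.08"',
    '10.0.0.9 - admin [10/Oct/2000:13:50:00 -0700] "POST /upload.php HTTP/1.1" 200 512 "http://example.test/" "curl/7.19"',
    'this line is not an Apache access log entry',
    '192.0.2.7 - - [11/Oct/2000:02:01:02 +0000] "GET /cmd.php?c=id HTTP/1.1" 404 231 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    rows, skipped = build_timeline(SAMPLE_LOG)
    print(to_l2t_csv(rows))
    print(f"{len(rows)} events, {skipped} unparsed line(s)")
```

Two details are worth keeping when adapting this to a real plugin: the timezone offset in each Apache entry is converted to UTC before the row is emitted, because a supertimeline is sorted across many sources and a web server logging in local time would otherwise be shifted against the filesystem and event-log entries; and unparseable lines are counted and skipped rather than aborting the run, since rotated or truncated logs routinely contain a few damaged lines.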


Outlier analysis in digital forensics

In my previous post, Atemporal time line analysis in digital forensics, I talked about using the inodes of a known piece of attacker code as a pivot point to discover previously unknown attacker code on a system. In this post, I want to point out another interesting thing about these inodes. Recall that I'm using …
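The inode pivot mentioned in this excerpt is easy to run over a Sleuth Kit body file. What follows is an added example, not code from either of the posts: it parses body-file lines, lists every entry whose inode number lies within a window of the known attacker file's inode, and then applies a simple timestamp outlier check of my own (an entry whose mtime is much older than its ctime, which on POSIX filesystems is what utime()-style back-dating leaves behind). The body-file contents, the inode numbers and the window size are constructed for the example.

```python
"""Inode-adjacency pivot over a Sleuth Kit body file, plus a simple timestamp
outlier check.  Added example, not code from the blog posts."""
from statistics import median

# Body-file layout (TSK 3.x mactime input):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]

def parse_bodyfile(text):
    """Body-file text -> list of dicts; damaged lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        e = dict(zip(FIELDS, parts))
        # fls on NTFS emits "12345-128-1"; keep the leading MFT/inode number
        e["inode_num"] = int(e["inode"].split("-")[0])
        for k in ("size", "atime", "mtime", "ctime", "crtime"):
            e[k] = int(e[k])
        entries.append(e)
    return entries

def inode_neighbours(entries, pivot_inode, window):
    """Entries whose inode lies within +/-window of the known attacker file.
    ext2/3/4 allocate inode numbers with locality (same block group, often
    consecutive), so files dropped in one session tend to sit next to each
    other even when their timestamps have been tampered with."""
    lo, hi = pivot_inode - window, pivot_inode + window
    return sorted((e for e in entries if lo <= e["inode_num"] <= hi),
                  key=lambda e: e["inode_num"])

def timestamp_outliers(entries, slack=3600):
    """Heuristic of my own, not the post's: utime() rewrites mtime/atime but
    the kernel sets ctime to 'now', so mtime far older than ctime suggests
    the modification time was back-dated."""
    return [e for e in entries if e["ctime"] - e["mtime"] > slack]

def mtime_spread(entries):
    """Seconds between each entry's mtime and the cluster median mtime,
    to eyeball which neighbours do not belong to the same drop."""
    if not entries:
        return {}
    mid = median(e["mtime"] for e in entries)
    return {e["name"]: e["mtime"] - mid for e in entries}

def run_pivot(text, pivot_inode, window=5):
    """Convenience wrapper: (neighbour names, outlier names)."""
    entries = parse_bodyfile(text)
    near = inode_neighbours(entries, pivot_inode, window)
    return ([e["name"] for e in near],
            [e["name"] for e in timestamp_outliers(near)])

# Constructed sample body file.  /tmp/.x/backdoor (inode 2000105) is the
# known attacker file; libx.so has an mtime that was pushed back to 2004.
SAMPLE_BODYFILE = """\
0|/usr/bin/ls|1049|-rwxr-xr-x|0|0|109208|1300000000|1290000000|1290000000|0
0|/home/user/notes.txt|2000103|-rw-r--r--|1000|1000|300|1290500000|1290500000|1290500000|0
0|/tmp/.x/backdoor|2000105|-rwxr-xr-x|0|0|48600|1301000000|1301000000|1301000000|0
0|/tmp/.x/sniff|2000106|-rwxr-xr-x|0|0|22100|1301000100|1301000100|1301000100|0
0|/tmp/.x/.log|2000107|-rw-r--r--|0|0|1200|1301000500|1301000500|1301000500|0
0|/tmp/.x/libx.so|2000109|-rwxr-xr-x|0|0|900000|1301000000|1100000000|1301000000|0
0|/var/log/wtmp|2000300|-rw-rw-r--|0|43|12288|1301050000|1301050000|1301050000|0
this line is damaged and should be skipped
"""

if __name__ == "__main__":
    near, odd = run_pivot(SAMPLE_BODYFILE, 2000105)
    print("inode neighbours:", near)
    print("mtime back-dated?:", odd)
    print("mtime offset from cluster median:",
          mtime_spread(inode_neighbours(parse_bodyfile(SAMPLE_BODYFILE), 2000105, 5)))
```

The neighbour list is a lead, not a verdict: a legitimate file that happened to be created around the same time (notes.txt in the sample) lands in the window too, which is exactly why the cluster is then examined file by file. The ctime-versus-mtime check is one such second look and is independent of the pivot; it catches back-dated mtimes precisely because ctime cannot be set from user space through the usual interfaces.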


Digital Forensics Case Leads: A Matter of Time

Time is of the essence this week. Several good resources expanding and extending the area of timeline analysis have hit the interwebs, and you'll find them featured below in the Good Reads section. In the news, Brian Krebs drops the names of other organizations penetrated by the RSA attackers. Meanwhile, NetAnalysis gets an update and …