SANS Digital Forensics and Incident Response Blog: Category - Timeline Analysis

Digital Forensics Case Leads: A Matter of Time

Time is of the essence this week. Several good resources expanding and extending the area of timline analysis have hit the interwebs, and you'll find them featured below in the Good Reads sections. In the news, Brian Krebs drops the names of other organizations penetrated by the RSA attackers. Meanwhile, NetAnalysis gets an update and … Continue reading Digital Forensics Case Leads: A Matter of Time


Atemporal time line analysis in digital forensics

As incident responders we often find that attackers compromise one host in a network and then pivot to others. In digital forensic investigations involving intrusions, we can do our own pivoting from one piece of evidence to another. On October 19th, I had the good fortune to speak at SECTor about one method of doing … Continue reading Atemporal time line analysis in digital forensics


Digital Forensics Case Leads: Registry Forensics, Volume Shadow Copies and Windows 8

It's the "better late than never" edition of Case Leads and I've got lots of great stuff for you this week. Lots of great articles and papers to read, including a very cool post by Andrew Case on recovering registry hives from a system that's been reformatted and had the OS reinstalled, as well as … Continue reading Digital Forensics Case Leads: Registry Forensics, Volume Shadow Copies and Windows 8


Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows

Creating Digital Forensic Filesystem Timelines From Multiple Windows Volume Shadow Copies

Introduction to Shadow Timelines:

This past weekend I was upgrading the SIFT Workstation to the new version and I realized I had not used the Windows version of the Sleuthkit tools in awhile. I usually demonstrate in class that many of the sleuthkit tools can work directly against the logical partitions of a Physical Hard Drive (e.g. \\.\\C:, \\.\\D:). It occurred to me that I had never tried to use the filesystem parser and timeline generator fls on a Windows Vista, Windows 7, or Windows 2008 Server ShadowCopyVolume.

We have known for some time now that you can image a Shadow Volume. I wrote a

...


Ultimate Windows Timelining

Recently, I was considering material for an internal knowledge transfer session on timelining, when it occurred to me that the subject matter was likely of broader interest, and so, without further ado... First, a note about the way I personally use timelines. I find them a great way to identify dated tidbits which one might … Continue reading Ultimate Windows Timelining