SANS Digital Forensics and Incident Response Blog: Tag - timelines

Building a complete timeline for intrusion cases

Anyone who has worked intrusion cases can tell you that they are a wholly different animal than classic pornography or computer abuse/misuse cases, yet our tools have grown out of a distinct need for the latter. Particularly fractured are the tools that enable the analyst to build timelines. Sure, we can sort event logs, or use mactime to get a readable dump of our filesystem metadata, but assembling a complete picture remains a struggle. Some products offer a bit more along these lines, such as Encase, but the barrier for entry in assembling disparate logs into a comprehensive timeline is high both in terms of financial funding and product-specific knowledge, vis Enscripts.

To address this need, I built Ex-Tip. Roughly named after "Extensible Timelines in Perl," Ex-Tip is really nothing more than a framework of input and output modules to normalize log data and sort by time. While it is currently