Kristinn Guðjónsson

Artifact Timeline Creation and Analysis - part 2

August 14, 2009

In the last post I talked about the tool log2timeline and mentioned a hypothetical case that we are working on. Let's explore in more detail how the tool can assist us in the analysis.

How do we go about collecting all the data that we need for the case? In this case we know that we were called in to investigate only hours after the alleged policy violation, so a timeline can be a very valuable source. We therefore decide to construct a timeline from the artifacts found on the system to start our investigation, so that we can examine the evidence with respect to time. By doing that we both get a better picture of the events that occurred and may be led to other artifacts that we need to examine more closely using other tools and techniques.

To begin with, image the drive. Take an image of the C drive (the first partition) and work on that image on your analysis workstation. The first step is to create a traditional filesystem timeline; for that you can refer to the blog post already published here.

For a quick reference, you can execute the following commands to get the filesystem timeline (assuming that the image name is suspect_drive.dd):

After creating the traditional filesystem timeline we need to incorporate artifacts into it. To do that we need to mount the suspect drive, for instance by issuing this command:

mkdir /mnt/analyze
mount.ntfs-3g -o ro,nodev,noexec,show_sys_files,loop /analyze/suspect_drive.dd /mnt/analyze

Now the suspect drive is mounted read-only so we can inspect some of the artifacts found on the system. Because the image is of the partition itself, no partition offset is needed; the ro, nodev and noexec options keep the evidence from being modified or executed by accident, and show_sys_files exposes the NTFS metadata files as well.

cd /mnt/analyze/WINDOWS/Prefetch
log2timeline -f prefetch . >> /tmp/bodyfile

We start by navigating to the Prefetch directory, which stores information about recently started programs (Windows creates these files to speed up the loading of those programs), and run the tool against it. The output is appended to the same bodyfile as the traditional filesystem timeline. Then we navigate to the profile of the user we are taking a closer look at, to examine the UserAssist part of the user's registry hive (it stores information about programs recently run by that user).

cd "/mnt/analyze/Documents and Settings/joe"
log2timeline -f userassist NTUSER.DAT >> /tmp/bodyfile

Now we have incorporated information found inside a particular user's hive into the bodyfile. Next we examine the recycle bin:

cd /mnt/analyze/RECYCLER
log2timeline -f recycler INFO2 >> /tmp/bodyfile

We also want to examine the restore points, that is the creation time of each restore point:

cd "/mnt/analyze/System Volume Information/_restore{A4195436-6BCB-468A-8B2F-BEE5EB150433}/"
log2timeline -f restore . >> /tmp/bodyfile

Since we suspect that the user Joe opened a few documents, we also want to examine the recent documents folder of the user, so we incorporate the information found inside the Windows shortcut files into our case:

cd "/mnt/analyze/Documents and Settings/joe/Recent"
ls -b *.lnk | while read d; do log2timeline -f win_link "$d"; done >> /tmp/bodyfile

We also find out, by examining the "Program Files" folder (or the registry), that the Firefox browser is installed on the workstation (which is not allowed according to corporate policy). So we add the Firefox history to our timeline as well:

cd "/mnt/analyze/Documents and Settings/joe/Application Data/Mozilla/Firefox/Profiles/dgml8g3t.default/"
log2timeline -f firefox3 places.sqlite >> /tmp/bodyfile

Now we are ready to examine the timeline a little more closely. To turn the bodyfile into a readable timeline we use the tool mactime from TSK (The Sleuth Kit):

mactime -b /tmp/bodyfile 2009-08-01..2009-08-05 > /tmp/timeline
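As an added example (not code from log2timeline or The Sleuth Kit), here is a small Python re-implementation of what mactime does with the bodyfile assembled above: it parses the TSK 3.x bodyfile rows that both fls -m and log2timeline produce, expands each row into one line per distinct timestamp flagged m/a/c/b, sorts the result and applies a date range in the same YYYY-MM-DD..YYYY-MM-DD form as the mactime command above. The sample rows are constructed to resemble the Notepad episode later in the post (the artifact descriptions and the old timestamps are invented), and treating the end date of the range as a whole inclusive day is an assumption of this example.

```python
"""Minimal mactime-style timeline builder for TSK 3.x bodyfiles.

Added example, not code from log2timeline or The Sleuth Kit. It reads the
bodyfile format that fls -m and log2timeline both write:

    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

(timestamps in Unix epoch seconds, 0 meaning "not set"), expands every row
into one timeline entry per distinct timestamp with mactime's m/a/c/b flags,
sorts by time and filters to a mactime-style YYYY-MM-DD..YYYY-MM-DD range.
Assumption: the end date of the range is treated as a whole, inclusive day.
"""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Entry = namedtuple("Entry", "time size macb mode uid gid inode name")


def epoch(stamp):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> Unix epoch seconds."""
    return int(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


# Constructed sample bodyfile mirroring the Notepad episode in the post:
# two filesystem rows (as fls -m would emit them), two artifact rows (as
# log2timeline emits them) and one old file that falls outside the range.
T_LNK = epoch("2009-08-04 15:19:20")   # recent-documents shortcut created
T_RUN = epoch("2009-08-04 15:19:23")   # Notepad launched / document opened
T_OLD = epoch("2007-07-21 10:00:00")   # invented: notepad.exe installed long ago
T_OUT = epoch("2008-12-23 04:00:00")   # invented: unrelated file, outside the range
SAMPLE_BODYFILE = f"""\
0|C:/WINDOWS/system32/notepad.exe|1234|r/rrwxrwxrwx|0|0|69120|{T_RUN}|{T_OLD}|{T_OLD}|{T_OLD}
0|C:/Documents and Settings/joe/Recent/Very secret document.lnk|5678|r/rrwxrwxrwx|0|0|512|{T_LNK}|{T_LNK}|{T_LNK}|{T_LNK}
0|[UserAssist] joe ran NOTEPAD.EXE (count 2)|0|0|0|0|0|{T_RUN}|{T_RUN}|{T_RUN}|{T_RUN}
0|[Prefetch] NOTEPAD.EXE last run (count 5)|0|0|0|0|0|{T_RUN}|{T_RUN}|{T_RUN}|{T_RUN}
0|C:/old/leftover.txt|99|r/rrwxrwxrwx|0|0|10|{T_OUT}|{T_OUT}|{T_OUT}|{T_OUT}
"""


def parse_bodyfile(text):
    """Yield one Entry per distinct, non-zero timestamp of every bodyfile row."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"bodyfile line {lineno}: expected 11 fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size = fields[:7]
        atime, mtime, ctime, crtime = (int(t) for t in fields[7:])
        stamps = {"m": mtime, "a": atime, "c": ctime, "b": crtime}   # mactime flag order
        for t in sorted({v for v in stamps.values() if v > 0}):
            macb = "".join(flag if v == t else "." for flag, v in stamps.items())
            yield Entry(t, int(size), macb, mode, uid, gid, inode, name)


def parse_range(spec):
    """'YYYY-MM-DD..YYYY-MM-DD' -> (first epoch second, last epoch second), both inclusive."""
    start_s, end_s = spec.split("..")
    start = datetime.strptime(start_s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_s, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
    return int(start.timestamp()), int(end.timestamp()) - 1


def build_timeline(text, date_range=None):
    """Sorted timeline entries, optionally restricted to a date range."""
    entries = list(parse_bodyfile(text))
    if date_range:
        lo, hi = parse_range(date_range)
        entries = [e for e in entries if lo <= e.time <= hi]
    return sorted(entries, key=lambda e: (e.time, e.name))


def format_entry(e):
    """One mactime-like output line: date, size, macb flags, mode, uid, gid, meta, name."""
    when = datetime.fromtimestamp(e.time, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {e.size:>8} {e.macb} {e.mode} {e.uid} {e.gid} {e.inode} {e.name}"


if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_BODYFILE, "2009-08-01..2009-08-05"):
        print(format_entry(entry))
```

Seeing the expansion makes the narrative that follows easier to read: the single filesystem row for notepad.exe becomes two timeline lines, an old m.cb line from when the binary was installed and an .a.. line at 15:19:23 from the launch, and it is that second line that ends up next to the UserAssist and Prefetch entries for the same second.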

Now we can start examining the timeline itself. If we look at August 4 (the date that the HR department gave as the likely date of the incident) we see from the UserAssist information that the user Joe ran Internet Explorer at 15:13:42, which is confirmed by an update of the access time of IEXPLORE.EXE one second later. (Relying on access times works here because Windows XP updates NTFS last-access times by default; later Windows versions disable that updating, so on them an unchanged access time proves nothing.)

At 15:13:53 a Prefetch file is created for Internet Explorer, and the Prefetch file itself records that Internet Explorer was last run at 15:13:43 and has been run 11 times on this machine. This can be seen in the timeline below:

The tool log2timeline does not support index.dat files (at the time of this writing, although it will very soon), so for the Internet Explorer browsing history we have to rely on traditional filesystem analysis. We can see that the cookie joe@mozilla[1].txt was created at 15:14:48, suggesting that the user Joe visited the site mozilla.org.

We then see that the file "joe@download.mozilla[1].txt" was created at 15:14:49, indicating that the user may have downloaded the Mozilla browser (Firefox).

This is confirmed by looking at the timeline from 15:16:10 onwards, where we see Firefox being set up on the machine. We can then say that the user Joe most likely installed Firefox on the machine.

Our suspicion that the user Joe installed Firefox is further strengthened when we see that a Firefox user profile is created at 15:16:11 inside Joe's user directory.

And if we take a look at the Prefetch folder we see that Firefox was indeed set up on this machine, since "FIREFOX SETUP 3.5.2[2].EXE" was run; according to the Prefetch file the setup was run at 15:16:08.

We can then see that the Firefox browser was last run at 15:16:56 and that it had been run three times. This can be seen from the Prefetch part of the timeline.

Next in the timeline we see the Firefox 3 history, gleaned from the places.sqlite file. We see that when the user Joe opened Firefox the default start page was loaded (the default page is Google, and since the language of the suspect machine is Icelandic it is the Icelandic version, google.is).

We then see that the user Joe ran a Google search at 15:17:43. The search terms were "how to delete files"; hmm, this might be interesting. We then see that the user navigated to the site "www.cybertechhelp.com/tutorial/article/how-to-delete-files-and-folders". This page has the title "How to delete files and folders" and the user reached it from www.google.is (Firefox records the referring visit alongside each visit in places.sqlite). This can all be seen in the timeline as shown below:

We then see that the user Joe continues to read "how to delete files" sites:

And some more sites (how to delete files for good):

At 15:18:27 the user Joe starts reading up on wiping software:

And some more from the same site:

The user then goes to a page that seems to be related to downloading the tool (the URL includes /download and the title of the page indicates a download site).

We then see that the user Joe has started some other activity on the machine. At 15:19:20 we see that the Windows shortcut (LNK) file "C:/Documents and Settings/joe/Recent/Very secret document.lnk" is created. This is one of the documents that we were supposed to look for, one of the documents that the user Joe was not supposed to examine. The creation of this link indicates that the document was opened by the user, so we examine the timeline further. We see from the information found inside the link file that it points to "C:/Documents and Settings/Administrator/My Documents/Very secret document.txt", which again strengthens our case, since this seems to be the very document in question. For further confirmation we see that the access time of this particular document was also updated at the same time as the other files were created.

We can then see from the UserAssist part of the timeline that the user Joe opened NOTEPAD.EXE at 15:19:23 (the last time it was opened), and that the user had used this program twice. At the same time, 15:19:23, we also see that the shortcut "C:/Documents and Settings/joe/Recent/Not to be seen document.lnk" was created. This is the other document that the HR department suspected Joe of opening. The information gathered from the LNK file indicates that it points to "C:/Documents and Settings/Administrator/My Documents/Not to be seen document.txt", suggesting that the user Joe opened this document as well (most likely using Notepad). Finally we see that the Prefetch file for NOTEPAD.EXE was created at 15:19:25, indicating that Notepad had been run five times on the machine, the last time at 15:19:23 (the same time the documents were opened).

We see in the Prefetch file that Notepad had been opened five times, yet the UserAssist part of Joe's registry indicates that he only opened it twice. The most likely explanation is that other users ran Notepad as well (the other three times), but note that the two counters do not measure the same thing: UserAssist only records programs that the user launched through the Explorer shell, whereas Prefetch counts every execution on the machine, so launches from the command line or by another process also widen the gap.

At 15:19:26 we see that a new file called Dc1.txt has been created inside the recycle bin. To gain further information about this file we examine the recycle bin information in the timeline. We then see that, according to INFO2, the file "C:/Documents and Settings/Administrator/My Documents/Not to be seen document.txt" was deleted at 15:19:29 (three seconds after the file Dc1.txt was created). Since Dc1.txt is created inside the folder "C:/RECYCLER/S-1-5-21-...-1004" we can be fairly certain that the user with the RID 1004 deleted this file (the RID is the last part of the SID, the unique ID Windows assigns to each user). If we then examine the SAM hive (C:/WINDOWS/system32/config/SAM) with a tool such as RegRipper we see that the user joe has the RID 1004, suggesting that the user Joe deleted the file "Not to be seen document.txt". The picture below shows this part of the timeline:
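The RECYCLER correlation above combines three things: the INFO2 index that gives Dc1.txt its name, the FILETIME deletion stamp inside the record, and the SID of the per-user bin folder, whose last component (the RID) is looked up in the SAM. The following Python is an added example (not log2timeline's recycler module and not RegRipper) that does all three against a constructed INFO2 record; the record layout it assumes is the Windows XP one described in its docstring, the SID in the sample path is made up, and the RID-to-user table stands in for what a SAM parser would report.

```python
"""Parse a Windows XP/2003 RECYCLER INFO2 file and tie each record to its owner.

Added example, not code from log2timeline or RegRipper. Assumed on-disk layout
(Windows XP): a 20-byte header whose record size sits at offset 12, followed by
800-byte records laid out as
    260 bytes  original path, ANSI, NUL padded
      4 bytes  record index (the number in Dc<index>.<ext>)
      4 bytes  drive number (0 = A:, 2 = C:)
      8 bytes  deletion time, FILETIME (100 ns ticks since 1601-01-01 UTC)
      4 bytes  physical size
    520 bytes  original path, UTF-16LE, NUL padded
The RID-to-user mapping would normally come from the SAM hive (e.g. RegRipper's
samparse plugin); here it is a constructed dictionary.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20
RECORD_SIZE = 800

# Constructed stand-in for what a SAM parser would report.
SAMPLE_USERS = {"500": "Administrator", "1004": "joe"}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH                      # integer arithmetic, no float rounding
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_info2(data):
    """Return a list of dicts, one per INFO2 record."""
    if len(data) < HEADER_SIZE:
        raise ValueError("INFO2 too short for a header")
    version, _, _, rec_size, _ = struct.unpack("<5I", data[:HEADER_SIZE])
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected record size {rec_size} (header version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, ft, size = struct.unpack("<IIQI", rec[260:280])
        uni = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        original = uni or ansi                        # prefer the Unicode copy of the path
        basename = original.rsplit("\\", 1)[-1]
        ext = basename[basename.rfind("."):] if "." in basename else ""
        letter = chr(ord("a") + drive)
        records.append({
            "index": index,
            "drive": letter,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "original": original,
            "bin_name": f"D{letter}{index}{ext}",    # the name seen in the RECYCLER folder
        })
    return records


def owner_of_bin_path(path, users):
    """Map a per-user RECYCLER folder (C:/RECYCLER/<SID>/...) to (RID, username)."""
    m = re.search(r"S-1-5-21(?:-\d+)+", path)
    if not m:
        raise ValueError("no per-user SID folder in path")
    rid = m.group(0).rsplit("-", 1)[1]
    return rid, users.get(rid, "<unknown RID>")


def build_info2_record(original, index, drive, deleted_at, size):
    """Construct one record in the layout above (used only to build sample data)."""
    ansi = original.encode("cp1252").ljust(260, b"\x00")
    uni = original.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size) + uni


# Constructed INFO2 mirroring the post: one file deleted from C: on 2009-08-04 15:19:29.
SAMPLE_INFO2 = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0) + build_info2_record(
    r"C:\Documents and Settings\Administrator\My Documents\Not to be seen document.txt",
    index=1, drive=2,
    deleted_at=datetime(2009, 8, 4, 15, 19, 29, tzinfo=timezone.utc), size=4096)
# The SID below is invented; only its last component (the RID) matters here.
SAMPLE_BIN_PATH = "C:/RECYCLER/S-1-5-21-1085031214-725345543-839522115-1004/Dc1.txt"


if __name__ == "__main__":
    rid, user = owner_of_bin_path(SAMPLE_BIN_PATH, SAMPLE_USERS)
    for r in parse_info2(SAMPLE_INFO2):
        print(f"{r['deleted_at']:%Y-%m-%d %H:%M:%S} {r['bin_name']} <- {r['original']} "
              f"(deleted by RID {rid} = {user})")
```

The check worth keeping from this is the naming rule: the index stored in the record is what produces the "1" in Dc1.txt, so a bin file whose name does not match any INFO2 index (or an INFO2 with fewer records than files in the folder) is a sign that the bin was emptied or manipulated and the deletion times in INFO2 can no longer be trusted on their own.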

After this activity with the secret documents we see that the user Joe continued to use Firefox, now with clear indications that the user is in fact downloading wiping software (instead of just visiting sites with a download section). The user visits the URL "http://.....wipe3.exe" and the visit type is DOWNLOAD, indicating that this is in fact a download taking place.

We can further confirm this by examining the timeline straight after the download. We see that the file ..wipe3.exe was created as "C:/Documents and Settings/joe/My Documents/Niðurhal/bcwipe3.exe" (Niðurhal is the Icelandic word for download). This further suggests that it was the user joe who downloaded the wiping software.

We can then see, in the filesystem part of the timeline, indications that the wiping software was indeed installed on the machine.

We can then see from the Prefetch file that BCWIPE3.EXE was run on the machine, further suggesting that the file the user Joe seems to have downloaded was indeed executed. We can also see some temporary files created by the installation program inside joe's user directory, further indicating that the user Joe really installed the software in question (there were other temporary files belonging to bcwipe3.exe created inside joe's folder as well).

The final line in the timeline indicating that the user Joe installed the wiping software is found in the UserAssist part of the registry. We can see that the user Joe ran the link file "BCWipe 3.0/BCWipe Task Manager.lnk", indicating that he ran a part of the software after installation (a task manager that comes with the software).

To sum up this little example: by examining the timeline (using the artifacts inside it) we found that all of the following events took place on the 4th of August this year:

  • 15:13:43: Internet Explorer is started
  • 15:14:48: Internet Explorer is used by the user joe to visit the site "mozilla.org"
  • 15:14:49: Internet Explorer is used by the user joe to visit the site "download.mozilla.org"
  • 15:16:08: The browser Firefox is installed on the machine
  • 15:16:11: A Firefox user profile is created for the user joe
  • 15:16:56: Firefox browser is started
  • 15:17:00: User joe visits the start page of Firefox (using Firefox)
  • 15:17:43: User joe searches for "how to delete files", using the Google search engine
  • User joe then reads a few web pages that clearly give directions on how to delete files and folders
  • 15:18:27: User joe starts reading about tools that wipe files
  • 15:19:20: A shortcut file is created inside the recent document history of user Joe, indicating that the file "Very secret document.txt" had been opened by the user
  • 15:19:23: The last time that the user Joe opened NOTEPAD.EXE
  • 15:19:23: A shortcut is created inside the recent document history of user Joe, indicating that the file "Not to be seen document.txt" had been opened by the user joe
  • 15:19:26: The file Dc1.txt is created inside the recycle bin (inside a folder that belongs to the user joe). This file used to be named "Not to be seen document.txt" before it was moved to the recycle bin
  • 15:19:37: Wiping software is downloaded from the Internet, using Firefox (and by the user Joe)
  • 15:21:16: The wiping software is installed, leaving temporary files inside Joe's user directory, indicating that the user Joe is in fact the user installing the software
  • 15:21:44: The user Joe runs a program that belongs to the wiping software (UserAssist)

Although this case is very simple, and we managed to image the computer a few minutes after the alleged breach of policy, we can clearly see that correlating the different pieces of information found in log files and other OS artifacts can prove very helpful in our investigations, and at the very least point us to the data that we need to examine using other techniques.

Tags:
  • Digital Forensics, Incident Response & Threat Hunting