Traditional timeline analysis can be extremely useful, yet it sometimes misses important events that are stored inside files or OS artifacts on the suspect system. By relying solely on the traditional filesystem timeline, the investigator loses context that is necessary for a complete and accurate description of the events that took place. To fill that gap we need to dig deeper and incorporate the information found inside artifacts and log files into the timeline analysis, producing a so-called super timeline. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy. This paper presents a framework, log2timeline, that addresses this problem in an automated fashion. It is built to parse different log files and artifacts and to produce a super timeline automatically, to assist investigators in their timeline analysis.
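To make the idea of a super timeline concrete, the following is an added example, not code from the paper or from the log2timeline project. It normalizes two constructed sources, a TSK-style bodyfile from the suspect filesystem and a Squid-style proxy access log from another device, into one event type and merges them into a single chronological timeline. The sample lines, host names and paths are constructed for illustration; the field layouts follow the bodyfile and Squid native log formats, but any real parser would need to handle the many variants of those formats.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(order=True)
class TimelineEvent:
    """One normalized event: ordering falls back to source and description on ties."""
    timestamp: int      # seconds since the epoch, UTC
    source: str         # which artifact the event came from
    description: str    # human-readable summary for the analyst


# Constructed sample in TSK 3.x bodyfile format (as consumed by mactime):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|/home/user/.bash_history|1234|r/rrw-------|1000|1000|512|1262304000|1262304000|1262304000|1262300400
0|/tmp/install.sh|5678|r/rrwxr-xr-x|1000|1000|2048|1262307600|1262307600|1262307600|1262307600
"""

# Constructed sample in Squid native access.log format (first field is epoch.ms).
PROXY_LOG = """\
1262307500.123    210 10.0.0.5 TCP_MISS/200 1540 GET http://example.test/install.sh - DIRECT/203.0.113.10 text/plain
1262308000.456     30 10.0.0.5 TCP_MISS/200 320 GET http://example.test/status - DIRECT/203.0.113.10 text/html
"""


def parse_bodyfile(text):
    """Expand each bodyfile row into one event per non-zero MACB timestamp."""
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # skip blank or malformed rows rather than abort the whole run
        name = fields[1]
        for label, value in zip(("atime", "mtime", "ctime", "crtime"), fields[7:11]):
            ts = int(value)
            if ts > 0:  # a zero timestamp means "not recorded" in this format
                events.append(TimelineEvent(ts, "filesystem", f"{label} {name}"))
    return events


def parse_proxy_log(text):
    """Turn each Squid access.log line into a single request event."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        ts = int(float(parts[0]))  # drop the millisecond fraction to match bodyfile precision
        client, status, method, url = parts[2], parts[3], parts[5], parts[6]
        events.append(TimelineEvent(ts, "proxy", f"{client} {method} {url} {status}"))
    return events


def build_super_timeline(*sources):
    """Merge any number of per-artifact event lists into one chronological list."""
    return sorted(event for source in sources for event in source)


def format_timeline(events):
    """Render events as 'UTC time [source] description' lines for review."""
    lines = []
    for e in events:
        when = datetime.fromtimestamp(e.timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} [{e.source:10}] {e.description}")
    return lines


if __name__ == "__main__":
    timeline = build_super_timeline(parse_bodyfile(BODYFILE), parse_proxy_log(PROXY_LOG))
    print("\n".join(format_timeline(timeline)))
```

Run stand-alone it prints ten events in order; the proxy request for install.sh lands between the earlier filesystem activity and the creation of /tmp/install.sh, which is exactly the cross-source context a filesystem-only timeline cannot show. All timestamps are converted to UTC before merging, since mixing local-time and UTC sources is the most common way a merged timeline ends up misleading.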