
Mastering the Super Timeline With log2timeline

Traditional filesystem timeline analysis can be extremely useful, yet it often misses important events that are recorded inside files or operating-system artifacts on the suspect system. An investigator who relies solely on the filesystem timeline loses context that is necessary for a complete and accurate account of what took place. To recover that context, the timestamps found inside artifacts and log files must be extracted and incorporated into the timeline, producing what is called a super timeline. These artifacts and log files may reside on the suspect system itself or on another device, such as a firewall or a proxy. This paper presents log2timeline, a framework that addresses this problem automatically: it parses different log files and artifacts and produces a super timeline to assist investigators in their timeline analysis.
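The core problem the abstract describes is normalisation: a filesystem bodyfile, a syslog line and a proxy access log each record time in a different format and against a different reference (epoch seconds, a local clock with no year or zone, a local clock with an explicit offset), and nothing can be merged until every record is on one clock. The following is an added illustration written for this page, not log2timeline's own code. The three input records are constructed; the host time zone (+02:00) and the log year (2010) are assumptions an analyst would normally take from the image, and the MACB letters follow the mactime/log2timeline convention for which filesystem timestamp an entry represents.

```python
"""Build a minimal super timeline from heterogeneous sources.

Added example; not log2timeline's own code. Every record is normalised to
UTC, then merged and sorted into a single timeline.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

UTC = timezone.utc

# Constructed sample records (not from any real investigation).
# TSK 3.x bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE_LINE = (
    "0|/Users/alice/Downloads/invoice.exe|12345|r/rrwxr-xr-x|501|20|40960"
    "|1282694700|1282694605|1282694605|1282694601"
)
# BSD syslog: no year, no time zone; both must be supplied from context.
SYSLOG_LINE = ("Aug 25 02:02:10 laptop sshd[1234]: Accepted password for alice "
               "from 10.0.0.5 port 51234 ssh2")
# Common Log Format from a proxy: local time with an explicit UTC offset.
PROXY_LINE = ('10.0.0.5 - - [25/Aug/2010:02:03:20 +0200] '
              '"GET http://example.com/invoice.exe HTTP/1.1" 200 40960')


@dataclass(order=True)
class Event:
    """One timeline row; the timestamp is always a tz-aware UTC datetime."""
    timestamp: datetime
    macb: str          # M/A/C/B letters this timestamp represents, '.' if n/a
    source: str
    description: str


def parse_bodyfile(line: str) -> list[Event]:
    """Turn one bodyfile line into events, one per distinct epoch value.

    Timestamps that share a value are collapsed into a single row whose MACB
    field shows all the roles they play (e.g. 'M.C.' when mtime == ctime).
    """
    f = line.split("|")
    if len(f) != 11:
        raise ValueError("unexpected bodyfile field count")
    name, size = f[1], f[6]
    stamps = {"A": f[7], "M": f[8], "C": f[9], "B": f[10]}
    grouped: dict[int, str] = {}
    for letter in "MACB":
        epoch = int(stamps[letter])
        if epoch == 0:          # TSK writes 0 when a timestamp is unknown
            continue
        grouped[epoch] = grouped.get(epoch, "") + letter
    events = []
    for epoch, letters in grouped.items():
        macb = "".join(c if c in letters else "." for c in "MACB")
        events.append(Event(datetime.fromtimestamp(epoch, UTC), macb, "FILE",
                            f"{name} (size {size})"))
    return events


SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line: str, year: int, local_tz: timezone) -> Event:
    """Parse a classic syslog line, supplying the missing year and zone.

    Getting either value wrong shifts this event relative to every other
    source, so both are explicit parameters rather than hidden defaults.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line")
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=local_tz).astimezone(UTC)
    return Event(ts, "....", "SYSLOG", f"{m['host']}: {m['msg']}")


CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)')


def parse_clf(line: str) -> Event:
    """Parse a Common Log Format line; its offset lets us convert to UTC."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError("not a CLF line")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC)
    return Event(ts, "....", "WEB",
                 f"{m['client']} {m['req']} -> {m['status']} ({m['bytes']} bytes)")


def build_timeline(events: Iterable[Event]) -> list[Event]:
    """Merge events from all sources into one chronologically sorted list."""
    return sorted(events)


def render_csv(events: list[Event]) -> str:
    """Render the timeline as CSV for review or import into a spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["time_utc", "macb", "source", "description"])
    for e in events:
        w.writerow([e.timestamp.strftime("%Y-%m-%d %H:%M:%S"), e.macb,
                    e.source, e.description])
    return buf.getvalue()


def demo() -> list[Event]:
    host_tz = timezone(timedelta(hours=2))   # assumed zone of the imaged host
    events = parse_bodyfile(BODYFILE_LINE)
    events.append(parse_syslog(SYSLOG_LINE, year=2010, local_tz=host_tz))
    events.append(parse_clf(PROXY_LINE))
    return build_timeline(events)


if __name__ == "__main__":
    print(render_csv(demo()), end="")
```

Run stand-alone, the script prints the merged timeline: the SSH login, then the proxy fetch of invoice.exe, then the file's birth, modification and access timestamps, all on one UTC clock. The point to take from it is the caveat in parse_syslog: sources that omit the year or zone are the ones most likely to land in the wrong place in a super timeline, so those values should come from evidence rather than defaults.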

Download: PDF, 4.06MB (paper 33438)

25 Aug 2010
By Kristinn Guðjónsson
All papers are copyrighted; no re-posting of papers is permitted.
