SANS@MIC - smbtimeline - An automated timeline for SMB Traffic

  • Monday, 20 Jul 2020 3:30PM EDT (20 Jul 2020 19:30 UTC)
  • Speaker: Olaf Schwarz

smbtimeline is, as the name states, a tool that produces a timeline from SMB traffic. Inspired by the manual work of assembling an investigative timeline from SMB traffic, its purpose is to generate a timeline from a given pcap file. Because incident response is about focusing on the right amount of detail at the right time, smbtimeline provides an overview of the SMB traffic rather than showing every possible bit of information, while still enriching packets with useful details. To achieve this, smbtimeline arranges not only SMB commands but also important commands from protocols that use SMB as their transport (for example DCERPC over named pipes) in an easy-to-handle .csv file. As of today, smbtimeline supports two output formats: the native smbtimeline .csv format and a log2timeline-compatible csv output. The latter lets analysts merge the output into an existing timeline produced by log2timeline.
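As an added illustration of the kind of transformation the talk describes (this is not smbtimeline's own code and makes no claim about its internals), the following Python script decodes the fixed 64-byte SMB2 packet header of a few constructed messages and emits one event per request/response in the 17-column l2tcsv layout used by log2timeline/plaso. The sample "capture" is hand-built bytes rather than a real pcap, the header parsing ignores the async-header variant, and the values placed in the source/sourcetype/type/format columns are assumptions chosen for readability, not anything the tool defines.

```python
import csv
import io
import struct
from datetime import datetime, timezone

SMB2_MAGIC = b"\xfeSMB"
FLAG_SERVER_TO_REDIR = 0x00000001   # set on responses (MS-SMB2 2.2.1.2)

# Command codes from MS-SMB2 2.2.1.2 (subset used here)
SMB2_COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
    0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE",
    0x0006: "CLOSE", 0x0008: "READ", 0x0009: "WRITE", 0x000B: "IOCTL",
    0x000E: "QUERY_DIRECTORY",
}
# A few NTSTATUS codes worth surfacing in a timeline
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
# Column layout of plaso/log2timeline's l2tcsv output (17 columns)
L2TCSV_HEADER = ["date", "time", "timezone", "MACB", "source", "sourcetype",
                 "type", "user", "host", "short", "desc", "version",
                 "filename", "inode", "notes", "format", "extra"]


def parse_smb2_header(payload):
    """Decode the fixed 64-byte SMB2 header (sync variant) into a dict."""
    if len(payload) < 64 or payload[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_size, _credit_charge, status, command, _credits, flags, next_cmd,
     message_id, _reserved, tree_id, session_id) = struct.unpack_from(
        "<HHIHHIIQIIQ", payload, 4)
    # With SMB2_FLAGS_ASYNC_COMMAND (0x2) Reserved+TreeId is an 8-byte
    # AsyncId instead; this example does not handle that variant.
    return {
        "command": SMB2_COMMANDS.get(command, "CMD_0x%04X" % command),
        "is_response": bool(flags & FLAG_SERVER_TO_REDIR),
        "status": status, "message_id": message_id,
        "tree_id": tree_id, "session_id": session_id, "next_command": next_cmd,
    }


def build_smb2(command, is_response=False, message_id=0, status=0,
               tree_id=0, session_id=0):
    """Constructed test helper: assemble a header-only SMB2 message."""
    flags = FLAG_SERVER_TO_REDIR if is_response else 0
    return (SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 1, status, command,
                                     1, flags, 0, message_id, 0, tree_id,
                                     session_id) + b"\x00" * 16)


def smb2_timeline(packets):
    """packets: iterable of (epoch_seconds, src_ip, dst_ip, smb2_bytes).
    Returns l2tcsv-shaped rows (dicts), oldest first."""
    rows = []
    for ts, src, dst, payload in sorted(packets, key=lambda p: p[0]):
        hdr = parse_smb2_header(payload)
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        direction = "response" if hdr["is_response"] else "request"
        desc = "%s %s %s -> %s msgid=%d session=0x%x tree=%d" % (
            hdr["command"], direction, src, dst, hdr["message_id"],
            hdr["session_id"], hdr["tree_id"])
        if hdr["is_response"]:   # responses carry the NTSTATUS of the request
            desc += " status=%s" % NTSTATUS.get(
                hdr["status"], "0x%08X" % hdr["status"])
        rows.append({
            "date": when.strftime("%m/%d/%Y"), "time": when.strftime("%H:%M:%S"),
            "timezone": "UTC", "MACB": "....", "source": "SMB",
            "sourcetype": "SMB2 traffic", "type": "Packet Time", "user": "-",
            "host": src, "short": "%s %s" % (hdr["command"], direction),
            "desc": desc, "version": "2", "filename": "-", "inode": "-",
            "notes": "-", "format": "smb2_header", "extra": "-",
        })
    return rows


def to_l2tcsv(rows):
    """Serialise rows as l2tcsv text (header line plus one line per event)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=L2TCSV_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample "capture": a failed logon followed by a share connect.
SAMPLE_PACKETS = [
    (1595273400.0, "10.0.0.5", "10.0.0.20", build_smb2(0x0001, message_id=1)),
    (1595273400.2, "10.0.0.20", "10.0.0.5",
     build_smb2(0x0001, is_response=True, message_id=1, status=0xC000006D)),
    (1595273401.0, "10.0.0.5", "10.0.0.20",
     build_smb2(0x0003, message_id=2, session_id=0x1234)),
    (1595273401.1, "10.0.0.20", "10.0.0.5",
     build_smb2(0x0003, is_response=True, message_id=2, session_id=0x1234, tree_id=1)),
]

if __name__ == "__main__":
    print(to_l2tcsv(smb2_timeline(SAMPLE_PACKETS)), end="")
```

With real traffic the bytes would come from a pcap reader (scapy, pyshark or dpkt) after reassembling the NetBIOS session stream, and each SMB2 command would be enriched from its body (share names from TREE_CONNECT, file names from CREATE, DCERPC operation numbers from named-pipe WRITE/IOCTL), which is the part smbtimeline automates and this example leaves out.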