HackCert
Intermediate 8 min read May 25, 2026

Timeline Analysis: The Art of Reconstructing Cyber Attacks in Digital Forensics

Discover the critical role of timeline analysis in digital forensics, learning how incident responders reconstruct cyber attacks by meticulously piecing together digital evidence.

Rokibul Islam
Incident Responder
Overview

The immediate aftermath of a major cyber attack is pure chaos. Alarms are ringing, executives are demanding answers, and IT staff are frantically trying to contain the damage. In this high-stress environment, the most critical question an Incident Response (IR) team must answer is not just who did it or what was stolen, but how and when it happened. To answer these questions accurately, forensic investigators must transform terabytes of disjointed logs, scattered files, and volatile memory dumps into a single, cohesive narrative. This meticulous process of chronological reconstruction is known as Timeline Analysis.

Timeline Analysis is the absolute bedrock of modern digital forensics. It is the process of extracting temporal data—timestamps—from various digital artifacts across compromised systems and arranging them in chronological order. A well-constructed timeline acts as the roadmap for the entire investigation. It illuminates the attacker's initial entry point, reveals their lateral movement across the network, exposes the exact moment data was exfiltrated, and highlights the tools they used along the way.

This article delves into the technical intricacies of Timeline Analysis. We will explore the fundamental concepts of digital timestamps, the critical sources of temporal evidence, the complex process of generating "Super Timelines," and how advanced forensic analysts detect anti-forensic techniques designed to manipulate time.

The Fundamentals of Digital Time

Every action taken on a computer system leaves a temporal footprint. However, understanding how operating systems record time is complex, and misinterpreting this data can derail an entire investigation.

MACB Timestamps

In file system forensics, analysts rely heavily on MACB timestamps. These represent four distinct temporal events associated with a file:

  • M (Modified): The time the contents of the file were last changed.
  • A (Accessed): The time the file was last opened or read by a user or a process. (Note: Modern operating systems often disable or delay updating this timestamp by default to improve performance, making it less reliable).
  • C (Changed/MFT Modified): The time the metadata of the file (e.g., file permissions, ownership, or the file name itself) was last modified within the Master File Table (MFT) on Windows.
  • B (Birth/Creation): The exact time the file was originally created on that specific storage volume.

Understanding the interaction between these four timestamps is crucial. For example, if an attacker copies a malicious executable from a USB drive onto a server, the 'Birth' time on the server will show the exact time of the copy. However, the 'Modified' time will often reflect the time the file was originally compiled by the malware author months earlier.

The Time Zone Dilemma

One of the greatest challenges in Timeline Analysis is time zone normalization. A global enterprise might have web servers in London (UTC+0), database servers in Tokyo (UTC+9), and an administrator logging in from New York (UTC-5). If an analyst does not correctly convert all timestamps from these various sources into a single, unified standard (almost always Coordinated Universal Time - UTC), the resulting timeline will be fundamentally broken, leading to false conclusions about the sequence of events.

Sources of Temporal Evidence

A robust timeline is built by correlating data from multiple, disparate sources. Relying on a single source is dangerous, as attackers often attempt to clear their tracks.

1. The File System (NTFS, ext4, APFS)

The underlying file system is a treasure trove of temporal data. On Windows, the Master File Table (MFT) records the MACB timestamps for every single file and directory. Analyzing the MFT can reveal when an attacker dropped their initial payload, when they executed it, and when they attempted to delete it. Deleted files often leave traces in the MFT, allowing analysts to reconstruct timelines of files that no longer physically exist on the disk.

2. Operating System and Event Logs

Logs are the diary of the operating system.

  • Windows Event Logs: These are critical for tracking user authentications (Event ID 4624/4625), process creation (Event ID 4688), service installations (often used by malware for persistence), and network share access.
  • Linux Logs: Files like /var/log/auth.log and /var/log/syslog provide chronologies of SSH logins, sudo command executions, and daemon activity.

3. Application and Web Server Logs

If the initial compromise occurred via a web-facing application, IIS or Apache logs are paramount. These logs provide exact timestamps of HTTP requests, allowing analysts to pinpoint the exact moment a SQL injection or Cross-Site Scripting (XSS) payload was delivered.

4. Volatile Memory (RAM)

Some of the most valuable temporal data exists only in volatile memory and is lost when the machine is rebooted. Analyzing a memory dump can reveal the exact start times of running processes, active network connections, and loaded DLLs, providing a real-time snapshot of the attacker's activity that may not be recorded anywhere on the hard drive.

The Timeline Creation Process

Building a timeline from these diverse sources involves a structured methodology, typically revolving around the creation of a "Super Timeline."

Phase 1: Acquisition and Extraction

The investigator first acquires forensic images of the compromised systems. Using specialized forensic tools, they extract the raw timestamp data from the file systems, the registry hives, the event logs, and the browser histories.

Phase 2: Normalization (The Super Timeline)

This is the most computationally intensive phase. Tools like Log2Timeline (part of the Plaso engine) parse the hundreds of different data formats extracted in Phase 1 and normalize them into a single, massive CSV file or database. Every event—whether it's a file creation, a log entry, or a registry key modification—is converted to UTC and placed on a single chronological axis. This is the "Super Timeline." A Super Timeline for a single server can easily contain millions of individual events.

Phase 3: Filtering and Contextualization

A raw Super Timeline is unreadable by a human. The analyst must filter this massive dataset. They usually start with an "anchor event"—a known fact, such as the time an IDS alert fired or the time a user reported a ransom note. From this anchor point, the analyst looks backward and forward in time, applying filters to remove "known good" system noise and highlight suspicious activities, such as executions from temporary directories or anomalous administrative logins.
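As an added illustration (not code from the article or from Plaso), the following Python normalises three constructed records, an Apache line from the London web server, an SSH login from the Tokyo database server and a Windows logon exported from the New York domain controller, onto one UTC axis and then pivots around an anchor event as described in Phase 3. The hostnames, log lines and the fixed UTC-5 offset for the New York host are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed offset for the New York host (constructed; a real pipeline would attach
# the host's IANA zone, e.g. America/New_York, so that DST is handled).
NEW_YORK = timezone(timedelta(hours=-5))

@dataclass
class Event:
    utc: datetime      # normalised timestamp: the single chronological axis
    local: datetime    # wall-clock time exactly as the source recorded it
    source: str
    message: str

def parse_apache(line):
    # Apache combined log: "[12/Jan/2026:09:14:02 +0000]" carries its own offset
    m = re.search(r'\[([^ ]+) ([+-]\d{4})\] "([^"]+)"', line)
    local = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
    return Event(local.astimezone(timezone.utc), local, "apache", m.group(3))

def parse_syslog_iso(line):
    # RFC 5424-style syslog whose ISO 8601 timestamp includes the offset
    stamp, _, rest = line.partition(" ")
    local = datetime.fromisoformat(stamp)
    return Event(local.astimezone(timezone.utc), local, "linux-auth", rest)

def parse_evtx_row(row, tz):
    # CSV export of a Windows event ("1/12/2026 4:30:15 AM,4624,...") in local
    # time, so the host's zone must come from its registry or the case notes
    stamp, event_id, desc = row.split(",", 2)
    local = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=tz)
    return Event(local.astimezone(timezone.utc), local, "windows-evtx", f"EID {event_id}: {desc}")

RAW = [  # constructed sample records, one per host in the article's three-zone example
    parse_apache('203.0.113.5 - - [12/Jan/2026:09:14:02 +0000] "POST /upload.php HTTP/1.1" 200 512'),
    parse_syslog_iso("2026-01-12T17:50:09+09:00 db-tyo sshd[2211]: Accepted password for svc_backup from 10.0.5.9"),
    parse_evtx_row("1/12/2026 4:30:15 AM,4624,Logon Type 10 for CORP\\admin from 10.0.7.4", NEW_YORK),
]

def super_timeline(events):
    """Phase 2: every event on one UTC axis, oldest first."""
    return sorted(events, key=lambda e: e.utc)
def naive_timeline(events):
    """The broken approach: sort on wall-clock time, ignoring each source's offset."""
    return sorted(events, key=lambda e: e.local.replace(tzinfo=None))
def pivot(events, anchor_utc, minutes):
    """Phase 3: keep only events within +/- `minutes` of an anchor event."""
    window = timedelta(minutes=minutes)
    return [e for e in super_timeline(events) if abs(e.utc - anchor_utc) <= window]
```

Sorted on wall-clock time the Windows logon appears first and the Tokyo SSH login last; on the UTC axis the Tokyo login is the earliest event, twenty-four minutes before the web request.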

Defeating Anti-Forensics: Detecting Time Stomping

Sophisticated adversaries know that forensic analysts rely on timelines. Therefore, they actively attempt to manipulate digital time to hide their tracks—a technique known as "Time Stomping."

Using specialized tools or built-in OS APIs, an attacker can intentionally modify the MACB timestamps of their malicious files to make them blend in with legitimate system files. For example, an attacker might drop a new backdoor onto a server in 2026 but alter its 'Creation' and 'Modified' timestamps to match a core Windows file created in 2019.

Advanced timeline analysts detect Time Stomping by looking for inconsistencies.

  • MFT Record Inconsistencies: The Windows MFT actually stores two sets of MACB timestamps (Standard Information attribute and File Name attribute). Many Time Stomping tools only modify one set. Analysts compare the two; if they do not match, manipulation has occurred.
  • Event Log Correlation: Even if an attacker alters a file's creation timestamp to 2019, the Windows Event Log (if configured correctly) will show an Event ID 4688 (Process Creation) for that exact file occurring in 2026. The contradiction proves the timestamp was manipulated.
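The following Python, added here as an example rather than taken from the article or from any forensic tool, runs the MFT record comparison above over two constructed MFT extracts. The paths, timestamps and the two extra heuristics (creation-time ordering and zeroed sub-second fields) are assumptions of the example, not claims made by the article.

```python
from datetime import datetime, timezone

def _ts(s):
    return datetime.fromisoformat(s).astimezone(timezone.utc)

# Constructed MFT extracts: $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN)
# created/modified times as ISO 8601 UTC. The first record is a legitimate
# system file; the second mimics a dropped backdoor stomped to look like 2019.
MFT_RECORDS = [
    {"path": r"C:\Windows\System32\kernel32.dll",
     "si_created": "2019-03-19T04:53:58.187243+00:00", "fn_created": "2019-03-19T04:53:58.187243+00:00",
     "si_modified": "2019-03-19T04:53:58.187243+00:00", "fn_modified": "2019-03-19T04:53:58.187243+00:00"},
    {"path": r"C:\Windows\System32\example_backdoor.dll",
     "si_created": "2019-03-19T04:53:58+00:00", "fn_created": "2026-05-21T02:17:44.509112+00:00",
     "si_modified": "2019-03-19T04:53:58+00:00", "fn_modified": "2026-05-21T02:17:44.509112+00:00"},
]

def check_record(rec):
    """Return the time-stomping indicators found in one MFT record."""
    findings = []
    si_c, fn_c = _ts(rec["si_created"]), _ts(rec["fn_created"])
    si_m, fn_m = _ts(rec["si_modified"]), _ts(rec["fn_modified"])
    # The article's check: compare the $SI and $FN sets. Expect noise from files
    # that were copied or renamed (the USB-copy case earlier in the article), so
    # treat a bare mismatch as a lead to verify rather than proof on its own.
    if si_c != fn_c or si_m != fn_m:
        findings.append("SI/FN timestamp mismatch")
    # Assumed heuristic: $FN is written by the kernel when the entry is created
    # and is not reachable through the user-mode time-setting API, so $SI creation
    # earlier than $FN creation is the stronger indicator (backup and archive
    # tools that deliberately preserve original times can also produce it).
    if si_c < fn_c:
        findings.append(f"SI created {fn_c - si_c} before FN created")
    # Assumed heuristic: tools that set $SI through user-mode APIs commonly
    # write whole seconds, leaving the sub-second field zeroed in $SI only.
    if si_c.microsecond == si_m.microsecond == 0 and fn_c.microsecond != 0:
        findings.append("SI has zeroed sub-second precision")
    return findings

def scan(records):
    """Map each path to its indicators, omitting clean records."""
    report = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            report[rec["path"]] = findings
    return report
```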

Tools of the Trade

The sheer volume of data makes manual timeline analysis impossible. Investigators rely on powerful open-source and commercial toolsets:

  • Plaso (Log2Timeline): The industry-standard open-source engine for extracting timestamps from various artifacts and generating Super Timelines.
  • Timesketch: An open-source collaborative forensic timeline analysis tool that allows multiple analysts to view, filter, and annotate Plaso output visually.
  • Autopsy/The Sleuth Kit: Comprehensive digital forensics platforms that include built-in timeline generation and visualization features.
  • Volatility: The premier framework for extracting temporal data (and much more) from volatile memory dumps.

Key Takeaways

Timeline Analysis is not merely sorting data by date and time; it is the rigorous, scientific process of reconstructing digital history. By meticulously gathering MACB timestamps, correlating seemingly disparate event logs, and normalizing vast amounts of data into a Super Timeline, forensic investigators can cut through the chaos of a breach.

A precise timeline transforms a collection of isolated forensic artifacts into a clear, undeniable narrative of the attacker's actions. It is the definitive mechanism that allows organizations to understand the true scope of a compromise, identify the root cause, and ensure that the adversary is completely eradicated from the network. In the high-stakes world of Incident Response, he who controls the timeline controls the truth.

