Timeline Analysis
Overview
Timeline analysis reconstructs a chronological sequence of events on a system by correlating timestamps from filesystem metadata, logs, and application artifacts. Timelines help investigators answer when files were created, accessed, modified, or deleted, and identify the sequence of attacker actions during an incident. The Sleuth Kit's mactime format is the standard interchange format for filesystem timeline data.
Body File Generation
The body file is a pipe-delimited intermediate format containing timestamp data from filesystem metadata. It is generated by The Sleuth Kit's fls tool and processed by mactime into a human-readable timeline.
```bash
# The Sleuth Kit (fls)
# https://www.sleuthkit.org/
# Generate body file from a partition (-o is the partition's sector offset)
fls -r -m "/" -o 2048 disk.raw > body.txt
# The -m flag specifies the mount point prefix for file paths
# Use the actual mount point the partition would have had
fls -r -m "C:" -o 2048 disk.raw > body_c.txt
fls -r -m "/home" -o 1026048 disk.raw > body_home.txt
# Include MD5 hashes in the body file
fls -r -m "/" -o 2048 -h disk.raw > body_hashes.txt
# Combine body files from multiple partitions (append with >>)
fls -r -m "C:" -o 2048 disk.raw > body.txt
fls -r -m "D:" -o 5242880 disk.raw >> body.txt
```
Body File Format:
```
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
0|/file.txt|128|r/rrwxrwxrwx|0|0|1024|1707000000|1707000100|1707000200|1706999900
```
| Field | Description |
|---|---|
| MD5 | MD5 hash (0 if not computed) |
| name | Full file path |
| inode | Inode/MFT entry number |
| mode_as_string | File type and permissions |
| UID/GID | Owner user and group ID |
| size | File size in bytes |
| atime | Last access time (Unix epoch) |
| mtime | Last modification time (Unix epoch) |
| ctime | Last metadata change time (Unix epoch) |
| crtime | Creation time (Unix epoch, 0 if unavailable) |
Timeline Generation with mactime
mactime converts body files into human-readable timelines sorted chronologically.
```bash
# The Sleuth Kit (mactime)
# https://www.sleuthkit.org/
# Generate a full timeline
mactime -b body.txt > timeline.txt
# Filter by date range
mactime -b body.txt 2026-01-01..2026-02-01 > january_timeline.txt
# Start from a specific date (no end date)
mactime -b body.txt 2026-01-15 > timeline_from_jan15.txt
# Output in comma-delimited format (for spreadsheet import)
mactime -d -b body.txt > timeline.csv
# Include header line
mactime -d -h -b body.txt > timeline.csv
# Display dates in ISO 8601 format
mactime -y -b body.txt > timeline.txt
# Specify timezone
mactime -z UTC -b body.txt > timeline.txt
# Use password file for UID-to-name resolution
mactime -b body.txt -p /evidence/etc/passwd > timeline.txt
```
mactime Output Format:
```
Date Time                Size Type Mode         UID GID Inode Name
Thu Jan 15 2026 08:30:00 1024 .a.. r/rrwxrwxrwx 0   0   128   /file.txt
Thu Jan 15 2026 08:30:15 1024 m... r/rrwxrwxrwx 0   0   128   /file.txt
Thu Jan 15 2026 08:30:15 1024 ..c. r/rrwxrwxrwx 0   0   128   /file.txt
```
Timestamp Type Indicators:
| Letter | Meaning |
|---|---|
| m | Modified (file content changed) |
| a | Accessed (file read) |
| c | Changed (metadata changed, e.g., permissions) |
| b | Born / Created (creation time) |
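As an added illustration of how mactime turns the body file above into the macb timeline (example code written for this page, not part of The Sleuth Kit): it parses a few constructed body lines in the format from the table, drops zero timestamps the way mactime omits unavailable ones, groups each file's four timestamps by value, and renders the `macb` type string plus an ISO 8601 line in the style of `mactime -y`. The sample paths and epoch values are constructed.

```python
"""Minimal mactime-style timeline builder for TSK body files (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body lines (TSK 3.x body format, see table above):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/file.txt|128|r/rrwxrwxrwx|0|0|1024|1707000000|1707000100|1707000200|1706999900
0|/tmp/dropper.exe|256|r/rrwxrwxrwx|0|0|4096|1707000300|1707000300|1707000300|1707000300
0|/etc/passwd|64|r/rr-xr-xr-x|0|0|2048|1707000050|1706990000|1706990000|0
"""

# Body file columns in order; the four timestamp columns map onto the
# m, a, c, b letters of mactime's "macb" type string.
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
TS_LETTER = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}
MACB_ORDER = "macb"


def parse_body(text):
    """Parse body-file text into a list of dicts, skipping blank/comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"bad body line ({len(parts)} fields): {line!r}")
        row = dict(zip(FIELDS, parts))
        for ts_name in TS_LETTER:
            row[ts_name] = int(row[ts_name])
        row["size"] = int(row["size"])
        rows.append(row)
    return rows


def build_timeline(rows):
    """Group each file's timestamps by epoch value and emit one event per
    (epoch, file) with a mactime-style macb string.  A zero timestamp means
    'unavailable' (e.g. crtime on filesystems without a creation time) and is
    dropped, matching mactime, which does not print such entries."""
    buckets = defaultdict(set)  # (epoch, name) -> set of letters
    meta = {}
    for row in rows:
        meta[row["name"]] = row
        for ts_name, letter in TS_LETTER.items():
            if row[ts_name] > 0:
                buckets[(row[ts_name], row["name"])].add(letter)
    events = []
    for (epoch, name), letters in sorted(buckets.items()):
        macb = "".join(ch if ch in letters else "." for ch in MACB_ORDER)
        r = meta[name]
        events.append({"epoch": epoch, "macb": macb, "size": r["size"],
                       "mode": r["mode"], "inode": r["inode"], "name": name})
    return events


def format_event(ev):
    """Render one event as an ISO 8601 (mactime -y style, UTC) timeline line."""
    when = datetime.fromtimestamp(ev["epoch"], tz=timezone.utc)
    return (f"{when.strftime('%Y-%m-%dT%H:%M:%SZ')} {ev['size']} {ev['macb']} "
            f"{ev['mode']} {ev['inode']} {ev['name']}")


def timeline_from_body(text):
    """Body-file text in, chronologically sorted timeline lines out."""
    return [format_event(e) for e in build_timeline(parse_body(text))]


if __name__ == "__main__":
    for line in timeline_from_body(SAMPLE_BODY):
        print(line)
```

Note how `/tmp/dropper.exe` collapses into a single `macb` row because all four timestamps are identical, while `/etc/passwd` yields an `m.c.` row and a separate `.a..` row and no birth row at all; reading those type strings is what the letter table above is for.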
Super Timeline with Plaso
Plaso (log2timeline) creates comprehensive timelines by parsing multiple artifact sources — not just filesystem timestamps, but also event logs, browser history, registry, prefetch, and many other sources.
```bash
# Plaso (log2timeline)
# https://github.com/log2timeline/plaso
# Step 1: Parse artifacts into a Plaso storage file
python3 -m plaso.scripts.log2timeline /evidence/timeline.plaso disk.raw
# Parse with specific parsers only
python3 -m plaso.scripts.log2timeline \
    --parsers "win7,winevtx,prefetch" \
    /evidence/timeline.plaso disk.raw
# Parse specific partitions
python3 -m plaso.scripts.log2timeline \
    --partitions all \
    /evidence/timeline.plaso disk.raw
# Step 2: Sort and filter with psort
python3 -m plaso.scripts.psort \
    -o l2tcsv \
    -w /evidence/timeline.csv \
    /evidence/timeline.plaso
# Filter by date range
python3 -m plaso.scripts.psort \
    -o l2tcsv \
    -w /evidence/timeline_filtered.csv \
    /evidence/timeline.plaso \
    "date > '2026-01-15 00:00:00' AND date < '2026-01-16 00:00:00'"
# Output in dynamic format (customizable columns)
python3 -m plaso.scripts.psort \
    -o dynamic \
    -w /evidence/timeline.txt \
    /evidence/timeline.plaso
```
Plaso Parsers (common):
| Parser | Description |
|---|---|
| winevtx | Windows Event Log (EVTX) files |
| prefetch | Windows Prefetch files |
| winreg | Windows Registry hives |
| mft | NTFS Master File Table |
| usnjrnl | NTFS USN Journal |
| chrome_history | Chrome browser history |
| firefox_history | Firefox browser history |
| syslog | Linux syslog files |
| utmp | Linux login records |
Analyzing Timelines
Identifying Key Time Windows
```bash
# Search timeline for a specific filename
grep -i "malware.exe" timeline.csv
# Find activity around a known event (e.g., 2026-01-15 14:00)
# Assumes ISO 8601 dates (mactime -y); the [T ] accepts either separator
grep -E "2026-01-15[T ]1[34]:" timeline.csv
# Find all .exe files with a creation (b) timestamp
# The type column is in macb order, so a birth event reads "...b"
grep -i "\.exe" timeline.csv | grep -i "\.\.\.b"
# Count events per hour (identify activity spikes)
# Assumes mactime -d -y output, whose first field is an ISO 8601 timestamp;
# the first 13 characters (YYYY-MM-DDTHH) are the hour bucket
awk -F',' '{print substr($1,1,13)}' timeline.csv | sort | uniq -c | sort -rn | head -20
```
Common Timeline Patterns
Malware Execution:
1. File created (b): malware.exe appears on disk
2. File accessed (a): malware.exe opened/executed
3. New files created (b): dropped payloads, configs
4. Registry modified: persistence keys added
5. Network connections: C2 communication begins
Lateral Movement:
1. Logon event (4624 type 3): network authentication
2. Service created: PsExec or similar service
3. File created: payload dropped via SMB
4. File executed: payload runs
5. Additional logon events from the compromised host
Data Exfiltration:
1. Files accessed (a): target documents read
2. Archive created (b): data compressed/staged
3. Archive accessed (a): data read for transfer
4. Network activity: upload to external IP
5. Archive deleted: staging cleanup
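The patterns above are sequences of timeline events, so they can be searched for mechanically rather than by eye. The following is an added example (written for this page, not from The Sleuth Kit or Plaso) that runs two of them over a constructed list of filesystem events: the malware-execution pattern (an executable is born, later accessed, and other files are born shortly after the access) and the exfiltration-staging pattern (several documents accessed shortly before an archive is born). Event timestamps, paths, and the window sizes are assumptions chosen for the sample; registry and network steps are not in the filesystem timeline and are left out.

```python
"""Timeline pattern detection over macb events (added example)."""
from collections import namedtuple

Event = namedtuple("Event", "epoch macb name")

# Constructed timeline events (epoch, macb string, path); not real evidence.
EVENTS = [
    Event(1707000000, "...b", "/Users/alice/Downloads/invoice.exe"),
    Event(1707000030, ".a..", "/Users/alice/Downloads/invoice.exe"),
    Event(1707000045, "...b", "/Users/alice/AppData/Roaming/svc.dll"),
    Event(1707000050, "...b", "/Users/alice/AppData/Roaming/config.dat"),
    Event(1707003600, ".a..", "/Windows/System32/notepad.exe"),
    Event(1707010000, ".a..", "/Users/alice/Documents/q4-plan.docx"),
    Event(1707010020, ".a..", "/Users/alice/Documents/salaries.xlsx"),
    Event(1707010100, "...b", "/Users/alice/AppData/Local/Temp/out.zip"),
]

EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".tar", ".gz")


def find_execution_chains(events, window=300, min_drops=1):
    """Malware-execution pattern: an executable is born (b), later accessed (a),
    and at least `min_drops` other files are born within `window` seconds of
    that access.  Returns one dict per matching executable."""
    events = sorted(events)  # namedtuples sort by epoch first
    hits = []
    for i, ev in enumerate(events):
        if "b" not in ev.macb or not ev.name.lower().endswith(EXEC_EXT):
            continue
        # first later access of the same path
        access = next((e for e in events[i + 1:]
                       if e.name == ev.name and "a" in e.macb), None)
        if access is None:
            continue
        drops = [e for e in events
                 if access.epoch < e.epoch <= access.epoch + window
                 and "b" in e.macb and e.name != ev.name]
        if len(drops) >= min_drops:
            hits.append({"executable": ev.name, "created": ev.epoch,
                         "accessed": access.epoch,
                         "dropped": [d.name for d in drops]})
    return hits


def find_staging(events, window=600, min_reads=2):
    """Exfiltration-staging pattern: at least `min_reads` non-executable,
    non-archive files are accessed (a) in the `window` seconds before an
    archive is born (b)."""
    events = sorted(events)
    hits = []
    for ev in events:
        if "b" not in ev.macb or not ev.name.lower().endswith(ARCHIVE_EXT):
            continue
        reads = [e.name for e in events
                 if ev.epoch - window <= e.epoch < ev.epoch and "a" in e.macb
                 and not e.name.lower().endswith(EXEC_EXT + ARCHIVE_EXT)]
        if len(reads) >= min_reads:
            hits.append({"archive": ev.name, "created": ev.epoch,
                         "read_before": reads})
    return hits


if __name__ == "__main__":
    for hit in find_execution_chains(EVENTS) + find_staging(EVENTS):
        print(hit)
```

Both detectors are deliberately loose (an installer also drops files after it runs, and a user zipping a project looks like staging), so they are triage aids that point at time windows worth reading in full, not verdicts.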
NTFS-Specific Timeline Sources
```bash
# The Sleuth Kit (icat)
# https://www.sleuthkit.org/
# NTFS USN Journal (tracks file changes)
# The USN Journal is the $J data attribute of $Extend/$UsnJrnl. Its MFT entry
# number varies per volume (62 below is only an example); find it by listing
# the $Extend directory, MFT entry 11, with fls, then address the attribute
# as entry-type-id (128 = $DATA)
icat -o 2048 disk.raw 62-128-3 > usnjrnl.bin
# NTFS $LogFile (transaction log, MFT entry 2)
icat -o 2048 disk.raw 2 > logfile.bin
# $MFT extraction for detailed analysis (MFT entry 0)
icat -o 2048 disk.raw 0 > mft.bin
```
Timestamp Manipulation Detection
Attackers may modify timestamps (timestomping) to blend malicious files with legitimate system files.
Detection indicators:
| Indicator | Description |
|---|---|
| $SI ≠ $FN timestamps | $STANDARD_INFORMATION modified, $FILE_NAME not |
| Creation before compile time | PE compile time newer than filesystem creation time |
| Rounded timestamps | Timestamps at exactly 00:00:00 or on round hours |
| Future timestamps | Dates beyond the analysis date |
| Timestamps matching system files | Malware with svchost.exe-era timestamps |
| No $FN creation time | $FN entry missing creation time |
```bash
# The Sleuth Kit (istat)
# https://www.sleuthkit.org/
# Compare $SI and $FN timestamps for a suspect file
istat -o 2048 disk.raw <inode>
# Look for discrepancies between:
# $STANDARD_INFORMATION (SI) — easily modified
# $FILE_NAME (FN) — OS-controlled, harder to modify
```
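The indicators in the table above can be checked programmatically once the $SI and $FN times for a file have been read out (for example from istat output). The following added example (written for this page, not part of The Sleuth Kit) applies them to constructed records: it flags a $SI creation time earlier than the $FN creation time, a missing $FN creation time, round-hour and zero sub-second values, future dates, and a creation time older than the PE compile time. The record shape, the `pe_compile_time` field, and the reference date `NOW` are assumptions; no real evidence is involved.

```python
"""Timestomping indicators over NTFS $SI/$FN timestamps (added example)."""
from datetime import datetime, timezone

UTC = timezone.utc


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS[.ffffff]' as an aware UTC datetime."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in s else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=UTC)


# Constructed records shaped like what you would transcribe from istat
# ($SI and $FN attribute times).  pe_compile_time is an assumed extra field
# taken from the PE header of an executable.  None of this is real evidence.
RECORDS = [
    {"path": "C:/Windows/System32/svchost.exe",
     "si": {"created": ts("2019-03-19 04:49:37.123456"),
            "modified": ts("2019-03-19 04:49:37.123456")},
     "fn": {"created": ts("2019-03-19 04:49:37.123456")},
     "pe_compile_time": ts("2019-03-10 12:00:00")},
    {"path": "C:/Windows/Temp/update.exe",
     "si": {"created": ts("2019-03-19 04:49:37"),      # copied from svchost.exe
            "modified": ts("2019-03-19 04:49:37")},
     "fn": {"created": ts("2026-01-15 14:02:11.554321")},  # real arrival
     "pe_compile_time": ts("2025-12-30 09:12:00")},
    {"path": "C:/Users/alice/Documents/report.docx",
     "si": {"created": ts("2027-06-01 00:00:00"),
            "modified": ts("2026-01-20 11:15:42.000123")},
     "fn": {}},
]

NOW = ts("2026-02-01 00:00:00")  # assumed analysis date


def timestomp_indicators(rec, now):
    """Return the names of the indicators from the table that apply to `rec`."""
    flags = []
    si, fn = rec["si"], rec.get("fn", {})
    if "created" not in fn:
        flags.append("no_fn_creation_time")
    elif si["created"] < fn["created"]:
        # $FN is written by the kernel when the entry is created or moved;
        # a $SI creation time that predates it is the classic timestomp sign.
        flags.append("si_created_before_fn_created")
    for name, value in si.items():
        if value.microsecond == 0:
            # Tools that set times at one-second granularity leave the
            # sub-second field zero; weak on its own (files copied from FAT
            # look the same), stronger in combination with other flags.
            flags.append(f"zero_subsecond_{name}")
        if value.minute == 0 and value.second == 0 and value.microsecond == 0:
            flags.append(f"rounded_{name}")
        if value > now:
            flags.append(f"future_{name}")
    compile_time = rec.get("pe_compile_time")
    if compile_time is not None and si["created"] < compile_time:
        flags.append("created_before_compile_time")
    return flags


def scan(records, now):
    """Map each path to its list of triggered indicators."""
    return {r["path"]: timestomp_indicators(r, now) for r in records}


if __name__ == "__main__":
    for path, flags in scan(RECORDS, NOW).items():
        print(path, flags or "clean")
```

The checks are ordered from strongest to weakest evidence: $SI older than $FN and creation older than the compile time are hard to explain innocently, while a zero sub-second field or a round hour is only corroboration and should be weighed together with the file's location and the surrounding timeline.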