Investigation Framework | Part 5 – Timeline Analysis

Timeline Analysis

We’re past the halfway point! Even if you think you have covered everything in your analysis and correlation, sometimes you need to put things together to see the bigger picture. Here we will cover creating potentially the most important artifact of an incident: the TIMELINE. Timelines are perhaps the best way to summarize what you’ve found in a way that anyone can understand.

Check the time

If you want to take away one thing from this entire series, it’s this.

ALWAYS NOTE THE TIMESTAMPS

When you are looking through data, it is easy to forget the simple task of answering, “when did this happen?”. As I mentioned in the previous section, when noting down timestamps make sure you write them down with these two factors:

  • ISO-8601 (2022-01-01T12:34:56Z)
  • Convert the timezone to UTC

However minor the finding may be, always, always, always include a timestamp. If you choose to use a local timezone, make sure that is specified at the top of your notes or wherever it is written. Avoid using multiple timezones; it will always cause confusion, especially when creating a timeline.

Know your attributes

A finding is only as useful as the information you include with it. I’ve identified five specific attributes you should always attempt to include to make your timeline a lot easier.

  • Timestamp, ISO-8601 UTC
  • Host, affected system/user
  • Source, where the information was found
  • Event Type, short category of the finding (Logon, Firewall block, etc.)
  • Description, additional details about the finding that are helpful to know (context)

Additionally, I’ve found it’s helpful to include the MITRE Tactic/Technique. This not only adds some professionalism but also helps identify future improvements to remedy the situation.
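To show the two rules above working together (ISO-8601 UTC timestamps plus the five attributes and the optional MITRE technique), here is an added example that is not part of the original post or its template: it takes findings noted in whatever local zone the analyst used, converts each to UTC, and emits sorted timeline rows with the same headers. The host names, IP and findings are constructed sample data.

```python
# Normalise incident findings into ISO-8601 UTC timeline rows using the
# attributes from this post: Timestamp, Host, Source, Event Type, Description,
# plus an optional MITRE technique. Requires Python 3.9+ (zoneinfo).
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

TIMELINE_HEADERS = ["Timestamp", "Host", "Source", "Event Type", "Description", "MITRE Technique"]

@dataclass
class Finding:
    timestamp: str        # as written in the analyst's notes
    tz: str               # IANA zone the note was taken in, e.g. "America/Chicago"
    host: str
    source: str
    event_type: str
    description: str
    technique: str = ""

def to_utc_iso(ts: str, tz: str) -> str:
    """Parse an ISO-8601 or 'YYYY-MM-DD HH:MM:SS' note and render it as UTC with a 'Z' suffix."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:                     # naive timestamp: apply the zone the note declares
        dt = dt.replace(tzinfo=ZoneInfo(tz))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_timeline(findings):
    """Return timeline rows, every timestamp in UTC, sorted chronologically."""
    rows = [[to_utc_iso(f.timestamp, f.tz), f.host, f.source, f.event_type, f.description, f.technique]
            for f in findings]
    return sorted(rows, key=lambda r: r[0])

def timeline_csv(findings) -> str:
    """Render the sorted timeline as CSV ready to paste into the Incident_Timeline tab."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(TIMELINE_HEADERS)
    w.writerows(build_timeline(findings))
    return buf.getvalue()

# Constructed sample findings: two analysts wrote their notes in different local zones.
SAMPLE_FINDINGS = [
    Finding("2022-01-01 07:40:12", "America/Chicago", "WS-042", "Windows Security 4624", "Logon", "Interactive logon by jdoe", "T1078"),
    Finding("2022-01-01T14:34:56Z", "UTC", "FW-EDGE", "Firewall syslog", "Firewall block", "Outbound 445 to 203.0.113.7 blocked", "T1021.002"),
    Finding("2022-01-01 14:10:00", "Europe/London", "WS-042", "EDR telemetry", "Process execution", "powershell.exe spawned by winword.exe", "T1059.001"),
]

if __name__ == "__main__":
    print(timeline_csv(SAMPLE_FINDINGS))
```

Feeding the CSV straight into the spreadsheet keeps every entry in one zone, so the ordering you see is the real ordering.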

Tools of the trade

You’ve got your findings, let’s make a timeline. By far the most fancy, cyber, hacker tool you can use for your timeline is……… Excel. Excel is seriously the most useful tool I’ve found for creating your own timeline.

I’m sure there are other great tools out there like Plaso. However, these tools are for generating a timeline based on forensic artifacts, not creating a timeline of your findings. I’d still recommend using these tools for Analysis, but eventually you will need to narrow down your own timeline to your own findings.

An additional shout out to Timeline Explorer. It is intended as read-only, but if you need the best CSV viewer with some nice DFIR specific features and filtering, this is your tool.

Creating your own timeline

First things first, open up Excel or your spreadsheet software of choice. Now, you didn’t think I wouldn’t give you a nice template to start with, did you 🙂 ? You can use this template as a starting spot. Within it, you’ll find these tabs.

  • Incident_Timeline
  • Affected_Hosts
  • Evidence_Sources
  • Indicators

We will be focusing on the “Incident_Timeline”, however the other tabs will be helpful for documenting tasks and keeping track of findings.

I’ve already included the headers and an example in the image below, which should give you an idea of how to use the spreadsheet.

Keep it simple; remember that non-technical people may be looking at this, so try not to make each entry too wordy. This isn’t meant to replace your notes, it is essentially a summary. If you go through and add all of your findings, you will have a nice list of events. This makes gaps in your findings easier to spot, as well as showing the adversary’s actions.

Conclusion

Timelining becomes easier the more you do it. You will eventually know what type of information is important to tell the story of the incident.

Having a finalized timeline is also an incredible piece to your report. If you look at some of the great cybersecurity blog posts or write ups, you’ll often see a timeline included.

It truly is a great way to convey information, so don’t be afraid to take some time and make it pretty. I can guarantee your management, executives, or customers will love to have this.

Twitter: @CyberCoat

Mastodon: @ChocolateCoat@infosec.exchange

LinkedIn: terrynvalikodath

Incident Timeline Template: https://github.com/chocolatecoat/DFIR-Templates/blob/main/Incident_Evidence_Timeline.xlsx
