Module 6 · Forensic Timeline Reconstruction with Plaso
Manish Garg, Associate of (ISC)² · RingSafe
May 13, 2026 · 4 min read
Why this module exists. Timeline reconstruction — putting events from many sources into a single ordered narrative — is what turns a pile of forensic artefacts into an actionable incident story. This module covers the canonical timeline tools (Plaso / log2timeline, Timesketch, Splunk timeline visualisations) and the analytical approach to building a defensible incident reconstruction.
An investigation has a hundred sources: event logs from five hosts, bash history, filesystem mtimes, audit logs, EDR alerts, NetFlow, cloud audit trail. Each has its own format and clock. The timeline is what merges them into one story. Without it, the investigation is fragments; with it, the investigation is a narrative.
What a forensic timeline actually is
A timeline is a unified ordered sequence of events, normalised to a common time zone, with each event carrying source attribution. The atomic event record:
Timestamp — to second or millisecond, in UTC
Source — which artefact it came from (Windows EventLog 4624, bash history, FS mtime, etc.)
Host — which machine
Description — the human-readable event
Indicator type — login, process exec, file create, network connection, etc.
Once you have records in this shape from every source, ordering and querying become trivial.
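The record shape above, worked through as an added example (not Plaso's code or output format): three constructed sources with different clocks (a Windows event log exported in host-local time, bash history in epoch seconds, filesystem mtimes in ISO 8601) are normalised to UTC, merged and sorted. Hosts, times and commands are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

@dataclass(order=True, frozen=True)
class Event:
    """The atomic timeline record: UTC timestamp first, so sorting orders by time."""
    ts: datetime
    source: str
    host: str
    description: str
    indicator: str

# Constructed sample inputs (hypothetical hosts and values), each in its native format and clock.
WIN_EVENTS = [("2026-05-13 09:15:02", "web01", "4624", "Logon type 10 for svc_backup")]  # host-local time
BASH_HISTORY = [(1778656600, "web01", "tar czf /tmp/export.tgz /var/lib/app")]          # epoch seconds (UTC)
FS_MTIMES = [("2026-05-13T07:16:05Z", "db02", "/tmp/export.tgz")]                        # ISO 8601, UTC

def from_windows(rows, host_utc_offset_hours):
    """Exported Windows event logs carry host-local time; attach the host's offset, then convert to UTC."""
    tz = timezone(timedelta(hours=host_utc_offset_hours))
    return [Event(datetime.strptime(t, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc),
                  f"Windows EventLog {eid}", host, desc, "login") for t, host, eid, desc in rows]

def from_bash(rows):
    """bash history with HISTTIMEFORMAT stores epoch seconds, which are already UTC."""
    return [Event(datetime.fromtimestamp(epoch, tz=timezone.utc), "bash history", host, cmd, "process exec")
            for epoch, host, cmd in rows]

def from_fs(rows):
    """Filesystem mtimes exported as ISO 8601 with a 'Z' suffix."""
    return [Event(datetime.fromisoformat(t.replace("Z", "+00:00")), "FS mtime", host, f"{path} modified", "file create")
            for t, host, path in rows]

def build_timeline(*sources):
    """Merge every source into one UTC-ordered sequence; ties break on source name, then host."""
    return sorted(ev for src in sources for ev in src)

def events_for_host(timeline, host):
    """Querying is a filter over the unified records once they share one shape and clock."""
    return [ev for ev in timeline if ev.host == host]

if __name__ == "__main__":
    for ev in build_timeline(from_windows(WIN_EVENTS, 2), from_bash(BASH_HISTORY), from_fs(FS_MTIMES)):
        print(ev.ts.isoformat(), ev.host, ev.source, ev.indicator, ev.description, sep=" | ")
```

The Windows host offset (+2 here) is an input, not something the log tells you; getting it wrong silently reorders the narrative, which is why the timestamp field is normalised to UTC before anything else.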