Chapter 5. Timeline

In this chapter, we will look at timeline analysis. We will learn a few different approaches to perform a timeline analysis with The Sleuth Kit and Plaso Framework. We will also cover some theoretical issues that are specific to some filesystems and how they work with file time-related attributions. Also, we will demonstrate how we can use Plaso in practice.

In a nutshell, we will cover the following topics:

Timeline
The Sleuth Kit (TSK)
Plaso architecture
Plaso in practice

Timeline introduction

One question, which is very prominent in forensics is, "When?"

In other words, time is a very important factor at which analytics is based in the process of forensics. There are many artifacts that we use in an investigation which have temporal ...

Get Practical Windows Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Windows Forensics by Ayman Shaaban, Konstantin Sapronov

Chapter 5. Timeline

Timeline introduction

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly