Timeline Analysis and Artifact Correlation
Build a forensic timeline from file timestamps, event logs, browser history, and registry artifacts.
Why Timeline Analysis?
Attackers move through environments over time — initial access, persistence, lateral movement, and exfiltration may span days or weeks. Timeline analysis correlates artifacts across sources to reconstruct the attack sequence and determine dwell time.
Time Sources in Digital Forensics
Key time sources: NTFS MAC times (MFT entries), Windows Event Log timestamps, Prefetch execution timestamps, registry last-write times, browser history timestamps, and $UsnJrnl change journal entries. Each has different precision and tamper resistance.
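An added example (not part of the original lesson) that normalizes timestamps from several of these sources to UTC, merges them into one timeline, and measures the span of observed activity. It assumes the usual on-disk encodings: Windows FILETIME for MFT, registry, Prefetch and $UsnJrnl values, WebKit microseconds for Chromium history, and ISO 8601 strings for exported event log records. The function names and all sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    """100-ns ticks since 1601-01-01 UTC (MFT, registry, Prefetch, $UsnJrnl)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def from_webkit(us):
    """Microseconds since 1601-01-01 UTC (Chromium history database)."""
    return EPOCH_1601 + timedelta(microseconds=us)

def from_iso(s):
    """ISO 8601 UTC string, as found in exported event log records."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

DECODERS = {"filetime": from_filetime, "webkit": from_webkit, "iso": from_iso}

# Constructed sample records: (source, timestamp format, raw value, description).
# Deliberately out of order, as they would be when pulled from separate tools.
RAW = [
    ("Event Log", "iso", "2024-03-09T22:40:17Z", "Security 4624 logon"),
    ("$UsnJrnl", "filetime", 133545999000000000, "tool.exe deleted"),
    ("Registry", "filetime", 133540172420000000, "Run key last-write"),
    ("Browser", "webkit", 13354017161000000, "download of tool.exe"),
    ("MFT", "filetime", 133540171850000000, "tool.exe created"),
    ("Prefetch", "filetime", 133540172100000000, "tool.exe executed"),
]

def build_timeline(records):
    """Decode every record to an aware UTC datetime and sort chronologically."""
    events = [(DECODERS[fmt](raw), src, desc) for src, fmt, raw, desc in records]
    return sorted(events, key=lambda e: e[0])

def activity_span(timeline):
    """Earliest to latest artifact: a lower bound on dwell time."""
    return timeline[-1][0] - timeline[0][0]

if __name__ == "__main__":
    tl = build_timeline(RAW)
    for ts, src, desc in tl:
        print(f"{ts.isoformat()}  {src:<10} {desc}")
    print("observed span:", activity_span(tl))
```

The span is only a lower bound on dwell time: activity that left no surviving artifact, or artifacts whose timestamps were altered, fall outside it.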