Cyber Security Academy · Lesson

Timeline Analysis and Reporting

Building and presenting the story.

Why Timelines Matter

A forensic timeline orders events chronologically so an investigator can see the full story: initial access, lateral movement, persistence, and exfiltration.

Scattered artifacts mean little in isolation. A timeline turns thousands of timestamped events into a coherent narrative an analyst, manager, or court can follow.

The Super Timeline

A super timeline merges timestamps from every available source into one sorted view: file system MACB times, registry, event logs, browser history, prefetch, and network logs.

The Plaso project (log2timeline) is the standard tool, producing a normalized timeline database from disparate artifacts.

# Build a Plaso storage file from an image
log2timeline.py --storage-file case.plaso evidence.dd

# Output a filtered CSV timeline
psort.py -o l2tcsv -w timeline.csv case.plaso \
  'date > "2024-06-01" AND date < "2024-06-05"'
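To show what log2timeline and psort do under the hood, here is an added illustration (not Plaso code) of a miniature super timeline: it normalizes timestamps from file system MACB times, an event log record, a browser history row and a prefetch entry into UTC, sorts them into one view, and applies a date-range filter like the psort command above. All artifact values are constructed samples, not real evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(order=True, frozen=True)
class Event:
    ts: datetime   # UTC; the single sort key of the super timeline
    source: str    # plaso-style source label: FILE, EVT, WEBHIST, PREFETCH
    macb: str      # which of M/A/C/B this row carries, "...." for non-file events
    desc: str

# Constructed sample artifacts for illustration only (hypothetical host "bob").
FS_MACB = [  # path, modified, accessed, changed, born (ISO 8601)
    ("C:/Users/bob/Downloads/invoice.exe", "2024-06-02T10:15:00Z",
     "2024-06-03T08:00:00Z", "2024-06-02T10:15:00Z", "2024-06-02T10:15:00Z"),
]
EVTX = [(4688, "2024-06-02 10:15:42", "New process created: invoice.exe")]  # assumed UTC
WEBHIST = [(1717323120, "http://example.invalid/invoice")]                  # Unix epoch seconds
PREFETCH = [("INVOICE.EXE-1A2B3C4D.pf", "2024-06-02T10:15:43Z", 1)]         # last run, run count

def utc(s):
    """Parse an ISO timestamp; naive values are taken as UTC, aware ones converted."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)

def build_timeline(fs, evtx, web, pf):
    events = []
    for path, m, a, c, b in fs:
        by_time = {}  # coinciding MACB times collapse into one row, e.g. "M.CB"
        for flag, t in zip("MACB", (m, a, c, b)):
            by_time.setdefault(utc(t), []).append(flag)
        for t, flags in by_time.items():
            events.append(Event(t, "FILE", "".join(f if f in flags else "." for f in "MACB"), path))
    for eid, t, msg in evtx:
        events.append(Event(utc(t), "EVT", "....", f"EventID {eid}: {msg}"))
    for epoch, url in web:
        events.append(Event(datetime.fromtimestamp(epoch, tz=timezone.utc), "WEBHIST", "....", url))
    for name, t, count in pf:
        events.append(Event(utc(t), "PREFETCH", "....", f"{name} run count {count}"))
    return sorted(events)  # chronological merge across all sources

def filter_range(events, start, end):
    """Keep events with start <= ts < end, mirroring a psort date filter."""
    s, e = utc(start), utc(end)
    return [ev for ev in events if s <= ev.ts < e]

def to_rows(events):
    """Render l2tcsv-like rows: date,time,timezone,MACB,source,description."""
    return [f"{ev.ts:%Y-%m-%d,%H:%M:%S},UTC,{ev.macb},{ev.source},{ev.desc}" for ev in events]

if __name__ == "__main__":
    for row in to_rows(filter_range(build_timeline(FS_MACB, EVTX, WEBHIST, PREFETCH),
                                    "2024-06-01", "2024-06-05")):
        print(row)
```

Reading the sorted rows top to bottom gives the narrative the lesson describes: browser visit, file written, process launched, prefetch recorded.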
