I was thinking that there are micro timelines, traditional timelines and super timelines. I'm wondering if there is another type of timeline already being used. Network based logs (IDS, flows, firewall, etc.) are kind of a distributed timeline in that it's one type of data, but for many computers.
The only host based timeline like that I can think of is remote syslog. My question to the pros is if there is host based data other than the usual event logs that could be gathered from multiple hosts that would be useful in timeline analysis.
For example, maybe gathering the ASEPs from computers by
I was thinking that there are micro timelines, traditional timelines and super timelines. I'm wondering if there is another type of timeline already being used. Network based logs (IDS, flows, firewall, etc.) are kind of a distributed timeline in that it's one type of data, but for many computers.
It seems that you're thinking of this in terms of the timeline, not the data. Terms such as "micro timeline" or "super timeline" simply provide a description of the data sources used…they're not a specific technique in and of themselves.
The timeline development framework that I describe in chapter 7 of "Windows Forensic Analysis Toolkit 3/e" is just that…a framework. Just about any data source can be normalized into the format and a timeline rendered from the events.
The only host based timeline like that I can think of is remote syslog. My question to the pros is if there is host based data other than the usual event logs that could be gathered from multiple hosts that would be useful in timeline analysis.
Take a look at chapter 7 of WFAT 3/e…there are a LOT of host-based data sources, just on Windows systems, besides the Event Logs. The Registry, Prefetch files, Jump Lists, etc. Pretty much anything with a time stamp that can be associated with an activity can be put into a timeline.
For example, maybe gathering the ASEPs from computers by
Automating Autoruns. Instead of just submitting new files to VirusTotal, you could show new ASEPs and the timestamps from the file, registry key or both. You might find a new suspicious ASEP created on multiple computers and could track the spread of malware.
Yes, this is something that's already being done by a good number of folks who are creating timelines. For example, when generating a base timeline for a single system, one generally uses the LastWrite times from all of the keys in all of the available Registry hives (or most of them) on a system. From there, you can narrow down specific malware artifacts using either the metadata (values, subkeys, etc.) of specific keys, or by incorporating Registry value data that itself includes time stamps.
This has been a very effective means of IoC identification and event correlation across multiple systems.
Yeah, I was thinking data is often categorized as host or network based and so that might apply to timelines as well. However, as usual I'm apparently a little late with the idea to timeline compromises across a network using host data. Oh well. :)
WFAT 3/e looks good and is already on my wish list, so I'll check it out sometime.
Thanks!
Yeah, I was thinking data is often categorized as host or network based and so that might apply to timelines as well.
It applies very well to timelines; the 5-field timeline format that I am using was designed to be used not only when correlating multiple hosts, but also external data sources, such as firewall or proxy logs. In fact, this could be easily employed by normalizing Carbon Black events along with proxy/firewall logs from an enterprise.
However, as usual I'm apparently a little late with the idea to timeline compromises across a network using host data.
Not at all. In my experience presenting on this topic, there are a LOT of DFIR folks who aren't even using timelines for single hosts yet, so just thinking about incorporating network-based data sources puts you ahead of the power curve. 😉
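Tying the two threads together (new ASEPs gathered from several hosts, and the 5-field timeline format used to correlate them), here is an added example that is not from this exchange or its authors. It assumes the 5-field format is pipe-delimited time|source|host|user|description with time as Unix epoch, and uses constructed Autoruns-style records (host, ASEP key, image path, key LastWrite time) to build a cross-host timeline and list the ASEP images that show up on more than one host in LastWrite order.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data: Autoruns-style ASEP records collected from three hosts.
# Fields: hostname, ASEP Registry key, entry image path, key LastWrite time (UTC).
ASEP_RECORDS = [
    ("WS01", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Users\Public\svchost32.exe", "2012-03-14 02:11:05"),
    ("WS01", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Program Files\Vendor\updater.exe", "2011-11-02 09:30:00"),
    ("WS02", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Users\Public\svchost32.exe", "2012-03-14 03:47:22"),
    ("WS03", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Users\Public\svchost32.exe", "2012-03-14 05:02:51"),
    ("WS03", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", r"C:\Program Files\Vendor\updater.exe", "2011-11-02 09:30:00"),
]


def to_tln(records):
    """Normalize records into assumed 5-field lines: epoch|source|host|user|description.
    The user field is left empty because a key LastWrite time carries no user context."""
    lines = []
    for host, key, image, lastwrite in records:
        ts = datetime.strptime(lastwrite, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        lines.append(f"{int(ts.timestamp())}|REG|{host}||ASEP {key} -> {image}")
    # a timeline is only useful once every host's events are merged in time order
    return sorted(lines, key=lambda line: int(line.split("|")[0]))


def asep_spread(records, min_hosts=2):
    """Return {image: [(first_lastwrite, host), ...]} for ASEP images present on at
    least min_hosts hosts, ordered by LastWrite time so the apparent spread is visible."""
    seen = defaultdict(dict)
    for host, _key, image, lastwrite in records:
        # keep the earliest LastWrite time per host for each image
        if host not in seen[image] or lastwrite < seen[image][host]:
            seen[image][host] = lastwrite
    result = {}
    for image, hosts in seen.items():
        if len(hosts) >= min_hosts:
            result[image] = sorted((t, h) for h, t in hosts.items())
    return result
```

An entry such as updater.exe that appears on several hosts with an identical, older LastWrite time reads as a legitimate baseline; the same image landing on host after host within a few hours is what the correlation is meant to surface.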