Do we need a standard?
I've re-presented my "definition" of the five fields I use for timeline analysis, and added a couple of optional fields.
http//
Do the described fields suffice? Is anything else needed?
One item that always causes issues is time in relation to what?
I have run into issues where the firewall or IDS or border device is set to GMT/UTC, a server at the host site is on their local time, and the suspect computer is on another local time. For me, converting everything to GMT makes sense and keeps all times relative. However, I spent a bunch of wasted time on the stand trying to explain time offsets. And to really wrench things, opposing counsel used the local time of each device rather than a standard time (I suspect partly to obfuscate and confuse and, dare I say, create doubt).
Bithead,
Conversion to UTC time is often (not always) easy, and allows for an apples-to-apples comparison.
With respect to the opposing counsel, I guess if it were me, I'd want someone to mount a competent defense…
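The UTC normalization discussed in the two posts above (a border device logging in UTC, a server on one local time, a suspect machine on another), as an added example that is not part of the original thread or of anyone's tooling. The hosts, zones, timestamps and descriptions are constructed, and the row layout (epoch, UTC string, source, description) is an assumption rather than the five-field definition the opening post refers to. It also covers the "not always easy" part: a local clock reading that falls in a DST repeated hour or skipped hour cannot be mapped to UTC by simple arithmetic, and the helper flags those.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed: the zone each source's clock is actually set to.
# fw01 logs in UTC, srv01 sits on US Eastern, the suspect laptop on US Pacific.
SOURCE_ZONES = {
    "fw01": "UTC",
    "srv01": "America/New_York",
    "laptop-suspect": "America/Los_Angeles",
}

# Constructed events as each device recorded them, in its own local clock.
RAW_EVENTS = [
    ("fw01", "2012-03-14 13:02:10", "Allowed outbound TCP to 203.0.113.5:443"),
    ("srv01", "2012-03-14 09:01:55", "User jdoe logon (type 10)"),
    ("laptop-suspect", "2012-03-14 06:02:30", "Prefetch: PUTTY.EXE"),
]


def to_utc(raw, source):
    """Attach the source's zone to its naive local timestamp and convert to UTC."""
    naive = datetime.strptime(raw, FMT)
    local = naive.replace(tzinfo=ZoneInfo(SOURCE_ZONES[source]))
    return local.astimezone(timezone.utc)


def build_timeline(events):
    """Return rows (epoch, utc_string, source, description) sorted on UTC time.

    Sorting on the epoch value gives one ordering regardless of which
    device's local clock each record came from.
    """
    rows = []
    for source, raw, desc in events:
        utc = to_utc(raw, source)
        rows.append((int(utc.timestamp()), utc.strftime("%Y-%m-%d %H:%M:%SZ"), source, desc))
    return sorted(rows)


def clock_problem(raw, zone_name):
    """Flag local clock readings that have no single UTC equivalent.

    Returns "ambiguous" for a reading in the repeated hour of a fall-back
    transition, "nonexistent" for a reading in the skipped hour of a
    spring-forward transition, and None otherwise. Uses PEP 495 fold
    semantics: if both folds give the same offset the reading is clean;
    otherwise a UTC round trip distinguishes a repeated hour from a gap.
    """
    zone = ZoneInfo(zone_name)
    naive = datetime.strptime(raw, FMT)
    first = naive.replace(tzinfo=zone, fold=0)
    second = naive.replace(tzinfo=zone, fold=1)
    if first.utcoffset() == second.utcoffset():
        return None
    roundtrip = first.astimezone(timezone.utc).astimezone(zone)
    if roundtrip.replace(tzinfo=None) == naive:
        return "ambiguous"
    return "nonexistent"


if __name__ == "__main__":
    for row in build_timeline(RAW_EVENTS):
        print("%d|%s|%s|%s" % row)
    for raw, zone in [("2012-11-04 01:30:00", "America/New_York"),
                      ("2012-03-11 02:30:00", "America/New_York")]:
        print(raw, zone, clock_problem(raw, zone))
```

Read by local clocks the laptop's Prefetch entry (06:02) looks like the earliest of the three, but once the server's 09:01:55 EDT is converted to 13:01:55Z the server logon is first, then the firewall record, then the laptop. Two events that differ by less than a minute in UTC appear hours apart in local time, which is the kind of gap a cross-examiner can exploit. The `clock_problem` check is the caveat behind "often (not always)": an analyst who records a time inside the repeated or skipped DST hour should note which interpretation was applied rather than silently picking one.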