🧭 Timelines and Pivoting: Investigating Advanced Threat Activity

By James K. Bishop, vCISO | Founder, Stage Four Security

🔍 Why Timeline Reconstruction Matters

In advanced attacks—especially those involving lateral movement or stealthy persistence—single events rarely tell the whole story. To understand what happened, when, and how deep the compromise goes, you need to reconstruct a clear timeline across users, systems, logs, and evidence sources.

This post explores how to build forensic timelines and pivot across data to uncover attacker behavior, map the blast radius, and accelerate response.

🧱 Start With Anchor Events

Anchor events give you a foothold into the attacker’s activity:

  • Initial alert (e.g., EDR detection, login anomaly)
  • Known compromise time (e.g., phishing email timestamp)
  • System crash, unauthorized change, or first incident report

Use these anchors to define your temporal scope and begin building a working timeline.

🔄 Pivoting: Chaining Events to Build Context

Pivoting is the investigative process of linking one data point to another. Start with an artifact (e.g., process name, IP address, user) and explore related activity:

  • IP address → process → parent process → user → login time
  • Registry key → executable path → hash → EDR detection → lateral connection

Tools like Elastic, Splunk, Velociraptor, and SOAR platforms support this type of chaining visually and through search queries.
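The chain in the first bullet (IP → process → parent process → user → login time), worked through in code. This is an added example and not code from the original post; the hosts, users, PIDs, IP addresses and timestamps are constructed, and the records stand in for EDR network, process-creation and Windows logon telemetry that has already been normalized to UTC.

```python
"""Pivot chaining over constructed telemetry (added example; not code from the
original post). Starting from a suspicious remote IP, follow
IP -> process -> parent process -> user -> login time, the chain the post
describes. All hosts, users, PIDs and IPs below are made up."""
from datetime import datetime, timezone


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed sample records. In practice these come from EDR, firewall and
# Windows Security logs, already normalized to UTC.
NETWORK = [  # outbound connections, attributed to a PID by the EDR sensor
    {"host": "WS-042", "pid": 4412, "remote_ip": "203.0.113.7", "ts": "2024-05-02T10:17:03Z"},
    {"host": "WS-042", "pid": 1188, "remote_ip": "198.51.100.20", "ts": "2024-05-02T09:01:11Z"},
]
PROCESSES = [  # process creation events (one row per PID on a host)
    {"host": "WS-042", "pid": 4412, "ppid": 3920, "image": "powershell.exe", "user": "CORP\\jdoe", "ts": "2024-05-02T10:16:58Z"},
    {"host": "WS-042", "pid": 3920, "ppid": 2204, "image": "WINWORD.EXE", "user": "CORP\\jdoe", "ts": "2024-05-02T10:16:40Z"},
    {"host": "WS-042", "pid": 2204, "ppid": 900, "image": "explorer.exe", "user": "CORP\\jdoe", "ts": "2024-05-02T08:58:12Z"},
    {"host": "WS-042", "pid": 1188, "ppid": 2204, "image": "OUTLOOK.EXE", "user": "CORP\\jdoe", "ts": "2024-05-02T08:59:30Z"},
]
LOGONS = [  # Windows logon events (4624); logon_type 2 = interactive, 10 = RDP
    {"host": "WS-042", "user": "CORP\\jdoe", "logon_type": 2, "ts": "2024-05-02T08:57:50Z"},
    {"host": "WS-042", "user": "CORP\\jdoe", "logon_type": 10, "ts": "2024-05-01T17:30:00Z"},
]


def find_process(host, pid):
    """Look up the creation record for a PID on a host (None if never logged)."""
    return next((p for p in PROCESSES if p["host"] == host and p["pid"] == pid), None)


def latest_logon_before(host, user, ts):
    """Most recent logon for user on host that precedes ts (None if none)."""
    cutoff = parse_ts(ts)
    candidates = [l for l in LOGONS
                  if l["host"] == host and l["user"] == user and parse_ts(l["ts"]) <= cutoff]
    return max(candidates, key=lambda l: parse_ts(l["ts"]), default=None)


def pivot_from_ip(remote_ip):
    """Return the pivot chain as a list of (step, record) tuples.

    The chain stops at whatever link is missing from the data, so a truncated
    chain is itself a finding: it marks a logging gap to record, not to guess."""
    chain = []
    conn = next((n for n in NETWORK if n["remote_ip"] == remote_ip), None)
    if conn is None:
        return chain
    chain.append(("network", conn))

    # Walk the process tree upward until the root or an unlogged parent.
    proc = find_process(conn["host"], conn["pid"])
    user = proc["user"] if proc else None
    while proc is not None:
        chain.append(("process", proc))
        proc = find_process(proc["host"], proc["ppid"])

    # Pivot from the process owner to the logon session it most likely ran in.
    if user is not None:
        logon = latest_logon_before(conn["host"], user, conn["ts"])
        if logon is not None:
            chain.append(("logon", logon))
    return chain


def describe(chain):
    """Render the chain as one line per pivot, in the order it was followed."""
    lines = []
    for step, rec in chain:
        if step == "network":
            lines.append(f"{rec['ts']} network  pid={rec['pid']} -> {rec['remote_ip']}")
        elif step == "process":
            lines.append(f"{rec['ts']} process  pid={rec['pid']} ppid={rec['ppid']} "
                         f"{rec['image']} ({rec['user']})")
        else:
            lines.append(f"{rec['ts']} logon    {rec['user']} type={rec['logon_type']}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(pivot_from_ip("203.0.113.7"))))
```

Run stand-alone it prints the five-link chain for 203.0.113.7: the PowerShell connection, its WINWORD.EXE and explorer.exe ancestors, and the interactive logon the session belongs to. The walk deliberately ends when a parent PID has no creation record (PID 900 here) rather than inventing one; that missing link goes into the timeline as a gap.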

🧪 Key Timeline Data Sources

These sources form the foundation of timeline investigations:

  • EDR/AV telemetry: Process creation, parent-child trees, DLL injection
  • System logs: Windows Event Logs, Linux auth logs, RDP sessions
  • Network logs: Firewall, proxy, DNS, and VPN session history
  • Cloud audit logs: AWS CloudTrail, Azure Activity Logs, Okta sign-ins
  • Disk timestamps: File creation, modification, access (MAC times)

Preserve the original timestamps and normalize timezones early. Time skew kills accuracy.

🧰 Building a Timeline: Tools & Formats

Organize findings chronologically in a format your team can understand:

  • CSV or JSON: Easy to share and ingest into tools
  • Timeline and graph tools: Timesketch, Kroll Artifact Parser (KAPE), Velociraptor
  • Timeline spreadsheets: With columns for time, source, user, system, action, notes

Color code by user/system or tactic (initial access, execution, persistence, etc.). Highlight uncertainty where exact times aren’t known.
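The two sections above (normalizing timezones and clock skew while preserving original timestamps, then emitting a shareable CSV/JSON timeline with a notes column for uncertainty) combined into one worked example. This is added code, not the author's; the Windows export, Linux auth.log lines, CloudTrail record, host UTC offsets and the 125-second clock skew are all constructed, and the per-host context dictionary stands for what an analyst records during scoping.

```python
"""Normalizing heterogeneous log timestamps into one UTC timeline and emitting
CSV/JSON (added example; not code from the original post). Sources, hosts,
clock offsets and events are constructed. Assumptions are marked inline."""
import csv
import io
import json
import re
from datetime import datetime, timedelta, timezone

# Assumption: per-host context gathered during scoping. The Windows host logs
# local time with no offset, so the analyst records its UTC offset; the Linux
# host's clock was measured 125 s fast against the NTP reference.
HOST_CONTEXT = {
    "WS-042": {"utc_offset": timedelta(hours=-4), "skew": timedelta(0)},
    "web01":  {"utc_offset": timedelta(0),        "skew": timedelta(seconds=125)},
}
CASE_YEAR = 2024  # syslog lines carry no year; taken from the case scope

# Constructed raw inputs, one per source type.
WINDOWS_CSV = """TimeCreated,Host,EventID,User,Message
2024-05-02 06:16:58,WS-042,4688,CORP\\jdoe,New process powershell.exe parent WINWORD.EXE
2024-05-02 06:17:40,WS-042,4698,CORP\\jdoe,Scheduled task Updater created
"""
LINUX_AUTH = """May  2 10:18:10 web01 sshd[1234]: Accepted password for deploy from 198.51.100.20 port 5222 ssh2
May  2 10:18:41 web01 sudo:   deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
"""
CLOUDTRAIL = [
    {"eventTime": "2024-05-02T10:18:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "deploy-svc"}, "sourceIPAddress": "203.0.113.7"},
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def normalize(host, naive_dt):
    """Apply the host's UTC offset, then subtract its measured clock skew."""
    ctx = HOST_CONTEXT[host]
    aware = naive_dt.replace(tzinfo=timezone(ctx["utc_offset"]))
    return aware.astimezone(timezone.utc) - ctx["skew"]


def entry(time_utc, original, source, host, user, action, notes=""):
    """One timeline row; the original timestamp string is always kept."""
    return {"time_utc": time_utc.strftime("%Y-%m-%dT%H:%M:%SZ"), "original_timestamp": original,
            "source": source, "host": host, "user": user, "action": action, "notes": notes}


def parse_windows(text):
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        yield entry(normalize(row["Host"], naive), row["TimeCreated"], "winevt",
                    row["Host"], row["User"], f"{row['EventID']}: {row['Message']}",
                    "local time converted using recorded host UTC offset")


def parse_linux(text):
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, msg = m.groups()
        naive = datetime.strptime(f"{CASE_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        user_m = re.search(r"for (\S+) from|sudo:\s+(\S+) :", msg)
        user = next((g for g in user_m.groups() if g), "") if user_m else ""
        skew = HOST_CONTEXT[host]["skew"].total_seconds()
        yield entry(normalize(host, naive), f"{mon}  {day} {hms}", "auth.log", host, user, msg,
                    f"clock skew corrected by -{skew:.0f}s; year assumed from case scope")


def parse_cloudtrail(records):
    for r in records:
        t = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
        yield entry(t, r["eventTime"], "cloudtrail", "aws", r["userIdentity"]["userName"],
                    f"{r['eventName']} from {r['sourceIPAddress']}", "source already UTC")


def build_timeline():
    """Merge every source and sort on the normalized UTC column only."""
    events = [*parse_windows(WINDOWS_CSV), *parse_linux(LINUX_AUTH), *parse_cloudtrail(CLOUDTRAIL)]
    return sorted(events, key=lambda e: e["time_utc"])


def to_csv(timeline):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(timeline[0].keys()))
    w.writeheader()
    w.writerows(timeline)
    return buf.getvalue()


def to_json(timeline):
    return json.dumps(timeline, indent=2)


if __name__ == "__main__":
    print(to_csv(build_timeline()))
```

Note what the skew correction does to the ordering: taken at face value the web01 SSH logon (10:18:10) looks like it follows the PowerShell spawn on WS-042 (06:16:58 local, 10:16:58 UTC); after subtracting the measured 125 seconds it precedes it. The `notes` column carries that correction and the assumed year so a reader of the CSV can see where the uncertainty lives.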

🔁 Look for Attacker TTPs

Use your timeline to identify attacker tactics, techniques, and procedures (TTPs):

  • Scheduled tasks or services as persistence
  • Credential dumping tools (e.g., Mimikatz, LaZagne)
  • Unusual parent-child process relationships (e.g., Word spawning PowerShell)
  • Non-interactive logins from unexpected geolocations

Match to MITRE ATT&CK techniques to label attacker behaviors and detect lateral movement paths.
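A small rule set that labels normalized timeline rows with the ATT&CK techniques behind the four TTPs listed above, plus a first cut at spotting a lateral-movement path. This is an added example, not the author's code or an official ATT&CK mapping; the technique IDs are real, but the matching logic, the expected-country list and every event, host and user are constructed for the example.

```python
"""Labeling timeline rows with MITRE ATT&CK techniques (added example; not code
from the original post). Rules cover the four TTPs the post lists; the events,
hosts, users and the set of 'expected' countries are constructed."""

# Real ATT&CK technique IDs; the rule logic that maps events to them is this
# example's own simplification, not an official detection.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRED_TOOLS = {"mimikatz.exe", "lazagne.exe"}
EXPECTED_COUNTRIES = {"US", "CA"}  # assumption: where this org's users normally sign in from
NON_INTERACTIVE_LOGON_TYPES = {3, 4, 5, 8}  # network, batch, service, network-cleartext

TIMELINE = [  # constructed, already normalized to UTC, deliberately out of order
    {"ts": "2024-05-02T10:16:58Z", "host": "WS-042", "user": "CORP\\jdoe", "kind": "process",
     "image": "powershell.exe", "parent": "WINWORD.EXE"},
    {"ts": "2024-05-02T10:17:40Z", "host": "WS-042", "user": "CORP\\jdoe", "kind": "process",
     "image": "schtasks.exe", "parent": "powershell.exe"},
    {"ts": "2024-05-02T10:21:05Z", "host": "WS-042", "user": "CORP\\jdoe", "kind": "process",
     "image": "mimikatz.exe", "parent": "powershell.exe"},
    {"ts": "2024-05-02T10:25:30Z", "host": "DC01", "user": "CORP\\jdoe", "kind": "logon",
     "logon_type": 3, "src_ip": "203.0.113.7", "country": "RO"},
    {"ts": "2024-05-02T08:57:50Z", "host": "WS-042", "user": "CORP\\jdoe", "kind": "logon",
     "logon_type": 2, "src_ip": "10.20.30.40", "country": "US"},
    {"ts": "2024-05-02T09:00:00Z", "host": "WS-042", "user": "CORP\\jdoe", "kind": "process",
     "image": "OUTLOOK.EXE", "parent": "explorer.exe"},
]


def label(event):
    """Return a list of (technique_id, technique_name, reason) for one event."""
    hits = []
    if event["kind"] == "process":
        image, parent = event["image"].lower(), event["parent"].lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            tid = "T1059.001" if image in {"powershell.exe", "pwsh.exe"} else "T1059"
            hits.append((tid, "Command and Scripting Interpreter", f"{parent} spawned {image}"))
        if image == "schtasks.exe":
            hits.append(("T1053.005", "Scheduled Task/Job: Scheduled Task", f"{image} run by {parent}"))
        if image in CRED_TOOLS:
            hits.append(("T1003", "OS Credential Dumping", f"known credential tool {image}"))
    elif event["kind"] == "logon":
        if (event["logon_type"] in NON_INTERACTIVE_LOGON_TYPES
                and event["country"] not in EXPECTED_COUNTRIES):
            hits.append(("T1078", "Valid Accounts",
                         f"type {event['logon_type']} logon from {event['country']} ({event['src_ip']})"))
    return hits


def label_timeline(timeline):
    """Sort by time and attach an 'attack' list to a copy of every event."""
    return [{**ev, "attack": label(ev)} for ev in sorted(timeline, key=lambda e: e["ts"])]


def lateral_movement_candidates(labeled):
    """Flag a user's labeled remote logon onto a host they had no earlier
    activity on in the timeline: a cheap first cut at lateral-movement paths."""
    seen_hosts = {}
    findings = []
    for ev in labeled:
        hosts = seen_hosts.setdefault(ev["user"], set())
        if ev["kind"] == "logon" and ev["attack"] and ev["host"] not in hosts:
            findings.append((ev["ts"], ev["user"], ev["host"]))
        hosts.add(ev["host"])
    return findings


if __name__ == "__main__":
    labeled = label_timeline(TIMELINE)
    for ev in labeled:
        tags = ", ".join(f"{t[0]} ({t[2]})" for t in ev["attack"]) or "-"
        print(f"{ev['ts']} {ev['host']:7} {ev['kind']:8} {tags}")
    print("lateral movement candidates:", lateral_movement_candidates(labeled))
```

Once sorted, the labels read as a story: Office spawning PowerShell, a scheduled task, a credential tool, then a network logon to DC01 from an unexpected country. The last finding only appears because the timeline is ordered and keyed by user; taken as isolated alerts, none of the four rows shows the path by itself.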

🛑 Pitfalls to Avoid

  • Ignoring time drift between systems (NTP misconfig = bad pivots)
  • Relying on a single source (e.g., EDR) without cross-validation
  • Assuming one alert equals one compromise—watch for parallel activity
  • Overlooking gaps between attacker actions that stem from incomplete logging

Your timeline is only as good as your data. Gaps must be acknowledged, not filled with guesses.

📣 Final Thought

Timelines are the backbone of serious breach investigations. They help responders orient, prove, and defend their understanding of what really happened. The better your pivoting discipline and timestamp hygiene, the faster you move from chaos to clarity.

Need help building forensic timelines, tuning log sources, or correlating attacker activity across your environment? Let’s talk.