Timeline Reconstruction
Network evidence helps build accurate incident timelines:
Correlation Process:
- Normalize timestamps across sources
- Identify initial compromise indicators
- Track lateral movement
- Map data access and exfiltration
- Identify persistence mechanisms
- Document cleanup attempts
Timeline Integration:
# Combine multiple evidence sources into one tagged, time-sortable file.
# Assumes firewall.log lines begin with "YYYY-MM-DD HH:MM:SS" and that every
# source has already been converted to the same time zone (here UTC).
awk '{print $1, $2, "FW:", $0}' firewall.log > timeline.txt
# -t ud prints absolute UTC time as "YYYY-MM-DD HH:MM:SS.ffffff", so it sorts with the firewall lines
tshark -r capture.pcap -t ud -T fields -e _ws.col.Time -e ip.src -e ip.dst \
  | awk '{print $1, $2, "PCAP:", $0}' >> timeline.txt
sort -k1,2 timeline.txt > sorted_timeline.txt
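The shell pipeline above only works once every source already shares one time zone and one timestamp layout. The following Python script, added here as an example and not part of the original page, shows the normalization step of the correlation process explicitly: it parses three constructed sample sources (a firewall log in local time, a tshark field export in UTC, and a proxy log using epoch seconds), converts each record to UTC, tags it with its source, and emits one merged timeline. The log formats, host addresses and the firewall's UTC-5 offset are assumptions chosen for the example.

```python
"""Merge records from several evidence sources into one UTC-ordered timeline.

Added example, not code from the original page. All sample lines below are
constructed, and their formats are assumptions about what each source emits.
"""
from datetime import datetime, timezone, timedelta

# Constructed sample evidence (not real data). The three sources deliberately
# disagree on format and zone: the firewall logs local time (assumed UTC-5),
# the tshark export is UTC with fractional seconds, the proxy logs epoch seconds.
FIREWALL_LOG = """\
2024-03-10 09:58:13 deny tcp 10.0.0.5:51234 -> 203.0.113.9:4444
2024-03-10 10:02:40 allow tcp 10.0.0.5:51240 -> 203.0.113.9:443
"""
TSHARK_EXPORT = """\
2024-03-10 15:00:02.104 10.0.0.5 10.0.0.7
2024-03-10 15:01:15.500 10.0.0.7 10.0.0.5
"""
PROXY_LOG = """\
1710082990 10.0.0.5 POST https://203.0.113.9/upload 200
"""

# Assumed local zone of the firewall appliance; in a real case take this from
# the device configuration, never from the log itself.
FIREWALL_TZ = timezone(timedelta(hours=-5))


def parse_firewall(line):
    """'YYYY-MM-DD HH:MM:SS <rest>' in the firewall's local zone -> (UTC datetime, rest)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=FIREWALL_TZ)
    return ts.astimezone(timezone.utc), line[20:].strip()


def parse_tshark(line):
    """'YYYY-MM-DD HH:MM:SS.fff <src> <dst>' already in UTC (tshark -t ud)."""
    ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return ts, line[24:].strip()


def parse_proxy(line):
    """'<epoch seconds> <rest>' -> (UTC datetime, rest)."""
    epoch, rest = line.split(" ", 1)
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc), rest.strip()


# (source tag, raw text, parser) for each evidence source
SOURCES = [
    ("FW", FIREWALL_LOG, parse_firewall),
    ("PCAP", TSHARK_EXPORT, parse_tshark),
    ("PROXY", PROXY_LOG, parse_proxy),
]


def build_timeline(sources=SOURCES):
    """Normalize every record to UTC, tag it with its source and sort by time."""
    events = []
    for tag, text, parser in sources:
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, detail = parser(line)
            events.append((ts, tag, detail))
    # sort is stable, so records with identical timestamps keep source order
    events.sort(key=lambda event: event[0])
    return events


def format_timeline(events):
    """Render events as 'ISO-8601 UTC  TAG: detail' lines for the report."""
    return [
        f"{ts.strftime('%Y-%m-%dT%H:%M:%S.%f')}Z {tag}: {detail}"
        for ts, tag, detail in events
    ]


if __name__ == "__main__":
    for line in format_timeline(build_timeline()):
        print(line)
```

Once the records are in one zone the ordering becomes meaningful: the denied connection to port 4444 at 14:58:13 UTC, the internal traffic between 10.0.0.5 and 10.0.0.7, the later allowed outbound connection and the proxy upload line up as a single sequence, whereas sorting the raw lines would have placed the firewall entries five hours early. The same skeleton extends to further sources by adding a parser and a tag to SOURCES.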