
Case Studies: Building Effective Timelines with Plaso (Log2Timeline)


By now, if you’ve followed the previous articles in this series, you should be very comfortable with:
  • Creating timelines using Plaso / Log2Timeline

  • Running Plaso on Windows and Ubuntu

  • Creating timelines for Linux systems

  • Understanding how timelines help reconstruct attacker activity


If you haven’t read those yet, you can find them here:

At this point, you may already feel confident—maybe even like an expert—when it comes to building timelines.


👉 Case studies are where timelines truly start to make sense.

So yes… we’re doing case studies 😄 because learning again (and differently) is never a bad thing.

Let’s get started.


---------------------------------------------------------------------------------------------------------

Case Study 1: Web Server Intrusion (Triage-Based Timeline)

Scenario

You receive an alert about suspicious activity on a production web server. Time is critical, and you have limited context.


Instead of waiting for a full disk image, you collect a triage package from the system:

  • Windows Event Logs

  • IIS web server logs

  • Master File Table (MFT) parsed separately


Your goal:

  • Validate the alert

  • Understand what happened

  • Identify suspicious activity quickly



Step 1: Parse Triage Artifacts (Event Logs + IIS Logs)

We begin by creating a focused timeline using only the most relevant artifacts.

log2timeline.py --timezone 'EST' \
  --parsers 'winevtx,winiis' \
  --storage-file output.plaso \
  /cases/IIS_Triage

Why this matters:

  • winevtx captures Windows event activity

  • winiis captures HTTP requests, errors, and access patterns

  • This keeps processing fast and noise low during early investigation



Step 2: Add Full MFT Metadata

Next, we append full filesystem metadata extracted using MFTEcmd. (If you want to learn how to create a body file with MFTEcmd, check out the articles above.)


log2timeline.py --parsers 'mactime' \
  --storage-file output.plaso \
  /cases/IIS_mftecmd.body

This step deserves special attention: the section "Why not use Plaso’s filestat parser?" below explains why the MFT is imported separately instead of relying on Plaso’s own filesystem metadata.




Step 3: Filter and Build the Super Timeline

Finally, we sort, filter, and export the timeline for analysis.

psort.py --output-time-zone 'UTC' \
  -o l2tcsv \
  -w supertimeline.csv \
  output.plaso \
  "date > datetime('2023-01-01T00:00:00') AND date < datetime('2023-01-27T00:00:00')"

This produces a filtered super timeline that:

  • Focuses only on the incident window

  • Is ready for tools like Timeline Explorer

  • Can be quickly reviewed for attacker activity




-------------------------------------------------------------------------------------------------------------

Case Study 2: Full Disk Super Timeline


Scenario

Now imagine a different situation.

Instead of triage data, you have:

  • A full disk image (E01, raw disk, or cloud snapshot)

  • More time

  • A need for deep historical analysis


Your goal:

  • Build a comprehensive super timeline

  • Preserve complete file system metadata

  • Still keep processing efficient


Step 1: Parse Disk Image Using a Filter File

log2timeline.py --timezone 'UTC' \
  -f filter_windows.yaml \
  --parsers 'win7,!filestat' \
  --storage-file out.plaso \
  /cases/cdrive/disk.E01

What’s happening here:

  • win7 loads default Windows artifact parsers

  • !filestat disables filesystem parsing (we’ll handle it separately)

  • filter_windows.yaml is a filter file that limits parsing to high-value system artifacts




Why not use Plaso’s filestat parser?

Plaso’s filesystem parser only records metadata for files it actively parses. In this case, we parsed only logs, not the entire disk.


By parsing the MFT separately with MFTEcmd and importing it using the mactime parser, we gain:

  • Full file system visibility

  • Creation, modification, access, and entry timestamps

  • Metadata for files not directly parsed by Plaso


This is a powerful technique when:

  • You’re working with triage images

  • Full disk images are unavailable or unnecessary

  • Speed matters


You’ll see this approach repeatedly in advanced investigations.

This avoids wasting time on hundreds of thousands of irrelevant files.



Step 2: Append Full MFT Metadata

log2timeline.py --parsers 'mactime' \
  --storage-file out.plaso \
  /cases/mftecmd.body

Even with a full disk image, we:

  • Do not parse every file (thanks to the filter file)

  • Still want complete filesystem visibility


Appending the MFT provides:

  • Full file coverage

  • Accurate timestamps

  • File size and metadata context


Many like me prefer MFTEcmd output over Plaso’s native filestat format for filesystem analysis.


Step 3: Filter and Export the Timeline

psort.py --output-time-zone 'UTC' \
  -o l2tcsv \
  -w supertimeline.csv \
  out.plaso \
  "date > datetime('2026-01-01T00:00:00') AND date < datetime('2026-01-27T00:00:00')"

You now have a true super timeline combining:

  • Logs

  • Registry artifacts

  • File system activity

  • User actions

  • System events


All aligned chronologically.
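Both Step 3 exports above end in an l2tcsv file that an analyst opens and starts pivoting through. The script below is an added example (not from the article and not part of Plaso) showing the first checks worth running on that file before the manual review: confirm every event really falls inside the psort date window, see how much each source (EVT, LOG, FILE) contributes, and pull the interleaved events around one event of interest. It assumes the 17-column l2tcsv layout psort writes and that the export used --output-time-zone UTC; the sample rows are constructed, not real psort output.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Column order of psort's l2tcsv output module.
HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,"
          "version,filename,inode,notes,format,extra")

# Constructed sample: hypothetical IIS, MFT and event log rows for host WEB01.
SAMPLE = HEADER + "\n" + "\n".join([
    "01/15/2023,03:12:40,UTC,....,LOG,IIS Log File,Log Entry,-,WEB01,"
    "POST /upload.aspx 200,POST /upload.aspx 200,2,"
    "/inetpub/logs/LogFiles/W3SVC1/u_ex230115.log,-,-,winiis,-",
    "01/15/2023,03:12:44,UTC,...B,FILE,Mactime Bodyfile,Creation Time,-,WEB01,"
    "/inetpub/wwwroot/upload/img.aspx,/inetpub/wwwroot/upload/img.aspx,2,"
    "/cases/IIS_mftecmd.body,-,-,mactime,-",
    "01/15/2023,03:13:01,UTC,....,EVT,WinEVTX,Content Modification Time,-,WEB01,"
    "[4688] A new process has been created,[4688] A new process has been created,"
    "2,/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-",
    "02/03/2023,09:00:00,UTC,....,EVT,WinEVTX,Content Modification Time,-,WEB01,"
    "[6005] The Event log service was started,[6005] The Event log service was started,"
    "2,/Windows/System32/winevt/Logs/System.evtx,-,-,winevtx,-",
])


def load_l2tcsv(text):
    """Parse l2tcsv text into dicts and attach a tz-aware 'ts' datetime to each."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        # The page exports with --output-time-zone UTC; refuse anything else.
        assert row["timezone"] == "UTC", "export the timeline in UTC first"
        row["ts"] = datetime.strptime(f'{row["date"]} {row["time"]}',
                                      "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["ts"])  # psort already sorts; keep it defensive


def outside_window(rows, start, end):
    """Rows not in [start, end); should be empty if the psort date filter did its job."""
    return [r for r in rows if not (start <= r["ts"] < end)]


def source_counts(rows):
    """Contribution of each artifact source (EVT = event logs, LOG = IIS, FILE = MFT)."""
    return Counter(r["source"] for r in rows)


def pivot(rows, anchor, minutes=5):
    """All sources interleaved within +/- minutes of one event of interest."""
    delta = timedelta(minutes=minutes)
    return [r for r in rows if abs(r["ts"] - anchor) <= delta]
```

A four-second gap between a POST to the upload handler and a new .aspx file being created under wwwroot, followed by a process-creation event, is exactly the kind of cross-source sequence a single-artifact view would miss.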

-------------------------------------------------------------------------------------------------------------

Key Takeaways

  • Timelines are not one-size-fits-all

  • Triage timelines prioritize speed and signal

  • Full disk timelines prioritize depth and completeness

  • Appending MFT data via MFTEcmd + mactime is an extremely effective technique

  • Filter files help control noise without sacrificing context


If there’s one thing to remember:

A good timeline doesn’t show everything — it shows the right things, in the right order.

-------------------------------------------------------------------------------------------------------------
