
Creating a Timeline for Linux Triage with fls, mactime, and Plaso (Log2Timeline)

  • Apr 28
  • 4 min read

Building a timeline during forensic investigations is super important — it helps you see what happened and when.

Today, I’ll walk you through two simple but powerful ways to create timelines:
  • Using fls + mactime

  • Using Plaso / Log2Timeline (psteal, log2timeline, psort)

Don’t worry — I’ll explain everything in a very simple way, just like we’re talking casually!


--------------------------------------------------------------------------------------------------------

🛠 Method 1: Using fls and mactime for Filesystem Timeline


First things first: make sure The Sleuth Kit is installed. If not, you can install it easily:

sudo apt install sleuthkit

The sleuthkit package gives you useful forensic tools like fls, mactime, icat, and more.


Step 1: Create a Body File with fls

Now, let's create the timeline body file:

fls -r -m "/" "/mnt/c/Users/Akash's/Downloads/image.dd" > "/mnt/c/Users/Akash's/Downloads/timeline.body"

What’s happening here?

  • -r → Recursively walk through all directories and files.

  • -m "/" → Prefix every path in the output with the mount point /, so the body file shows absolute paths.

  • /mnt/.../image.dd → This is your disk image (quoted because the path contains an apostrophe).


👉 Combining -r and -m "/", we tell fls:

"Hey, start from root and go deep into everything inside."


Tip: Check your .body output — it should look clean and pipe-delimited (| characters). If it looks good, you’re all set for the next step!



Step 2: Create a CSV Timeline with mactime

Now let's process the body file and create a readable timeline:

mactime -b "/mnt/c/Users/Akash's/Downloads/timeline.body" -d -y > "/mnt/c/Users/Akash's/Downloads/timeline.csv"

What do the options mean?

  • -b → Body file input.

  • -d → Output in delimited format (for spreadsheets).

  • -y → Use UTC time zone.



Optional: You can also specify a different timezone (not recommended generally):

mactime -b file.body -d -y -z Europe/Berlin

Or even specify a date range if you want:

mactime -b timeline.body -d -y 2025-04-02..2025-04-22 > timeline.csv
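To make it clear what mactime is actually doing with the body file from Step 1, here is a small added example (written for this article, not code from The Sleuth Kit): it parses the pipe-delimited body format that fls writes, groups each file's four timestamps into rows with m/a/c/b flags, sorts them, and emits a comma-delimited timeline with the same columns as mactime -d. The body lines are constructed samples, not from a real image; the assumed layout is the TSK 3.x body format MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, and dates are printed as ISO 8601 in UTC.

```python
"""Added example: a minimal re-implementation of mactime's body-to-timeline step.
Not from the original post or from The Sleuth Kit.

Assumed body format (TSK 3.x, one file per line):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample body lines, not taken from a real image.
SAMPLE_BODY = """\
0|/etc/passwd|131075|r/rrw-r--r--|0|0|2312|1745000000|1744000000|1744000000|1743000000
0|/home/user/.bash_history|262145|r/rrw-------|1000|1000|512|1745100000|1745100000|1745100000|1745000000
0|/home/user|262144|d/drwxr-xr-x|1000|1000|4096|1745100000|1744000000|1744000000|1743000000
"""

# Which body timestamp sets which letter of the MACB column.
MACB_FLAGS = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}
CSV_HEADER = ["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"]


def parse_body(text):
    """Split each body line into its 11 fields; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"body line {lineno}: expected 11 fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        records.append({
            "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
            "size": size,
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime),
        })
    return records


def build_timeline(records):
    """One row per distinct timestamp of each file, flagged m/a/c/b.
    A file whose mtime and ctime are equal gets a single 'm.c.' row."""
    rows = []
    for rec in records:
        by_ts = {}
        for key, flag in MACB_FLAGS.items():
            ts = rec[key]
            if ts == 0:  # a zero timestamp means 'not set'; this example skips it
                continue
            by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            rows.append({
                "Date": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "Size": rec["size"],
                "Type": "".join(f if f in flags else "." for f in "macb"),
                "Mode": rec["mode"], "UID": rec["uid"], "GID": rec["gid"],
                "Meta": rec["inode"], "File Name": rec["name"],
            })
    # Chronological order, then by path for ties, which is how a timeline reads.
    rows.sort(key=lambda r: (r["Date"], r["File Name"]))
    return rows


def to_csv(rows):
    """Comma-delimited output with the same column set as mactime -d."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(parse_body(SAMPLE_BODY))))
```

Run it and compare with a real timeline.csv: the /etc/passwd sample produces three rows (birth, then a shared m.c. row, then access), which is exactly the grouping you see in mactime output when several timestamps on one file are identical.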


Step 3: Analyze Timeline

Use Timeline Explorer (Eric Zimmerman's free tool) to open and analyze your CSV file. It’s one of the easiest ways to slice and dice timeline data visually!

  • You can even turn on hidden columns like UID, GID, Permissions by right-clicking and choosing "Column Chooser."

  • Note: Since I’m running on an ext4 filesystem, I'm able to see creation/birth times too.


👉 Important:

Using fls gives you a filesystem timeline only (file creation, modification, access, and metadata changes).

--------------------------------------------------------------------------------------------------------

🧠 Method 2: Creating Timeline Using Plaso (Log2Timeline)

If you want deeper timelines including event logs, browser history, and way more artifacts — use Plaso.


I've already made two detailed guides on Plaso for Windows if you want to dive even deeper. Links coming below! 😉
  • Running Plaso/Log2Timeline on Windows

  • A Deep Dive into Plaso/Log2Timeline Forensic Tools


Anyway, let’s jump into it.

Option 1: Easy Way — Using psteal.py



Let's run everything in a single command:

psteal.py --source "/mnt/c/Users/Akash's/Downloads/image.dd" -o dynamic -w "/mnt/c/Users/Akash's/Downloads/plasotimeline.csv"

What this does:

  • Runs Log2Timeline + psort automatically.

  • Saves output as a nicely formatted CSV (plasotimeline.csv).


You can use .vmdk virtual machine images too:

psteal.py --source /path/to/your.vmdk -o dynamic -w /path/to/output.csv

Super clean and fast!


Option 2: Manual Way — (Better Control)

Want to control everything yourself? Here’s how:


Step 1: Parse the Image with log2timeline.py

log2timeline.py --storage-file timeline.plaso /path/to/image.dd

  • timeline.plaso is the storage file that saves extracted events.


Step 2: Check Metadata with pinfo.py

pinfo.py timeline.plaso

  • See event counts, sources, time ranges, and other goodies inside the .plaso file.


Step 3: Create Timeline Output with psort.py

psort.py -o dynamic -w timeline.csv timeline.plaso

This command sorts the events and outputs them nicely to a CSV!


--------------------------------------------------------------------------------------------------------

💬 But wait… Why Manual Parsing?

You might ask — if psteal.py is so easy, why bother with manual steps?


Here’s the thing:

  • Manual parsing lets you use powerful filters.

  • You can selectively extract events, artifacts, or specific activities.

  • It's way more flexible for bigger/messier investigations.



🎯 Artifact Filtering with Plaso (Advanced)

Let’s say you want to pull only Bash shell history. Here’s how you can do that:


Step 1: Download Artifacts Repository


Inside, you'll find tons of .yaml files under the /data folder.


Each YAML defines different forensic artifacts!



Step 2: Run log2timeline with Artifact Filter

log2timeline.py --storage-file test.plaso /path/to/image.vmdk --artifact-filters BashShellHistoryFile

👉 Tip: The names come from the artifact YAML files — so if you wonder "where did BashShellHistoryFile come from?" — now you know. 😄


Step 3: Run pinfo with created plaso file

pinfo.py /path/to/outputfile.plaso

Step 4: Run psort with created plaso file

psort.py -o dynamic -w /mnt/c/Users/Admin/Downloads/test.csv /mnt/c/Users/Admin/Downloads/test.plaso



----------------------------------------------------------------------------------------------------------


Using a Custom Filter File

You can also create a mini YAML filter file like this:

description: LinuxSysLogFiles
type: include
path_separator: '/'
paths:
  - '/var/log/syslog*'


And then run:

log2timeline.py --storage-file test3.plaso /path/to/image.vmdk --filter-file /path/to/your_custom.yaml
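Before running a long log2timeline.py pass with a filter file, it helps to preview which paths the filter will actually select. The following is an added example written for this article (not code from Plaso): it takes the same filter as the YAML above, expressed as a Python dict with the same keys, and applies it to a constructed list of paths as if they had been enumerated from a Linux image. Assumptions: each glob is matched one path segment at a time, so a * does not cross a path separator (a simplification of Plaso's own matching), and when a filter list has no include entries every path is treated as included before exclusions are applied.

```python
"""Added example: preview which paths a Plaso-style collection filter selects.
Not from the original post or from Plaso; the matching rules are a simplification.
"""
import fnmatch

# The post's LinuxSysLogFiles filter, as a dict mirroring the YAML keys.
FILTERS = [
    {"description": "LinuxSysLogFiles", "type": "include",
     "path_separator": "/", "paths": ["/var/log/syslog*"]},
]

# Constructed list of paths, as if enumerated from a Linux image.
SAMPLE_PATHS = [
    "/var/log/syslog",
    "/var/log/syslog.1",
    "/var/log/auth.log",
    "/var/log/journal/system.journal",
    "/home/user/.bash_history",
    "/etc/passwd",
]


def _segments(path, sep):
    """Split a path on the filter's separator, dropping empty leading/trailing parts."""
    return [part for part in path.split(sep) if part]


def glob_matches(pattern, path, sep="/"):
    """Segment-by-segment glob match (assumption: '*' never crosses a separator)."""
    pat_parts, path_parts = _segments(pattern, sep), _segments(path, sep)
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(path_parts, pat_parts))


def apply_filters(filters, paths):
    """Return the paths that at least one include entry selects and no exclude entry removes."""
    includes = [f for f in filters if f["type"] == "include"]
    excludes = [f for f in filters if f["type"] == "exclude"]

    def hits(entries, path):
        return any(glob_matches(pattern, path, f.get("path_separator", "/"))
                   for f in entries for pattern in f["paths"])

    collected = []
    for path in paths:
        # Assumption for this example: with no include entries, everything is a candidate.
        included = hits(includes, path) if includes else True
        if included and not hits(excludes, path):
            collected.append(path)
    return collected


if __name__ == "__main__":
    for path in apply_filters(FILTERS, SAMPLE_PATHS):
        print(path)
```

Add an entry with type: exclude to the list to see how exclusions trim the include set, and widen the glob (for example /var/log/*) to check that auth.log and the journal directory are picked up or skipped as you expect before committing to a full extraction.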

Common Issues

  • Sometimes you may face weird errors while using artifact filters directly with the downloaded .yaml files.

  • If that happens, create your own YAML and use --filter-file instead.


Pro Tip:

Always create a full Plaso storage file first, and then filter during psort instead of during log2timeline. This gives you more flexibility later!


--------------------------------------------------------------------------------------------------------


🛠 Bonus: Narrowing Timelines with Psort

You can narrow results easily after timeline creation:


Slice Around a Specific Time

psort.py -o dynamic -w timeline.csv timeline.plaso --slice 2025-04-23T22:00:00+00:00
  • Default slice = 5 minutes before and after.


Date Range Filter

psort.py -o dynamic -w timeline2.csv timeline.plaso "date > '2025-04-01 23:59:59' and date < '2025-04-23 00:00:00'"

This will output events only within your specified date window.
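To see exactly which events the --slice option and the date filter keep, here is an added example (written for this article, not code from Plaso) that re-implements both selections over a psort "dynamic" CSV. The CSV rows are constructed samples in the dynamic column layout (datetime, timestamp_desc, source, source_long, message, parser, display_name, tag), not output from a real image; the slice is assumed to keep events within slice_minutes on either side of the centre time (5 minutes by default, matching the post), and the date filter is assumed to be exclusive on both ends, like the > and < comparisons in the psort filter string.

```python
"""Added example: psort-style --slice and date-range selection over a dynamic CSV.
Not from the original post or from Plaso; sample rows are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed psort dynamic output: header plus a handful of events.
SAMPLE_CSV = """\
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag
2025-04-01T12:00:00.000000+00:00,Content Modification Time,FILE,File stat,OS:/etc/hostname Type: file,filestat,OS:/etc/hostname,
2025-04-10T08:15:00.000000+00:00,Content Modification Time,LOG,Syslog,systemd[1]: Started Session 3 of user alice.,syslog,OS:/var/log/syslog,
2025-04-23T21:57:30.000000+00:00,Content Modification Time,LOG,Syslog,sshd[2211]: Accepted publickey for alice from 10.0.0.5,syslog,OS:/var/log/auth.log,
2025-04-23T22:02:10.000000+00:00,Last Access Time,FILE,File stat,OS:/home/alice/.bash_history Type: file,filestat,OS:/home/alice/.bash_history,
2025-04-23T22:30:00.000000+00:00,Content Modification Time,LOG,Syslog,CRON[2300]: (root) CMD (run-parts /etc/cron.hourly),syslog,OS:/var/log/syslog,
2025-04-24T01:00:00.000000+00:00,Content Modification Time,FILE,File stat,OS:/tmp/x Type: file,filestat,OS:/tmp/x,
"""


def load_events(text):
    """Read the CSV and attach a parsed, timezone-aware datetime to each row."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_when"] = datetime.fromisoformat(row["datetime"])
        events.append(row)
    return events


def slice_events(events, center_iso, slice_minutes=5):
    """Keep events within slice_minutes either side of the centre time (psort --slice)."""
    center = datetime.fromisoformat(center_iso)
    delta = timedelta(minutes=slice_minutes)
    return [e for e in events if center - delta <= e["_when"] <= center + delta]


def _filter_date(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' bound from the filter string; assumed to be UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def date_range(events, after, before):
    """Equivalent of the filter "date > 'after' and date < 'before'" (both bounds exclusive)."""
    lo, hi = _filter_date(after), _filter_date(before)
    return [e for e in events if lo < e["_when"] < hi]


def write_csv(events):
    """Serialize selected events back to the dynamic layout, dropping the helper column."""
    fieldnames = [k for k in events[0].keys() if not k.startswith("_")] if events else []
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    print(write_csv(slice_events(evs, "2025-04-23T22:00:00+00:00")))
    print(write_csv(date_range(evs, "2025-04-01 23:59:59", "2025-04-23 00:00:00")))
```

With the sample data the 5-minute slice around 22:00 keeps only the SSH login and the .bash_history access; the cron job at 22:30 needs a wider slice, which is the same trade-off you make when choosing --slice_size on the real command line.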


--------------------------------------------------------------------------------------------------------


🚀 Conclusion

  • For simple filesystem timelines → fls + mactime works great.

  • For full system artifact timelines → Plaso/Log2Timeline is the best.

  • Recommendation: Always create a full .plaso file, then slice and filter later using psort.py.


"Thanks for sticking with me through this article! See you in the next one — stay curious and keep exploring!"

----------------------------------------Dean---------------------------------------------------------

