Timeline Analysis & Log Forensics

A super timeline correlates timestamps from dozens of artifact types into a single chronological view — turning scattered evidence into a clear narrative of attacker activity.

    Core principle: No single log or artifact tells the full story. Timeline analysis is about correlation — anchoring on a known malicious event, then expanding outward to reconstruct what happened before and after. Plaso ingests everything; psort filters it to your window; Timeline Explorer makes it searchable.
  

Timeline Analysis Methodology

Define the Incident Timeframe

Identify an approximate window — alert timestamp, known outage, customer report. Even a rough window (±48 hours) focuses collection and reduces noise dramatically.

Start wide; narrow as you find anchor events

Acquire All Artifacts

Disk image, memory dump, event logs (.evtx), registry hives, browser data, network logs, server logs. Collect in order of volatility — memory first, then disk.

Don't forget SIEM exports, firewall logs, and EDR telemetry

Build the Super Timeline with log2timeline

Run log2timeline.py against the disk image or artifact directory. Plaso will parse hundreds of artifact types and output a storage file (.plaso).

log2timeline.py --parsers all plaso.dump image.dd

Filter to the Incident Window with psort

psort.py filters the Plaso storage file by date range and outputs to CSV, JSON, or other formats for analysis tools. Reduces millions of entries to thousands.

psort.py -o l2tcsv plaso.dump "date > '2025-03-01' AND date < '2025-03-07'"

Identify Anchor Events

Find a confirmed malicious event (successful logon from attacker IP, malware execution in Prefetch, C2 in network logs). This is your reference point for the rest of the investigation.

Anchors let you pivot: "what happened 5 minutes before this?"

Expand and Correlate

Use Timeline Explorer to search, filter by artifact type, and cross-reference. Look for clusters of activity — reconnaissance bursts, lateral movement sequences, exfiltration windows.

Filter by directory path, username, or process to remove noise

Reconstruct and Document

Build the attacker narrative in chronological order. Every claim must be supported by at least one artifact with a timestamp. Document artifact source, timestamp, and what it proves.

Corroborate each event across two or more independent artifact types where possible

Attack Phase Timeline — Artifact Correlation

🎯

Initial Access

IIS/Apache log: POST to vulnerable endpoint (200 OK), phishing link click in browser history, external logon in VPN/firewall logs

IIS sc-status=200 + cs-method=POST | Browser: downloads table | Auth: 4624 Type 3 from external IP

⚡

Execution

Prefetch file created for malware, 4688 shows cmd.exe/powershell.exe with suspicious command line, Sysmon 1 records full command line + parent + hash

4688 (process create) | Sysmon 1 (process create + hash) | Prefetch: malware-[HASH].pf | Amcache entry

🔍

Discovery / Enumeration

Burst of 4688 events for recon tools (whoami, net user, ipconfig, nltest), $USNJrnl shows recon tool files written, Sysmon 3 shows DNS queries and net connections

4688 cluster: whoami/net/ipconfig/systeminfo | Sysmon 22 (DNS query) | Sysmon 3 (network connect)

🔑

Credential Access

Sysmon 10 (process access to lsass.exe), 4688 for lsass dump tool (ProcDump, Task Manager), $USNJrnl shows dump file creation, mimikatz Prefetch

Sysmon 10 (lsass access) | 4688 (procdump.exe or comsvcs.dll rundll32) | $USNJrnl: lsass.dmp created

↔️

Lateral Movement

4648 (explicit credentials), 4624 Type 3 (network logon) on target systems, Sysmon 3 (SMB/WMI/WinRM connections), 7045 or scheduled task on target

4648 (source) | 4624 Type 3 (target) | Sysmon 3 (network connection to 445/5985/135) | 4698 or 7045 on target

🔒

Persistence

4698/4702 (scheduled task), 7045 (service installed), Registry Run key modification (Sysmon 12/13), LNK file in Startup folder, $USNJrnl shows new files in startup paths

4698 (scheduled task created) | 7045 (new service) | Sysmon 12/13 (registry modification) | Run key in NTUSER.DAT

📤

Exfiltration & Anti-Forensics

Large outbound transfers in firewall/proxy logs, $USNJrnl shows archive creation (.zip/.rar), 1102/104 (logs cleared), Sysmon 23 (file deleted), timestomping detected via $SI vs $FN

1102 (Security log cleared) | 104 (System log cleared) | Sysmon 2 (file time changed = timestomping) | $USNJrnl: archive file creation/deletion

Super Timeline — Plaso & log2timeline

The super timeline aggregates timestamps from hundreds of artifact types into a single chronological view. Plaso is the parsing engine; log2timeline is the command-line interface; psort filters and formats output.

    Workflow: log2timeline.py (create .plaso storage) → psort.py (filter to time window, output CSV/JSON) → Timeline Explorer (GUI analysis, search, filter). The .plaso file is the master database — run psort multiple times with different filters without re-parsing.
  

log2timeline.py

Plaso — Timeline Creation Engine

Parses disk images, directories, or individual artifacts. Extracts timestamps from hundreds of artifact types into a Plaso storage file (.plaso). Run once; query many times.

log2timeline.py --parsers all plaso.dump /image.dd

log2timeline.py --parsers win_evtx,mft,prefetch plaso.dump /mnt/

psort.py

Plaso — Filter & Format

Reads the .plaso storage file, applies date/keyword filters, and outputs in various formats (l2tcsv, JSON, dynamic). Produces the filtered timeline CSV for analysis.

psort.py -o l2tcsv plaso.dump "date > '2025-03-01 00:00:00' AND date < '2025-03-07 23:59:59'" -w timeline.csv

Timeline Explorer

Eric Zimmermann — GUI Analysis

Load the CSV from psort for interactive analysis. Supports free-text search, column filtering, bookmarking, color coding, and exporting subsets. The preferred GCFA analyst tool.

Load CSV → Filter by keyword (e.g., "powershell", "mimikatz") → Filter by source type → Bookmark suspicious entries → Export findings

Plaso Artifact Parsers by Category

Windows System

win_evtx — Event logs mft — $MFT timestamps usnjrnl — $USNJrnl changes prefetch — Prefetch files winreg — Registry hives winreg_default — Default hive

Windows User Activity

lnk — LNK shell links custom_destinations — Jump Lists automatic_destinations — Jump Lists recycle_bin — Recycle Bin $I files thumbsdb — Thumbs.db winjob — Scheduled tasks (.job)

Browser History

chrome_history — Chrome/Edge chrome_preferences — Settings firefox_history — Firefox firefox_cookies — Cookies safari_history — Safari opera_history — Opera

Linux/Unix

syslog — System messages utmp — Login records bash_history — Shell history cron — Cron job logs dpkg — Package installs rpm — RPM installs

Web Server Logs

iis — IIS W3C format apache_access — Apache combined nginx_access — Nginx logs iis_log — IIS binary logs

Database / Email

sqlite — Generic SQLite DBs olecf — OLE compound files plist — macOS plists bencode — BitTorrent esedb — Exchange/IE

$MFT & $USNJrnl in the Timeline

Artifact	What It Contributes to the Timeline	Key Forensic Use
$MFT — $SI timestamps	Modified, Accessed, Changed, Created for every file (user-visible)	File system activity; timestomping target (can be backdated)
$MFT — $FN timestamps	Kernel-set creation, modification timestamps	Compare to $SI — discrepancy reveals timestomping
$USNJrnl	Sequence-numbered record of every file operation: create, write, rename, delete, security change	Proves files existed even after deletion; file operation sequencing
$I30 (Directory Index)	B-Tree entries for files in each directory	Slack space may reveal deleted files that aren't in $MFT unallocated entries
Timestomping in Timeline	$SI Created timestamp predates $FN Created timestamp for the same file	Definitive anti-forensics indicator — $FN is harder to fake

Timestomped File (Suspicious)

Normal File (Clean)

$STANDARD_INFORMATION Created

2019-06-15 08:00:00 UTC ← backdated by attacker

2025-03-04 14:22:11 UTC ← matches reality

$FILE_NAME Created

2025-03-04 14:22:11 UTC ← kernel-set, truthful

2025-03-04 14:22:11 UTC ← matches $SI

$USNJrnl First Entry

2025-03-04 14:22:09 UTC ← proves actual creation date

2025-03-04 14:22:09 UTC ← consistent with all timestamps

Verdict

🚨 TIMESTOMPED — SI precedes FN and USNJrnl

✅ CLEAN — all timestamps consistent

Sysmon & Windows Event Log Correlation

Sysmon (System Monitor) dramatically enriches Windows logging — adding process hashes, command lines, network connections, and injection detection that standard event logs miss.

    Sysmon exam priority: Know Event 1 (process create + hash), Event 2 (file time changed = timestomping), Event 3 (network connection), Event 8 (CreateRemoteThread = injection), Event 10 (ProcessAccess = credential theft from lsass), and Event 22 (DNS query). These five cover the majority of GCFA Sysmon questions.
  

Sysmon Event IDs — Complete Reference

Microsoft-Windows-Sysmon/Operational

Event 1HIGH

Process Created — includes image path, command line, parent, user, hashes (MD5/SHA256/IMPHASH), and integrity level

Event 2HIGH

File Creation Time Changed — a process modified a file's timestamp; direct indicator of timestomping

Event 3HIGH

Network Connection — process name, source/dest IP:port, protocol; reveals C2 beaconing and lateral movement

Event 4

Sysmon service state changed (running/stopped)

Event 5

Process Terminated — useful for calculating process lifetime and detecting short-lived recon tools

Event 6

Driver Loaded — kernel driver installation; rootkit and bootkits load drivers

Event 7

Image (DLL) Loaded — shows DLL path, hash, and whether signed; catch unsigned/unexpected DLLs

Event 8HIGH

CreateRemoteThread — a process created a thread in another process; core step in DLL injection and thread hijacking

Event 9

RawAccessRead — process reading raw disk sectors (bypassing file system); common in credential dumping tools

Event 10HIGH

ProcessAccess — one process opened a handle to another; lsass.exe as target = credential theft (Mimikatz, ProcDump)

Event 11

FileCreate — file created or overwritten; useful for tracking malware drops, lateral tool transfers

Event 12/13/14

Registry Key/Value Created, Modified, Deleted — tracks persistence via Run keys, service installation, and configuration changes

Event 15

FileCreateStreamHash — Alternate Data Stream created; reveals ADS-based hiding and Zone.Identifier (Mark of the Web)

Event 17/18

Pipe Created / Pipe Connected — named pipe activity; Cobalt Strike and Metasploit use named pipes for lateral movement and C2

Event 22HIGH

DNS Query — process name, queried hostname, response; catch C2 domain lookups and DNS-based C2

Event 23

File Delete Archived — file deleted; Sysmon can optionally archive the deleted file; attacker anti-forensics detection

Event 25

Process Tampering — process image change (hollowing, doppelgänging); added in Sysmon v13

RDP Forensics — Multiple Log Sources

Security.evtx

4624 Logon Type 10 — Remote Interactive (RDP logon success)
4634/4647 Logoff — session end
4648 Explicit credentials — pass-the-hash / runas via RDP
4778/4779 Session reconnected / disconnected

Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Event 21 Session logon succeeded — user + session ID + source IP
Event 22 Shell start notification — desktop loaded
Event 23 Session logoff succeeded
Event 24 Session disconnected — RDP disconnect without logoff
Event 25 Session reconnected — resuming a disconnected session

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Event 1149 User authentication succeeded — logged BEFORE full logon; no credentials required to generate this event; records source IP
Event 261 Listener received a connection

Microsoft-Windows-TerminalServices-RDPClient/Operational

Event 1024 RDP client connecting to server — logged on the SOURCE machine (who connected outbound)
Event 1102 Connection error / failure
These events show which systems THIS machine connected TO via RDP

Additional RDP Artifacts

Prefetch: mstsc.exe — RDP client execution evidence
Registry: HKCU\Software\Microsoft\Terminal Server Client\Servers — servers connected to
Registry: HKCU\...\Default — last RDP server username
Jump Lists: mstsc.exe AppID — recently connected servers
Bitmap cache: %APPDATA%\Microsoft\Terminal Server Client\Cache\

RDP Logon Sequence in Timeline

1. RemoteConnectionManager Event 1149 — connection attempt recorded
2. Security Event 4624 (Type 10) — full authentication
3. LocalSessionManager Event 21 — session created
4. LocalSessionManager Event 24 — disconnect (not logoff)
5. LocalSessionManager Event 25 — reconnect to existing session

Windows Event Log Correlation — Key Pairs & Sequences

Scenario	Event Sequence	What It Proves
Brute force → success	4625 × N → 4624 same account/source	Attacker guessed password after multiple failures
Pass-the-Hash	4624 Type 3 + Logon Process = NtLmSsp + No MFA event	NTLM hash used directly, no password; lateral movement
Credential theft	4688 (procdump/taskmgr) + Sysmon 10 (lsass access) + 4656 (handle to lsass)	Attacker dumped LSASS memory for credentials
Lateral movement via PsExec	4648 (explicit creds) → 4624 Type 3 on target → 7045 (PSEXESVC service) on target	PsExec execution path; target system shows new service
Scheduled task persistence	4698 (task created) → 4702 (task updated) → 4688 matching task binary at scheduled time	Persistence via scheduled task; execution confirmed by process event
Log clearing	1102 (Security log cleared) + 104 (System log cleared)	Attacker covering tracks; check for adjacent artifacts in other logs
Account creation for persistence	4720 (account created) → 4728/4732 (added to group) → 4624 (new account logon)	Attacker created backdoor account; group addition reveals privilege level

Web Server & Linux Log Forensics

Web server logs record every HTTP request — revealing exploit attempts, web shell usage, and data exfiltration. Linux logs provide authentication, process, and system activity evidence when Windows artifacts are absent.

    Key web forensics pattern: A POST request to an unusual path (e.g., an image directory, an upload folder) returning HTTP 200 is the primary indicator of web shell upload. Follow-up requests with short URLs to that same path with unusual query strings (cmd, exec, whoami) confirm execution.
  

IIS W3C Log Format — Field Reference

date / time

UTC timestamp of the request — always normalize timezone before timeline correlation

c-ip

Client IP address — attacker's IP or proxy/TOR exit node

cs-method

HTTP method: GET (read), POST (write/submit), PUT, DELETE. POST to upload paths = web shell risk

cs-uri-stem

Requested path (e.g., /images/shell.aspx). Unusual extensions (.aspx/.php in static dirs) or hidden paths are IOCs

cs-uri-query

Query string parameters. Shell commands often appear here: ?cmd=whoami, ?exec=net+user

sc-status

HTTP response code. 200=success, 404=not found, 500=server error. POST+200 to odd path = web shell upload success

sc-bytes

Bytes sent from server to client. Large sc-bytes on unusual paths = possible data exfiltration

cs-bytes

Bytes received from client. Large cs-bytes on POST = large upload (tool staging, data exfil payload)

time-taken

Response time in milliseconds. Very long responses may indicate heavy processing (credential cracking, large file operations)

cs(User-Agent)

Browser/tool string. Curl, Python requests, sqlmap, Metasploit — tools leave distinctive user-agent strings

Web Attack Signatures in Logs

Attack Type	Log Signature	Key Indicators
Web Shell Upload	POST /uploads/shell.aspx HTTP/1.1 200	POST + 200 to unusual path; subsequent GET with cmd parameter
Web Shell Execution	GET /images/a.php?cmd=whoami 200	GET to uploaded file + cmd/exec/pass in query string; small sc-bytes (cmd output)
SQL Injection	GET /search?id=1'+OR+'1'='1 500	SQL keywords in uri-query; mix of 200/500 responses (probing); sqlmap user-agent
Directory Traversal	GET /../../../etc/passwd 200 or 404	../ sequences in uri-stem; URL-encoded variations (%2e%2e%2f)
Brute Force / Scanning	High rate of 404/401 from single IP	Burst of requests to same path; sequential paths (/admin, /login, /wp-admin); uniform User-Agent
Data Exfiltration	Large sc-bytes on unusual path GET requests	High sc-bytes to attacker IP; repeated requests to same resource; off-hours activity

Linux Log Forensics

/var/log/auth.log
(Debian/Ubuntu)
/var/log/secure
(RHEL/CentOS)

grep "Failed password\|Accepted password\|sudo" /var/log/auth.log

Primary Linux authentication log. Records: SSH logon success/failure (with source IP), sudo commands (who ran what as root), su switches, PAM authentication events. Most important Linux log for intrusion investigation.

/var/log/wtmp

last -f /var/log/wtmp | head -50

Binary file recording all user logins, logouts, and system reboots. Parsed with the last command. Shows username, terminal, source IP (for SSH), login and logout times, and duration. Survives log rotation.

/var/log/btmp

lastb -f /var/log/btmp | head -50

Binary file recording FAILED login attempts. Parsed with lastb. A burst of entries from one IP = brute force. Missing or empty btmp may indicate log clearing. Complement to wtmp for full authentication picture.

/var/log/lastlog

lastlog | grep -v "Never logged"

Sparse binary file recording the most recent login per user account. Parsed with lastlog. Useful for identifying dormant accounts that suddenly logged in — backdoor accounts or compromised service accounts.

~/.bash_history

Command history file — records commands typed in bash. May be truncated, cleared (HISTSIZE=0), or redirected to /dev/null by attackers. Check /proc/<PID>/fd/ for in-memory history on live systems. Root history at /root/.bash_history.

/var/log/audit/audit.log

ausearch -m execve -ts today | aureport --execute

auditd audit log — the most detailed Linux activity log if configured. Records: system calls (execve, open, connect), file access by UID/PID, network connections, privilege escalation. Must be configured explicitly — not enabled by default on most distributions.

/var/log/cron
/var/spool/cron/

crontab -l -u root; cat /etc/cron.d/*

Cron job execution logs and crontab files. Attackers add cron persistence entries for scheduled callbacks. Check /var/spool/cron/crontabs/ for per-user crontabs and /etc/cron.d/, /etc/cron.daily/, etc. for system-wide jobs.

/proc/ filesystem

ls -la /proc/$(pgrep suspicious)/fd/; cat /proc/$(pgrep suspicious)/cmdline

Live system pseudo-filesystem. /proc/<PID>/cmdline: full command line of running process. /proc/<PID>/exe: symlink to executable (may show "deleted" for fileless malware). /proc/<PID>/net/tcp: process network connections. Only available on live systems.

Linux Persistence Mechanisms to Check in Logs

Persistence Method	Location / Log Evidence	Detection
Cron job	/var/spool/cron/, /etc/cron.*, /etc/crontab	Check for unusual commands, URLs (wget/curl), base64-encoded payloads
SSH authorized_keys	~/.ssh/authorized_keys	Attacker adds their public key for passwordless SSH; check modification timestamp vs account creation
Systemd service	/etc/systemd/system/*.service; journalctl -u servicename	New .service file with ExecStart pointing to malicious binary
LD_PRELOAD hijack	/etc/ld.so.preload; LD_PRELOAD env var	Malicious shared library loaded before all others — can hide processes, files, network connections
SUID binary	find / -perm -u=s -type f	New SUID binaries or modified existing ones grant root shell without sudo
~/.bashrc / ~/.profile	User shell initialization files	Persistent commands executed on every login; reverse shell payloads, alias hiding commands

Practice Quiz

Ten GCFA-style questions on timeline analysis and log forensics. Select your answers and submit to see your score.

Question 1 of 10

Which tool creates a super timeline by parsing multiple artifact types from a disk image into a single Plaso storage file?

Timeline Explorer

MFTECmd

log2timeline.py (Plaso)

psort.py

log2timeline.py is the Plaso command-line tool that ingests a disk image (or directory) and parses hundreds of artifact types to produce a .plaso storage file. psort.py then filters and formats that storage file. Timeline Explorer provides the GUI for analysis. MFTECmd specifically parses $MFT and $USNJrnl, not a general super timeline creator.

Question 2 of 10

Sysmon Event ID 2 is forensically significant because it directly indicates:

A new process was created with full command line arguments recorded

A network connection was established from a process to a remote host

A file's creation time was changed — a direct indicator of timestomping

A DLL was loaded into a process's address space

Sysmon Event ID 2 (FileCreateTimeChanged) records when a process modifies a file's timestamp using the SetFileTime() API — the exact mechanism used for timestomping. It records the original timestamp, the new (falsified) timestamp, the process that made the change, and the target file path. This makes Sysmon Event 2 the most direct anti-forensics detection event in the log.

Question 3 of 10

Which Sysmon Event ID most directly indicates a potential credential theft attempt targeting lsass.exe?

Event 1 (Process Create)

Event 3 (Network Connection)

Event 8 (CreateRemoteThread)

Event 10 (ProcessAccess)

Sysmon Event 10 (ProcessAccess) fires when one process opens a handle to another. When lsass.exe is the target process, this is the primary indicator of credential theft — Mimikatz, ProcDump, and Task Manager all generate this event when reading lsass memory. The event records the source process, target process, and access mask requested. Event 8 (CreateRemoteThread) is for injection detection, not credential theft.

Question 4 of 10

In IIS W3C log format, which combination most strongly suggests a successful web shell upload followed by execution?

GET /admin/login.aspx — sc-status 200

POST /images/upload — sc-status 404

POST /uploads/shell.aspx — sc-status 200, then GET /uploads/shell.aspx?cmd=whoami — sc-status 200

GET /index.html — sc-status 302

The web shell upload/execution pattern has two stages: (1) POST to an unusual path (like /uploads/ or /images/) returning 200 OK — the upload succeeded. (2) Subsequent GET to that same path with a command parameter (cmd=whoami, exec=dir) returning 200 — the shell executed the command. The 404 in option B means the upload failed. GET requests don't upload files. The 302 redirect in D is a normal navigation response.

Question 5 of 10

In NTFS timeline analysis, what does it mean when a file's $STANDARD_INFORMATION Created timestamp is earlier than its $FILE_NAME Created timestamp?

The file was compressed after creation, updating only the FN timestamp

The file was accessed from a network share which updated only SI timestamps

Timestomping — the SI timestamps were backdated using SetFileTime(); FN timestamps reflect the true creation time

Normal behavior — SI timestamps are always set before FN timestamps during file creation

When $STANDARD_INFORMATION (SI) timestamps are earlier than $FILE_NAME (FN) timestamps, it indicates timestomping. Attackers use SetFileTime() to backdate SI timestamps (which tools like Explorer display) to make files appear older. FN timestamps are set by the kernel and are much harder to modify — they reflect the true creation time. Legitimate files always have SI timestamps ≥ FN timestamps because FN is set first during file creation.

Question 6 of 10

Which Linux log file records successful and failed SSH authentication events and sudo command usage, making it the primary source for Linux authentication forensics?

/var/log/wtmp

/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS)

/var/log/syslog

/var/log/lastlog

auth.log (Debian/Ubuntu) and secure (RHEL/CentOS) are the primary Linux authentication logs — they record SSH logon success and failures (with source IP), sudo commands (who ran what as which user), su switches, and PAM authentication events. wtmp records login sessions (binary, read with 'last') but not sudo. syslog is a general system log. lastlog shows only the most recent login per user, not full history.

Question 7 of 10

The psort.py tool in the Plaso framework is used to:

Create a memory image from a live Windows system

Parse the $MFT and output MACE timestamps to a CSV

Filter, sort, and format the output from a Plaso storage file into a readable timeline

Correlate Windows Event Log IDs across multiple machines in a SIEM

psort.py reads a .plaso storage file (created by log2timeline.py), applies date range and keyword filters, and outputs the results in formats like l2tcsv, JSON, or xlsx. This is the filtering and formatting step in the Plaso workflow. MFTECmd handles $MFT parsing specifically. log2timeline creates the .plaso storage file. psort never touches memory images or Windows Event Logs directly.

Question 8 of 10

Windows Event ID 1149 in the TerminalServices-RemoteConnectionManager log is notable because:

It records every failed RDP authentication attempt with source IP

It only appears when an RDP session disconnects abnormally

It records user authentication success and source IP even before full logon — visible even when Network Level Authentication is not used

It is only generated on Windows Server systems, not workstations

Event 1149 records that a user's RDP authentication succeeded at the network level, including the username and source IP — importantly, it is logged even without full session creation. This means an attacker probing RDP (even if they disconnect before completing logon) still leaves a 1149 record. It appears earlier in the logon sequence than Security Event 4624, making it useful for capturing connections that might not complete full authentication.

Question 9 of 10

An analyst finds in the $USNJrnl a CLOSE record for a file at 14:35 UTC, but the file's $STANDARD_INFORMATION Created timestamp shows January 2019. The most likely explanation is:

The file was genuinely created in January 2019 and recently accessed

The $USNJrnl record indicates disk corruption affecting the data

Timestomping — the file was created at 14:35 UTC today, but the SI Created timestamp was backdated to 2019

The file was restored from a 2019 backup into the current volume

The $USNJrnl CLOSE record at 14:35 UTC proves the file was active at that time — it was written and closed. A $SI Created timestamp of 2019 when the USN journal proves activity in the present is the classic timestomping signature. The $USNJrnl begins when the volume was created or the journal was cleared, so the presence of a recent USN record for a "2019" file is a direct contradiction that reveals the manipulation.

Question 10 of 10

Which Sysmon Event ID records the creation of a remote thread in another process — the Windows API step at the core of DLL injection and thread hijacking?

Event 1 (Process Create)

Event 7 (Image Loaded)

Event 8 (CreateRemoteThread)

Event 10 (ProcessAccess)

Sysmon Event 8 (CreateRemoteThread) fires when a process calls CreateRemoteThread() or NtCreateThreadEx() to spawn a thread in another process — the core API for classic DLL injection, thread hijacking, and shellcode injection. It records the source process, target process, and the thread's start address. Event 10 (ProcessAccess) is for handle opening (credential theft); Event 7 is for DLL loading (not the injection API itself).

out of 10 correct

Review the explanations above for any questions you missed.

Memory Hooks

Mnemonics and high-yield patterns for GCFA timeline and log forensics questions.

⏱️

Plaso Workflow

log2timeline → .plaso → psort → CSV → Timeline Explorer. log2timeline creates, psort filters, Timeline Explorer visualizes. Run psort multiple times with different filters — you don't need to re-parse the image each time. The .plaso file is your master database.

"log2timeline builds the haystack; psort finds your needle"

🕵️

Sysmon 5 Must-Knows

1=Process create (hash+cmdline), 2=File time changed (timestomping!), 3=Network connect, 8=CreateRemoteThread (injection), 10=ProcessAccess (lsass theft), 22=DNS query. These six cover 90% of GCFA Sysmon questions.

"1-create, 2-stomp, 3-net, 8-inject, 10-steal, 22-DNS"

🖥️

RDP Log Sources

Four RDP log sources: Security (4624 Type 10), LocalSessionManager (Events 21/23/24/25 = logon/logoff/disconnect/reconnect), RemoteConnectionManager (Event 1149 = pre-auth, includes source IP), RDPClient (Event 1024 = outbound connections from this machine).

"1149 = attacker's footprint without a full logon"

🔀

SI < FN = Stomped

Normal file: $SI Created ≥ $FN Created (FN is set first at kernel level; SI is derived from it). Timestomped file: $SI Created < $FN Created (attacker backdated SI using SetFileTime, but couldn't change FN). The $USNJrnl provides a third timestamp source confirming the actual creation time.

"If SI is Smaller than FN — Someone Stomped it"

📋

IIS Web Shell Pattern

Stage 1 = Upload: POST + unusual path + 200 OK (shell uploaded successfully). Stage 2 = Execute: GET + same path + cmd= in query + 200 OK (shell running commands). Short sc-bytes on GET = command output returned. Large cs-bytes on POST = file upload.

"POST+200 plants it; GET+cmd= runs it"

🐧

Linux Auth Log Trio

auth.log / secure = SSH success/fail + sudo (text, most detail). wtmp = login sessions binary log (read with last). btmp = failed logins binary log (read with lastb). btmp empty or missing = attacker may have cleared it. lastlog = most recent login per user.

"auth.log tells WHY, wtmp tells WHEN, btmp tells WHO failed"

High-Yield Facts for GCFA — Timeline & Log Forensics

Concept	Key Fact	Exam Tip
log2timeline	Creates .plaso file from disk image or directory; parses 100s of artifact types in one pass	psort filters it; Timeline Explorer analyzes it
Sysmon Event 2	File creation time changed — only Sysmon event that directly catches timestomping	Records original + new timestamp + responsible process
Sysmon Event 10	ProcessAccess to lsass.exe = credential theft indicator	Mimikatz, ProcDump, Task Manager all generate this
Sysmon Event 8	CreateRemoteThread = injection indicator	DLL injection, thread hijacking core API step
RDP Event 1149	Pre-auth RDP connection record; logged even without full logon; has source IP	In RemoteConnectionManager log, not Security
RDP Event 21/24/25	LocalSessionManager: 21=logon, 24=disconnect, 25=reconnect	Distinguish disconnect (24) from logoff (23)
IIS POST+200	POST to unusual path + 200 = web shell upload success	Follow with GET + cmd= query for execution confirmation
SI < FN timestamp	$SI Created earlier than $FN Created = timestomping	$USNJrnl first entry corroborates true creation time
auth.log vs wtmp	auth.log = text, SSH+sudo details; wtmp = binary login sessions (last command)	btmp = failed logins (lastb command)
Plaso anchor event	Find one confirmed malicious event → expand outward chronologically	Filter by directory, username, or process to reduce noise

Ready for More Practice?

Test yourself with full-length GCFA practice exams on FlashGenius.

Unlock Full Practice Tests on FlashGenius →

Flashcards

Click any card to flip it and reveal the answer.

Plaso Workflow

What are the three main tools in the Plaso timeline workflow and what does each do?

Click to flip

Answer

log2timeline.py: parses disk image / directory → creates .plaso storage file (run once). psort.py: reads .plaso file, applies date/keyword filters, outputs l2tcsv / JSON (run many times). Timeline Explorer (Eric Zimmermann): GUI tool to load CSV for interactive search, filtering, and bookmarking of the final timeline.

Sysmon Key Events

What do Sysmon Events 1, 2, 8, 10, and 22 each record?

Click to flip

Answer

Event 1: Process created — full command line, parent, hashes (MD5/SHA256/IMPHASH). Event 2: File creation time changed — timestomping detection. Event 8: CreateRemoteThread — process injection indicator. Event 10: ProcessAccess — handle to another process; lsass as target = credential theft. Event 22: DNS query — process + queried hostname.

RDP Log Sources

Name the four RDP log sources and the key Event IDs in each.

Click to flip

Answer

Security.evtx: 4624 Type 10 (RDP logon), 4634 (logoff). LocalSessionManager: 21 (logon), 23 (logoff), 24 (disconnect), 25 (reconnect). RemoteConnectionManager: 1149 (pre-auth, source IP, even without full logon). RDPClient/Operational: 1024 (outbound RDP connection from THIS machine to another server).

Timestomping Detection

How do you detect timestomping in a timeline, and what three sources confirm the true creation time?

Click to flip

Answer

Detection rule: $SI Created < $FN Created → timestomping (attacker backdated SI via SetFileTime; FN is kernel-set and harder to change). Three sources for true creation time: (1) $FN timestamp, (2) $USNJrnl — first entry for the file (CREATE record), (3) Sysmon Event 2 — logs original timestamp before the change was made.

IIS Log Web Shell

What IIS W3C log pattern indicates a web shell upload followed by execution?

Click to flip

Answer

Upload: cs-method=POST, cs-uri-stem=/unusual/path/shell.aspx, sc-status=200. Execution: cs-method=GET, same uri-stem, cs-uri-query=cmd=whoami (or similar), sc-status=200. Key fields: c-ip (attacker), cs(User-Agent) (tool fingerprint), sc-bytes (small for command output), cs-bytes (large for upload). Also check for non-standard user-agent strings (curl, python-requests).

Linux Auth Logs

What are the differences between auth.log, wtmp, btmp, and lastlog?

Click to flip

Answer

auth.log (/var/log/secure on RHEL): text log of SSH success/fail + sudo commands — most detail. wtmp: binary login session record — read with 'last'; records logon/logoff/reboot. btmp: binary failed login record — read with 'lastb'; brute force detection. lastlog: most recent login only per user — read with 'lastlog'; useful for spotting dormant accounts that suddenly logged in.

Attack Phase Artifacts

For lateral movement via PsExec, what event sequence appears across source and target systems?

Click to flip

Answer

Source system: Event 4648 (logon with explicit credentials — the stolen account used). Network: SMB connection on port 445. Target system: Event 4624 Type 3 (network logon from source IP), Event 7045 (new service installed: PSEXESVC), Event 4688 (cmd.exe / payload launched under PSEXESVC parent). Also: PsExec Prefetch on source, PSEXESVC Prefetch on target.

Timeline Methodology

What are the 7 steps of the timeline analysis methodology?

Click to flip

Answer

1) Define incident timeframe (approximate window). 2) Acquire all artifacts (disk, memory, logs). 3) Create super timeline with log2timeline. 4) Filter to incident window with psort. 5) Identify anchor events (confirmed malicious activity). 6) Expand and correlate around anchors. 7) Reconstruct and document — every claim must have a timestamped artifact source. Corroborate across two or more independent artifact types.

Study Advisor

Choose a category for targeted guidance.

📌 Exam Strategy

⚠️ Common Mistakes

⚡ Quick Review

🔬 Deep Dive

🎯 Practice Tips

Exam Strategy — Timeline & Log Forensics

Sysmon Event 2 is unique: No other standard Windows log records timestomping. If a GCFA question asks how to detect file time manipulation in logs, the answer is Sysmon Event 2 (FileCreateTimeChanged).
RDP Evidence 1149 is pre-auth: Unlike 4624, Event 1149 appears in the RemoteConnectionManager log and is generated even before full authentication completes. Questions about early-stage RDP evidence or RDP from an IP with no corresponding Security log entry often hinge on this event.
Know your Plaso tool roles: log2timeline creates, psort filters, Timeline Explorer analyzes. Questions may describe a step and ask which tool. The .plaso file is the bridge between creation and filtering.
IIS log field abbreviations: cs- = client-to-server (what the client sent), sc- = server-to-client (what the server returned), c- = client attribute, s- = server attribute. Knowing this decodes any W3C field name instantly.
Timestomping SI vs FN: The rule is always the same — SI earlier than FN is suspicious; $USNJrnl and Sysmon 2 provide the true creation time. This appears in multiple GCFA question formats.

Common Mistakes — Timeline & Log Forensics

Confusing psort and log2timeline roles: log2timeline creates the .plaso file (parsing); psort only reads and filters it (output). You cannot use psort against a raw disk image. Run log2timeline first.
Missing RDP Event 1149 location: Event 1149 is in the TerminalServices-RemoteConnectionManager log, NOT Security.evtx. Many analysts only check Security and miss pre-auth connection evidence.
Confusing RDP disconnect (24) and logoff (23): Event 24 = session disconnected (session preserved, user can reconnect with Event 25). Event 23 = session fully terminated. Attackers often disconnect without logging off to preserve their session.
Assuming SI > FN is always legitimate: While SI < FN is definitely suspicious, SI = FN is normal. The key test is SI EARLIER than FN, which is physically impossible in a clean system (FN is set first during file creation).
Ignoring cs-uri-query in IIS logs: Web shell execution evidence is in cs-uri-query, not just cs-uri-stem. A GET to shell.aspx without a query string is just a request. GET to shell.aspx?cmd=whoami is execution evidence. Always parse both fields.
Treating bash_history as reliable: Attackers commonly clear bash history (HISTSIZE=0, unset HISTFILE, rm .bash_history). The absence of history should be noted as suspicious itself. Check /proc/PID/fd for in-memory history on live systems.

Quick Review — Timeline & Log Forensics

log2timeline.py: Create .plaso storage file from disk image
psort.py: Filter .plaso by date/keyword → CSV/JSON
Timeline Explorer: GUI analysis of psort CSV output
Sysmon 1: Process create + hash + cmdline + parent
Sysmon 2: File time changed = timestomping detection
Sysmon 8: CreateRemoteThread = injection indicator
Sysmon 10: ProcessAccess to lsass = credential theft
Sysmon 22: DNS query with process attribution
RDP 1149: Pre-auth connection record with source IP (RemoteConnectionManager)
RDP 21/24/25: Logon / disconnect / reconnect (LocalSessionManager)
IIS POST+200: Web shell upload success
IIS GET+cmd+200: Web shell execution confirmation
SI < FN: Timestomping; USNJrnl + Sysmon 2 = true creation time
auth.log: SSH + sudo text log (primary Linux auth source)
wtmp / btmp: Binary login / failed login (last / lastb commands)

Deep Dive — Advanced Timeline Concepts

IMPHASH in Sysmon Event 1: Import Hash — computed from the DLL import table of a PE file. Unlike file hash, IMPHASH is similar across malware families that use the same framework (e.g., all Metasploit payloads have related IMPHASHes). Useful for clustering related malware samples even when the file content differs.
Plaso bodyfile format and mactime: An alternative to l2tcsv; Plaso can output MACB bodyfile format readable by mactime (from The Sleuth Kit). This enables timeline generation at the command line without Timeline Explorer. Format: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime.
$USNJrnl reason codes in timeline: Each USN record has a Reason field: FILE_CREATE, DATA_EXTEND, DATA_TRUNCATION, FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, SECURITY_CHANGE, CLOSE. Combining reason codes reveals full file lifecycle — create → write → close → delete — even after the file is gone.
Sysmon Event 25 (Process Tampering): Added in Sysmon v13, Event 25 fires when a process image changes at runtime — this is specifically designed to detect process hollowing and doppelgänging, which were difficult to catch with earlier Sysmon versions. It records the process, image path, and type of tampering detected.
Named pipe forensics (Sysmon 17/18): Cobalt Strike's default communication uses named pipes (\\.\pipe\MSSE-[hex]-server). Sysmon 17/18 records pipe creation and connection with the process name. Matching known C2 framework pipe name patterns is a high-fidelity detection method that appears in advanced GCFA scenarios.
Log correlation across systems: For lateral movement detection, timestamps on the source and target systems must be correlated. Time skew between systems (even seconds) can cause apparent timeline inconsistencies. Always normalize to UTC and check NTP sync status (System event 37 = time sync, 36 = error) before drawing conclusions from cross-system event ordering.

Practice Tips — Timeline & Log Forensics

Build Plaso from scratch: Install Plaso in a VM, grab a sample forensic image (from DFIR.training or CFReDS), and run the full workflow: log2timeline → psort → Timeline Explorer. Seeing real output internalizes the tool roles far better than reading.
Sysmon event ID drill: Write Event ID numbers on one side of cards; event name and forensic significance on the other. Drill until you can go from number → meaning and meaning → number for the top 12 events. This is tested directly.
RDP log sequence practice: Draw the timeline of a complete RDP session (1149 → 4624 → 21 → 24 → 25 → 23 → 4634) and know which log each event appears in. GCFA scenarios often present partial sequences and ask you to identify the gap.
IIS log analysis with grep/Python: Practice parsing IIS logs with simple grep or Python pandas to find POST+200 patterns, identify unique client IPs, and extract all requests to specific paths. Speed matters under exam conditions.
DFIR.training CTF challenges: Several free CTF challenges at DFIR.training are timeline-focused and use real Plaso/log2timeline output. Completing these builds the pattern recognition needed for GCFA scenario questions.
Linux log practice on a VM: Set up a Linux VM with auditd and Syslog, then run an SSH brute force against it from another VM. Analyze auth.log, wtmp, and btmp to see exactly what each records. Understanding the difference from actual log output is more durable than memorizing from text.