Analysis: Situational Awareness + Timelines

I’ve talked and written about timelines as an analysis process for some time, in both this blog and in my books, because I’ve seen time and again over the years the incredible value in approaching an investigation by developing a timeline (including mini- and micro-timelines, and overlays), rather than leaving the timeline as something to be manually created in a spreadsheet after everything else is done.

Now, I know timelines can be “messy”, in part because there’s a LOT of activity that goes on on a system, even when it’s “idle”, such as Windows and application updates. This content can “muck up” a timeline and make it difficult to distill the malicious activity, particularly when discerning that malicious activity is predicated solely on the breadth of the analyst’s knowledge and experience. Going back to my early days of “doing” IR, I remember sitting at an XP machine, opening the Task Manager, and seeing that third copy of svchost.exe running. I’d immediately drill in on that item, and the IT admin would be asking me, “…what were you looking at??” The same is true when it comes to timelines…there are going to be things that will immediately jump out to one analyst, where another analyst may not have experienced the same thing, and not developed the knowledge that this particular event was “malicious”, or at least suspicious.

As such, one of the approaches I’ve used and advocated is to develop situational awareness via the use of mini- or micro-timelines, or overlays. A great example of this approach can be seen in the first Iron Man movie, when Tony’s stuck in the cave and in order to hide the fact that he’s building his first suit of armor

[…]

This article has been indexed from Windows Incident Response
