Timeline Analysis
Pivot Point
Context Clues
Single artifact
Temporal proximity
(before & after specific event)
Determination
Type of File
Activity
Name of File
Process Activity
Network Activity
Time of Incident
Filesystem
Timestamp
A - file last accessed
C - MFT record last modified
M - file last modified
B - file created
Triage
MFTECmd - MFT
fls - filename & metadata
mactime
Super Timelines
Plaso (backend)
Parser
Windows Parsers (win_gen, winxp, win7)
Registry (winreg)
Webhistory (webhist)
Linux/Android/Mac
Log2timeline
Triage Image
Raw Image
EWF Image
Physical Device (inc F-Response) - /dev/sdd
Volume via Sector offset
Triage Folder
Targeted
Parsers
Filter
pinfo.py
plaso.dump
psort.py
Triage
Process Analysis
Timeline Scope -> Narrow Pivot Point -> Best Process -> Filter -> Analyze