Timeline analysis

Timeline formats

• body file
• L2T CSV
• mactime
• TLN

Bibliography

Articles / Blogposts

• Targeted timelines - Part I, by Kristinn Guðjónsson, February 22, 2013
• Let's talk about time, by Alexander Jäger, June 04, 2021
• Pearls and pitfalls of timeline analysis, by Joachim Metz, October 20, 2021

Papers

• Generating computer forensic supertimelines under Linux - A comprehensive guide for Windows-based disk images, by R. Carbone, C. Bean, August 2012
• Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images, October 2011
• Computer forensic timeline visualization tool, by J. Olsson, M. Boldt, ScienceDirect Digital Investigation, Volume 6, September 2009
• Analysis of Time Information for Digital Investigation, by Jewan Bang, BY Yoo, JS Kim, SJ Lee, NCM 2009, 5th International Joint Conference on INC, IMS, IDC, August 2009
• A Model Based Approach to Timestamp Evidence Interpretation, by S. Willassen, International Journal of Digital Crime and Forensics, 1:2, 2009
• Digital Evidence with an Emphasis on Time, by Olsson, Jens Master's Thesis, Blekinge Institute of Technology, September 2008.
• The Use of File Timestamps in Digital Forensics, by R. Koen, M. Olivier, ISSA 2008, Johannesburg, South Africa, July 2008
• Methods for Enhancement of Timestamp Evidence in Digital Investigations, by S. Willassen, PhD Dissertation, Norwegian University of Science and Technology, 2008
• Finding Evidence of Antedating in Digital Investigations, by S. Willassen, ARES 2008, Barcelona, Spain, March 2008
• Hypothesis Based Investigation of Digital Timestamp, by S. Willassen, January 2008
• Timestamp Evidence Correlation by model based clock hypothesis testing, by S. Willassen, January 2008
• An Improved Clock Model for Translating Timestamps, by F. Buchholz
• A brief study of time, by F. Buchholz, B. Tjaden, Digital Investigation 2007:4S
• The Rules of Time on NTFS File System, by K. Chow, F. Law, M. Kwan, P. Lai, 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, April 2007
• A correlation method for establishing provenance of timestamps in digital evidence, by B. Schatz, G. Mohay, A. Clark, Digital Investigation 2006:3S
• Formalizing Event Time Bouding in Digital Investigation, by P. Gladyshev, A. Patel, International Journal of Digital Evidence, vol 4:2, 2005
• Time and Date issues in forensic computing - a case study, by C. Boyd, P. Forster, Digital Investigation 2004:1
• Unification of relative time frames for digital forensics, by M.W. Stevens, Digital Investigation 2004:1
• Dynamic Time & Date Stamp Analysis, M .C. Weil, International Journal of Digital Evidence, vol 1:2, 2002

Visualization

• ThemeRiver: In Search of Trends, Patterns, and Relationships, by Susan Havre, Beth Hetzler, and Lucy Nowell, Battelle Pacific Northwest Division, Richland, Washington, 1999
• Visualizing gaps in time-based lists, by Moritz Stefaner, November 6, 2000

Tools

• log2timeline - An artifact timeline creation and analysis framework. Log2timeline has been superseded by Plaso.
• Plaso - (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines.
• Simile Timeline and Timeplot sorter - The Sleuth Kit's mactime sorting program.
• TimeFlow - Visual timelines for investigation - source freely available
• Timesketch - tool for collaborative forensic timeline analysis
• Zeitline - Forensic timeline editor