
The Curious Case of Alice and Bob: Digital Investigation

DEFCON Conference · 1,289 views · 53:53 · over 1 year ago

This talk provides a high-level overview of the digital forensics investigative process, using a fictional homicide case to illustrate key steps like scoping, data gathering, analysis, and correlation. It emphasizes the importance of maintaining chain of custody, using write blockers, and handling evidence in a forensically sound manner. The presentation highlights common challenges in digital forensics, such as managing time zones, handling encrypted data, and avoiding tunnel vision during analysis. It also demonstrates the use of various forensic tools to extract and correlate evidence from mobile devices and computers.

Beyond the Surface: Why Your Forensic Timeline is Lying to You

TLDR: Digital forensics is rarely a linear path from evidence collection to a smoking gun. This talk deconstructs a homicide investigation to show how investigators must correlate disparate data sources like SMS logs, file system artifacts, and physical security footage to build a reliable narrative. Pentesters and researchers should take note: understanding how these timelines are constructed is the best way to learn how to effectively obfuscate your own tracks during an engagement.

Forensic investigations are often portrayed in media as rapid-fire sequences where a single piece of evidence, like a fingerprint or a DNA sample, cracks the case in thirty minutes. In reality, the process is a slow, methodical grind of data collection, normalization, and correlation. If you are a researcher or a pentester, you need to understand this process not just for defensive purposes, but to recognize the digital breadcrumbs you leave behind. When you move through a system, you are creating a timeline that a skilled investigator will eventually attempt to reconstruct.

The Mechanics of a Forensic Investigation

Every investigation begins with scoping. You cannot analyze everything, and attempting to do so is a recipe for failure. Scoping defines the boundaries of the investigation, identifying which devices, logs, and data sources are relevant to the incident. In the homicide case used in the talk, this means identifying the victim's devices, such as a laptop or a smartphone, and determining the timeframe of interest.

Once the scope is set, the next phase is data gathering. This is where the integrity of the evidence is paramount. Investigators use FTK Imager or similar tools to create forensic images of drives, ensuring that the original data remains untouched. The use of write blockers is non-negotiable here. If you are performing a live response or a post-mortem analysis, you must ensure that your tools do not modify the file system metadata, as this would invalidate the evidence in any legal or formal proceeding.

The Trap of Tunnel Vision

One of the most significant risks in any investigation is tunnel vision. It is easy to find a piece of evidence that supports your initial hypothesis and stop looking. For example, finding a suspect's fingerprint on a weapon might seem like the end of the story. However, a thorough investigation requires you to account for all evidence, including data that contradicts your theory.

In the case study presented, the initial assumption was that the primary suspect was the killer. However, the timeline analysis revealed a critical discrepancy: the suspect's digital activity occurred an hour after the estimated time of death. This is where UTC becomes your best friend. If you are working across different time zones, you must normalize all timestamps to a single reference point. Failing to do so will result in a fragmented, inaccurate timeline that makes it impossible to correlate events correctly.

Correlating Disparate Data Sources

Data correlation is the art of weaving together different threads of information to form a coherent narrative. You might have SMS logs from a phone, web history from a browser, and file system artifacts like Shellbags that track folder access. Each of these sources provides a different perspective on the user's activity.
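The timestamp normalization and cross-source correlation described in the last two sections, as an added example that is not part of the talk or the original post. The records, offsets, URLs, folder paths and the estimated time of death are all constructed, hypothetical values; the sources are modelled as an SMS export in device-local time, a browser history in Unix epoch seconds, and Shellbag entries already in UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (hypothetical values). Each source keeps time
# differently: the phone's SMS database stores local time plus the device's
# UTC offset, the browser history stores Unix epoch seconds, and the
# Windows Shellbag entries were already exported in UTC.
SMS_LOG = [  # (local time, UTC offset in hours, text)
    ("2023-03-10 22:40:00", -5, "sms to victim: 'almost there'"),
    ("2023-03-11 00:15:00", -5, "sms from suspect: 'home now'"),
]
WEB_HISTORY = [  # (epoch seconds, url)
    (1678507800, "https://maps.example/directions"),
]
SHELLBAGS = [  # (UTC time, folder opened)
    ("2023-03-11 05:20:00", "C:\\Users\\suspect\\Desktop\\photos"),
]

def to_utc(stamp: str, offset_hours: int = 0) -> datetime:
    """Attach the recording zone to a naive timestamp and convert it to UTC.
    With a real export that carries a zone name, use zoneinfo.ZoneInfo instead
    of a fixed offset so DST transitions are handled correctly."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)

def build_timeline() -> list:
    """Merge every source into one list of (utc_time, source, detail), sorted."""
    events = []
    for stamp, offset, text in SMS_LOG:
        events.append((to_utc(stamp, offset), "sms", text))
    for epoch, url in WEB_HISTORY:
        events.append((datetime.fromtimestamp(epoch, tz=timezone.utc), "web", url))
    for stamp, folder in SHELLBAGS:
        events.append((to_utc(stamp), "shellbag", folder))
    return sorted(events)

def first_activity_after(timeline: list, cutoff: datetime):
    """First event at or after a cutoff such as the estimated time of death."""
    later = [e for e in timeline if e[0] >= cutoff]
    return later[0] if later else None

# Estimated time of death from the (hypothetical) autopsy, given in local time
TIME_OF_DEATH = to_utc("2023-03-10 23:15:00", -5)

if __name__ == "__main__":
    timeline = build_timeline()
    for when, source, detail in timeline:
        print(when.isoformat(), source, detail)
    gap = first_activity_after(timeline, TIME_OF_DEATH)[0] - TIME_OF_DEATH
    print("first activity after time of death:", gap)
```

Once every source is in UTC the discrepancy the talk describes becomes visible as a plain subtraction: the suspect's first recorded activity sits one hour after the estimated time of death.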

When analyzing a system, look for indicators that point to specific user actions. For instance, if you find evidence of VeraCrypt being installed, you know that the user likely has encrypted volumes. You can then use tools like TC-Detective to confirm the presence of encrypted containers. If you find a file that appears to be a standard application but has a strange size or header, you are likely looking at an encrypted file or a hidden volume.
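The "strange size or header" check from the paragraph above, as an added example that is not code from the talk or from any container-detection tool such as TC-Detective (whose exact rules are not given on this page). The signature table, the 512-byte alignment rule, the minimum size and the entropy threshold are assumptions chosen for illustration, and both sample files are constructed in memory.

```python
import math
import random
from collections import Counter

# Known file signatures to compare against what a file presents itself as
# (assumption: a small illustrative table, not a full magic database).
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "windows executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and random data sit near 8.0."""
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def identify_header(data: bytes):
    """Return the matching signature name, or None if the header is unknown."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def assess(data: bytes, min_size: int = 19 * 1024, entropy_floor: float = 7.9) -> dict:
    """Heuristic: no recognisable header, a size that is a whole number of
    512-byte sectors, and near-random content together suggest an encrypted
    container rather than an ordinary document. Thresholds are assumptions."""
    header = identify_header(data)
    entropy = shannon_entropy(data) if data else 0.0
    size_aligned = len(data) >= min_size and len(data) % 512 == 0
    suspicious = header is None and size_aligned and entropy >= entropy_floor
    return {"header": header, "size": len(data), "size_aligned": size_aligned,
            "entropy": round(entropy, 3), "suspicious": suspicious}

# Constructed samples (no disk access): a seeded pseudo-random blob standing in
# for a container, and a PNG-shaped file that is mostly zero bytes.
_rng = random.Random(7)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(40 * 512))
PNG_LIKE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 4088

if __name__ == "__main__":
    for name, sample in (("blob.dat", RANDOM_BLOB), ("photo.png", PNG_LIKE)):
        print(name, assess(sample))
```

A hit from this heuristic is a lead, not a finding: compressed archives and media also score high on entropy, so the header and size checks are what separate them from a headerless container, and the result still has to be confirmed with the user's installed software and the tools named above.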

The Importance of Documentation

Documentation is the backbone of any forensic report. If you do not document your steps, you did not perform an investigation. This includes recording the tools used, the commands executed, and the rationale behind your findings. If you are using a tool like Autopsy, ensure that you are logging your analysis process.

For those of you performing penetration tests, consider how your actions appear in these logs. When you execute a command, you are leaving a trace in the system logs, the registry, or the file system. If you are not careful, you are providing the blue team with a perfect roadmap of your activities. The best way to improve your offensive tradecraft is to perform your own forensic analysis on the systems you have compromised.

What to Do Next

The next time you are on an engagement, take a step back and look at the system from the perspective of an investigator. What would you see if you were looking at the logs you just generated? Are you leaving unnecessary artifacts? Are your timestamps consistent? The ability to think like a forensic investigator is a force multiplier for any security professional.

If you want to dive deeper into the defensive side of these investigations, look into the OWASP Forensic Readiness documentation. It provides a solid framework for understanding how systems should be configured to support effective incident response. Remember that the goal is not just to find the vulnerability, but to understand the entire lifecycle of the attack. Keep testing, keep documenting, and keep refining your process.
