Forensics Workshop: Quick, Easy, & Free Windows and Linux Timelines

[60 minutes] This workshop will be led by Dr. Phil Polstra, author of several definitive books on system forensics (Linux, Windows…)

An accurate system timeline is often part of a forensic investigation. Generating these timelines is often a painful and time-consuming process. It can take hours to build a timeline, even with expensive software costing tens of thousands of dollars. Once the timeline has finally been created, query and display options tend to be limited.

In this workshop you will learn how to make infinitely flexible timelines in mere minutes using 100% free and open source software. Python will be used to quickly collect file metadata, which is stored in a MySQL database. Some convenient scripts for generating various types of timelines from this data will be presented. Timestamp updating rules will be discussed.
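As an added illustration of the approach described above (not the workshop's own scripts), the following Python collects modified/accessed/changed timestamps for every file under a directory into a database table and then queries a time-ordered, optionally bounded timeline from it. It assumes SQLite as a stand-in for the MySQL database used in the workshop, so that it runs offline; the sample tree in `demo()` is constructed with known timestamps.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Each stat timestamp becomes one row: m = modified, a = accessed, c = inode changed.
TIMESTAMP_FIELDS = (("st_mtime", "m"), ("st_atime", "a"), ("st_ctime", "c"))


def collect_metadata(root, conn):
    """Walk `root` and insert one row per (path, timestamp kind); returns rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS files (path TEXT, kind TEXT, ts REAL, size INTEGER)")
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: record symlinks themselves, do not follow them
            except OSError:
                continue  # vanished or unreadable entry: skip it rather than abort the walk
            for attr, kind in TIMESTAMP_FIELDS:
                rows.append((path, kind, getattr(st, attr), st.st_size))
    conn.executemany("INSERT INTO files VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def timeline(conn, start=None, end=None):
    """Return (iso_utc, kinds, size, path) ordered by time, optionally bounded by epoch seconds.
    Events on the same path sharing a timestamp are merged into one row, e.g. kinds == 'am'."""
    bounds = [(">=", start), ("<=", end)]
    conds = ["ts %s ?" % op for op, b in bounds if b is not None]
    params = [b for _op, b in bounds if b is not None]
    sql = "SELECT ts, path, size, group_concat(kind, '') FROM files"
    if conds:
        sql += " WHERE " + " AND ".join(conds)
    sql += " GROUP BY ts, path, size ORDER BY ts, path"
    return [(datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), "".join(sorted(kinds)), size, path)
            for ts, path, size, kinds in conn.execute(sql, params)]

def demo():
    """Constructed sample tree with known mtime/atime values; returns (row count, timeline)."""
    root = tempfile.mkdtemp()
    for name, when in (("a.txt", 1_600_000_000), ("b.txt", 1_600_000_100)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample")
        os.utime(path, (when, when))  # sets atime and mtime; ctime still records "now"
    conn = sqlite3.connect(":memory:")  # assumption: SQLite in place of the workshop's MySQL
    return collect_metadata(root, conn), timeline(conn)
```

Pointing `collect_metadata` at a mounted evidence image and swapping the connection for a MySQL one gives the same table the timeline queries run against.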

Attendees should bring a laptop running a recent version of Linux with at least 20 GB of free disk space (a virtual machine is fine). This machine should have Python 2 and 3 and MySQL installed. For good performance, at least 8 GB of RAM (16 GB if running a virtual machine) is recommended.