[HIB]Benefits of using multiple timestamps during timeline analysis in digital forensics



newsbot
19-08-2010, 01:50 PM
Timeline analysis is a highly valuable tool. However, like everything else in computer forensics, it requires a skilled investigator to examine all the data available in order to find the evidence and provide an accurate account of the events. When analyzing Windows systems, it is common to use key timestamps in forensics such as Creation Date, Last Modified Date, Last Accessed Date, and the Last Modified Date for the file’s Master File Table (MFT) entry. A key factor in using these timestamps is to not rely solely on a single timestamp, but use the combination of these timestamps in digital forensics. The combination of these timestamps can prove to be far more powerful and revealing than any single timestamp on its own.

I will use an example to illustrate. A forensic investigator was reviewing volatile evidence collected during an investigation into suspicious system activity. In reviewing active file handles, the investigator found winlogon.exe accessing files named sdra64.exe, local.ds, and user.ds. These are solid indicators of compromise for a Zeus infection. The investigator began file system analysis to determine when and how this Trojan had compromised the system. By looking at a registry startup modification timestamp for the sdra64.exe, the investigator had a solid starting timestamp for when Zeus initially ran and a full path to the binary.

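A worked example of the combined-timestamp approach the post describes, added here as example code (not the article's, the forum's or any tool's own code): it merges the four timestamps of each file into one timeline, cross-checks them against each other, and pulls out every event that falls near an anchor time such as the registry startup timestamp in the Zeus example. The file names, timestamps, the anchor and the one-minute window are constructed sample data, not values from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class FileTimes:
    path: str
    created: datetime       # file creation time
    modified: datetime      # last content modification
    accessed: datetime      # last access
    mft_modified: datetime  # last change to the file's MFT entry


SOURCES = ("created", "modified", "accessed", "mft_modified")


def build_timeline(entries):
    """Flatten all four timestamps of every file into one sorted event list."""
    events = [(getattr(e, src), e.path, src) for e in entries for src in SOURCES]
    return sorted(events)


def flag_anomalies(entry):
    """Cross-check one file's timestamps against each other; return observations."""
    notes = []
    if entry.modified < entry.created:
        notes.append("modified before created: copied onto this volume, or a timestamp was altered")
    if entry.mft_modified < entry.modified:
        notes.append("MFT entry changed before content: consistent with timestamp manipulation")
    return notes


def paths_near(entries, anchor, window):
    """Files with any timestamp within +/- window of the anchor, as a sorted list."""
    hits = {path for ts, path, _ in build_timeline(entries) if abs(ts - anchor) <= window}
    return sorted(hits)


def _t(hour, minute, second):
    # Constructed timestamps, all on one day in UTC.
    return datetime(2010, 8, 10, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample data modelled on the post's Zeus example (not from a real image).
SAMPLE = [
    FileTimes("sdra64.exe", _t(14, 2, 5), _t(14, 2, 5), _t(14, 2, 6), _t(14, 2, 5)),
    FileTimes("local.ds", _t(14, 2, 7), _t(14, 2, 7), _t(14, 2, 7), _t(14, 2, 7)),
    FileTimes("user.ds", _t(14, 2, 8), _t(14, 30, 0), _t(14, 30, 0), _t(14, 30, 0)),
    FileTimes("report.docx", _t(9, 15, 0), _t(9, 15, 0), _t(11, 0, 0), _t(9, 15, 0)),
    # Creation newer than last modification: typical of a file copied onto the volume.
    FileTimes("copied.dll", _t(14, 2, 0), _t(13, 50, 0), _t(14, 2, 0), _t(14, 2, 0)),
]
ANCHOR = _t(14, 2, 0)  # stand-in for the registry startup-entry timestamp (constructed)
```

Running `paths_near(SAMPLE, ANCHOR, timedelta(minutes=1))` narrows the five files to the four with activity around the anchor, and `flag_anomalies` separately marks `copied.dll` for a second look.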