GCFA, Super Timeline

ldavisdts Member Posts: 12

Where can I find learning material to better understand the super timeline? I need to understand what I'm looking at.


  • quogue66 Member Posts: 193
    Google and the FOR508 course are both great places to start
  • LonerVamp Member Posts: 518
    If you're taking FOR508 or sitting for the GCFA, what you're asking for is one of those areas that isn't necessarily taught in those materials. Knowing the answers on what to look for comes from a combination of knowledge and experience in dealing with systems troubleshooting, attacking systems, and incident response. You're looking for things that aren't normal. Things that show you when an attacker first contacted a system. When malware first dropped a file or executed something on that system. You're typically also looking not just for execution, but also for evidence of persistence (which means you know many of the places to look where malware can persist and re-execute, right?).

    For the most part, you're often looking for just one bit of information, like where did an infection begin? What was the initial vector? At what time did the attack begin? From there, you can look for either specific IP addresses, specific files, files types, or hunting around a particular date/time to see what else may have happened near that event you've found. And each new thing you find gives you more things to search for, new times to look around, and maybe even new systems involved where you get to start this whole process over again...only with more times, dates, file names, and clues to seed your searching!

    Honestly, much of the above comes from experience and a broad knowledge base.

    Hopefully that was the nature of your question. :) If not, the super timeline is just a bigger timeline that takes lots of various logs and pieces of data and normalizes them into a single table ordered by a timestamp. That way instead of looking at 20 different logs of different formats, you can have a big one to perform queries against.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
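To make the two points in the reply above concrete (normalizing unrelated log formats into one timestamp-ordered table, then pivoting on a first sighting and looking at everything near it), here is a small added example. It is not code from the thread, from FOR508 or from log2timeline/plaso; the syslog lines, Windows event CSV rows, body-file entries, host names, account names and the 203.0.113.45 address are all constructed for the demo, the syslog year is assumed to be 2021 because classic syslog omits it, and every source is assumed to already be in UTC.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample evidence for the demo; none of this is from a real case.
SYSLOG = """\
Mar  3 14:02:11 web01 sshd[2210]: Accepted password for svc_backup from 203.0.113.45 port 51022 ssh2
Mar  3 14:05:40 web01 sudo: svc_backup : TTY=pts/0 ; PWD=/tmp ; COMMAND=/bin/bash /tmp/.x/run.sh
"""

WINEVT_CSV = """\
TimeCreated,EventID,Computer,Message
2021-03-03T14:03:55Z,4624,WS-FIN-07,Logon succeeded. Account Name: jdoe. Source Network Address: 203.0.113.45
2021-03-03T14:04:30Z,4688,WS-FIN-07,New process: C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.xlsm
"""

# mactime body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epochs constructed)
BODYFILE = """\
0|C:/Users/jdoe/Documents/Q1_forecast.xlsx|0|0|0|0|0|1614780150|1614780150|1614780150|1614780150
0|C:/Users/jdoe/AppData/Local/Temp/inv.xlsm|0|0|0|0|0|1614780270|1614780270|1614780270|1614780270
"""

SYSLOG_YEAR = 2021  # assumption: classic syslog carries no year, so take it from case context
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_syslog(text):
    """Normalize syslog lines; host clock assumed to be UTC."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, msg = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts.replace(tzinfo=timezone.utc), "source": "syslog", "host": host, "msg": msg}


def parse_winevt(text):
    """Normalize a CSV export of Windows event log records (ISO-8601 UTC timestamps)."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "source": "winevt", "host": row["Computer"],
               "msg": f"EID {row['EventID']}: {row['Message']}"}


def parse_bodyfile(text, host):
    """Normalize body-file rows; identical MACB times collapse into one row, as mactime does."""
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue
        name = f[1]
        by_time = {}
        # m = mtime (f[8]), a = atime (f[7]), c = ctime (f[9]), b = crtime/birth (f[10])
        for flag, epoch in zip("macb", (f[8], f[7], f[9], f[10])):
            by_time.setdefault(int(epoch), []).append(flag)
        for epoch, flags in by_time.items():
            macb = "".join(c if c in flags else "." for c in "macb")
            yield {"ts": datetime.fromtimestamp(epoch, tz=timezone.utc), "source": "bodyfile",
                   "host": host, "msg": f"{macb} {name}"}


def build_timeline():
    """One table, every source, ordered by timestamp: that is the whole idea of a super timeline."""
    events = list(parse_syslog(SYSLOG))
    events.extend(parse_winevt(WINEVT_CSV))
    events.extend(parse_bodyfile(BODYFILE, host="WS-FIN-07"))
    events.sort(key=lambda e: e["ts"])  # stable sort keeps source order for equal timestamps
    return events


def first_seen(timeline, needle):
    """Earliest event whose message mentions needle (an IP, file name, user...), or None."""
    for e in timeline:
        if needle in e["msg"]:
            return e
    return None


def around(timeline, pivot, minutes=2):
    """Every event from every source within +/- minutes of the pivot timestamp."""
    window = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e["ts"] - pivot) <= window]


def fmt(e):
    return f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['source']:<8} {e['host']:<9} {e['msg']}"


if __name__ == "__main__":
    tl = build_timeline()
    contact = first_seen(tl, "203.0.113.45")          # when did this address first touch anything?
    print("first contact:", fmt(contact))
    pivot = first_seen(tl, "inv.xlsm")["ts"]          # then pivot on the suspicious file
    for e in around(tl, pivot):
        print(fmt(e))
```

Running it prints the SSH login as the first contact, then the five events within two minutes of the macro file appearing: the original spreadsheet's MACB row, the 4624 logon from the same address, the 4688 process creation, the macro file's own MACB row and the sudo call on the other host. Each of those is a new seed (a user name, a path, a second host) to search the same table for, which is the loop the reply describes.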
  • ldavisdts Member Posts: 12
    Thank you for your response! I guess I do not need to overthink what they are asking in the question around the super timeline. One of the questions asks what happened to an Excel file. It appeared to be deleted and recovered, but I'm not 100% sure of what I was actually looking at.