Forensics

Timeline Forensics on Windows: Plaso, Log2Timeline and KAPE in Practice

By Basilisk Team ·

Building super-timelines of a compromised Windows 11 test VM with KAPE for triage collection and Plaso parsing 200+ artifacts.

Three in the morning, an incident call, and all you have is a Windows 11 VDI with suspected payload execution at 22:47 the day before. No real EDR, no SIEM aggregating logs, just the live machine and forty minutes to deliver a hypothesis. That is the scenario where timeline forensics stops being an academic exercise and becomes the difference between saying 'the attacker used rundll32 loading a DLL from %AppData%\Roaming\winlog at 22:47:13' and shrugging. The lab I build in this post replicates that pressure on an isolated Windows 11 inside VMware Workstation, with a clean snapshot, a simulated post-infection snapshot, and a controlled detonator.

The stack I use is simple and repeatable: Eric Zimmerman's KAPE for triage collection (Targets like !SANS_Triage take under three minutes), Plaso 20240308 running inside an Ubuntu 24.04 container with 16 GB of dedicated RAM, plus Timeline Explorer and Timesketch for navigation. The default flow is snapshot, detonate sample (I use inert variants generated in the lab described at Malware Analysis in an Isolated Lab: Safe Setup with FlareVM and REMnux), collect with KAPE to a VHDX, mount read-only on the analysis host, and fire log2timeline.py against the mount point. On modest hardware, an 80 GB disk with 18 GB used produces a plaso storage of ~1.2 GB in around 22 minutes.

The gold is not in running the tool, it is in knowing how to filter. A raw Plaso super-timeline easily returns 8 million events when you enable parsers like winreg, prefetch, mft, usnjrnl, evtx, srum, amcache, shimcache and bam. I always start by slicing a ±30 minute window around the known indicator with psort.py -o l2tcsv --slice '2026-01-14T22:47:13' --slice_size 30. That cut reduces the set to about 14 thousand lines; I then filter by MFT, EVTX and Registry sources and load the result into Timeline Explorer with colorization by type. The hunting techniques I combine come straight from Hunting Living-off-the-Land Binaries on Windows with KQL and Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule.

A concrete example from the last lab: the detonator was an LNK pointing to powershell.exe -enc, a pattern similar to the one studied in Simulated Initial Access: Macros, LNK and ISO in an Isolated Windows 11 Lab. The first lead did not come from EVTX, it came from Prefetch (POWERSHELL.EXE-7644F8E2.pf created at 22:47:09, four seconds before the execution logged in Security 4688), and from Amcache.hve showing the SHA1 hash of the satellite DLL that came in via BITS. UsnJrnl confirmed file creation at C:\Users\elias\AppData\Roaming\winlog\runner.dll at 22:46:58, with MFT $SI timestamp matching $FN, meaning no timestomping in this case. That cross of three independent artifacts is what validates the hypothesis; a single one lies easily.
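The window slicing above and the three-artifact cross-check are easy to script once psort has written an l2tcsv export. The following is an added example, not code from the post or from Plaso: it reads constructed l2tcsv rows (psort's 17-column layout, all UTC, hostname VDI01 and file paths invented for illustration), keeps the ±30 minute window around the anchor, lists which parser formats corroborate the anchor, and flags files whose $MFT $STANDARD_INFORMATION creation time disagrees with $FILE_NAME. It assumes the attribute name sits in the short column, which is how the constructed rows are built, and it runs the timestomp check on the full set rather than the slice, since a backdated $SI timestamp is exactly the kind of event that falls outside the window.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows in psort's l2tcsv column order (UTC); not output from the post's lab.
L2TCSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/14/2026,22:46:58,UTC,...B,FILE,NTFS $MFT,Creation Time,-,VDI01,$STANDARD_INFORMATION,runner.dll,2,/Users/elias/AppData/Roaming/winlog/runner.dll,9001,-,mft,-
01/14/2026,22:46:58,UTC,...B,FILE,NTFS $MFT,Creation Time,-,VDI01,$FILE_NAME,runner.dll,2,/Users/elias/AppData/Roaming/winlog/runner.dll,9001,-,mft,-
01/14/2026,22:46:58,UTC,...B,FILE,NTFS USN change,Creation Time,-,VDI01,USN_REASON_FILE_CREATE,runner.dll,2,/Users/elias/AppData/Roaming/winlog/runner.dll,9001,-,usnjrnl,-
01/14/2026,22:47:09,UTC,...B,LOG,WinPrefetch,Creation Time,-,VDI01,Prefetch run,POWERSHELL.EXE,2,/Windows/Prefetch/POWERSHELL.EXE-7644F8E2.pf,77,-,prefetch,-
01/14/2026,22:47:13,UTC,M...,EVT,WinEVTX,Content Modification Time,-,VDI01,EventID 4688,powershell.exe -enc,2,/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-
01/13/2026,09:00:00,UTC,...B,FILE,NTFS $MFT,Creation Time,-,VDI01,$STANDARD_INFORMATION,dropper.exe,2,/Users/elias/Downloads/dropper.exe,9002,-,mft,-
01/14/2026,22:46:40,UTC,...B,FILE,NTFS $MFT,Creation Time,-,VDI01,$FILE_NAME,dropper.exe,2,/Users/elias/Downloads/dropper.exe,9002,-,mft,-
01/15/2026,03:00:00,UTC,M...,REG,Registry Key,Content Modification Time,-,VDI01,Run key,HKCU Run value,2,/Users/elias/NTUSER.DAT,-,-,winreg,-
"""
ANCHOR = datetime(2026, 1, 14, 22, 47, 13, tzinfo=timezone.utc)  # the temporal IOC (constructed)

def load_rows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # l2tcsv writes MM/DD/YYYY and HH:MM:SS in separate columns
        r["ts"] = datetime.strptime(r["date"] + " " + r["time"], "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return rows

def slice_window(rows, anchor, minutes=30):
    """Same cut as psort --slice/--slice_size: events within +-minutes of the anchor."""
    lo, hi = anchor - timedelta(minutes=minutes), anchor + timedelta(minutes=minutes)
    return [r for r in rows if lo <= r["ts"] <= hi]

def corroborating_formats(rows, anchor, tolerance_s=30):
    """Distinct parser formats placing an event within tolerance of the anchor."""
    return sorted({r["format"] for r in rows if abs((r["ts"] - anchor).total_seconds()) <= tolerance_s})

def timestomp_candidates(rows):
    """Files whose $MFT $STANDARD_INFORMATION creation time differs from $FILE_NAME's."""
    si, fn = {}, {}
    for r in rows:
        if r["format"] != "mft" or r["type"] != "Creation Time":
            continue
        (si if r["short"] == "$STANDARD_INFORMATION" else fn)[r["filename"]] = r["ts"]
    return sorted(f for f in si if f in fn and si[f] != fn[f])

if __name__ == "__main__":
    rows = load_rows(L2TCSV)
    window = slice_window(rows, ANCHOR)
    print(len(rows), "events ->", len(window), "in the +-30 min window")
    print("independent artifacts near anchor:", corroborating_formats(window, ANCHOR))
    print("possible timestomping:", timestomp_candidates(rows))
```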

People new to KAPE find the Targets and Modules model strange, but it is what makes collection defensible in a legal context. I keep a custom .tkape that adds PowerShell\Operational, WMI-Activity and TaskScheduler on top of the standard triage targets, plus a module that runs RECmd with Zimmerman's batch files to extract UserAssist, ShellBags, TypedPaths and the RunMRU set. That gives me a Triage\ directory ready for Plaso and a Modules\ directory with already-parsed CSVs. For an incident on an endpoint segmented behind a pivoting network (a scenario I cover in Pivoting with Chisel and Ligolo-ng: Segmented Networks in a Pentest Lab), KAPE runs locally and exports to an authenticated share, avoiding heavy traffic.

Three traps that cost hours if you do not know them. First: timezone. Plaso normalizes to UTC by default, but EVTX stores in UTC and Registry artifacts sometimes store in local time disguised as UTC. I always run with --timezone UTC and document the machine offset. Second: VSS. Volume Shadow Copies hide previous versions of NTUSER.DAT and can reveal persistence that was wiped; KAPE collects with --vss and Plaso processes with --vss_stores all. Third: noisy Windows EVTX parsers (Microsoft-Windows-Kernel-General generates millions of lines) must be pruned via --parsers '!winevtx_kernel_general' or you waste analysis time. Related defensive techniques live in Windows Persistence: 10 Documented Techniques and Their Countermeasures.

To deliver the finding, I export the relevant slice to Timesketch (docker compose up, ingest the plaso storage directly), create a sketch with tags like execution, persistence, c2_beacon, and generate a report with the stories feature. That becomes direct input for Sigma rules feeding future detection, closing the loop described in Purple Team in Practice: Building a Red vs Blue Feedback Loop. Practical takeaway: do not try to read 8 million events. Anchor on a temporal IOC, slice a 30-minute window, cross at least three independent artifacts, and only then write the narrative. Timeline forensics is not about collecting everything, it is about making time testify against the wrong hypothesis.
