Forensic timeline analysis creates a chronological sequence of events across multiple sources — correlating file timestamps, log entries, registry modifications, and network captures to reconstruct the attack.
A timeline reveals the initial access time, the dwell time, and when persistence was established, when lateral movement occurred, and when exfiltration happened. Tools: Plaso (log2timeline) automates timeline creation from multiple sources. Critical: all timestamps must be converted to UTC before they can be correlated. Attackers use timestomping to manipulate file timestamps, so cross-verify file times against other log sources.
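The two points above, UTC normalization and cross-verifying file timestamps against other sources, shown as an added Python example that is not part of the original page and is not Plaso code. The events, source names, paths and the 5-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample events (not from a real case). Each source reports time in
# its own convention: (source, local timestamp, UTC offset in hours, event, path)
RAW_EVENTS = [
    ("web_log",  "2024-03-10 14:02:11", +2, "POST /upload.php 200", None),
    ("edr_log",  "2024-03-10 12:02:13",  0, "file created", "/var/www/uploads/img.php"),
    ("fs_meta",  "2019-06-01 08:00:00",  0, "file created", "/var/www/uploads/img.php"),
    ("auth_log", "2024-03-10 07:05:40", -5, "ssh login root", None),
    ("fs_meta",  "2024-03-10 12:10:02",  0, "file created", "/tmp/out.tgz"),
    ("edr_log",  "2024-03-10 12:10:03",  0, "file created", "/tmp/out.tgz"),
]

def to_utc(stamp, offset_hours):
    """Parse a source-local timestamp and convert it to an aware UTC datetime."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def build_timeline(raw):
    """Normalize every event to UTC and return one chronologically sorted list."""
    events = [
        {"utc": to_utc(ts, off), "source": src, "event": ev, "path": path}
        for src, ts, off, ev, path in raw
    ]
    return sorted(events, key=lambda e: e["utc"])

def timestomp_suspects(timeline, tolerance=timedelta(minutes=5)):
    """Flag paths whose filesystem creation time disagrees with an
    independent log source by more than the tolerance."""
    fs, other = {}, {}
    for e in timeline:
        if e["event"] == "file created" and e["path"]:
            (fs if e["source"] == "fs_meta" else other)[e["path"]] = e["utc"]
    return sorted(p for p in fs if p in other and abs(fs[p] - other[p]) > tolerance)

if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for e in tl:
        print(e["utc"].isoformat(), e["source"], e["event"], e["path"] or "")
    print("timestamp mismatch:", timestomp_suspects(tl))
```

Without the offset conversion the web request (14:02 local) would sort after the file creation it caused (12:02 UTC), and the 2019 filesystem timestamp would push the uploaded file out of the incident window entirely.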