competition-forensic-timeline


Competition Forensic Timeline


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the hard part is not finding one artifact, but turning many artifacts into one replayable chronology.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Pick the smallest reliable anchor: first execution, first logon, first network session, first file write, or first mailbox action.
  2. Normalize timestamps, time zones, hostnames, users, process IDs, message IDs, and file paths before correlating.
  3. Build one minimal chain from foothold to persistence, execution, access, or exfiltration.
  4. Separate confirmed event order from inferred gaps.
  5. Reproduce the decisive timeline segment that yields the artifact or privilege conclusion.

Workflow


1. Establish Timeline Anchors


  • Collect only the active surfaces: EVTX, Sysmon, registry, Amcache, prefetch, browser artifacts, mail traces, PCAPs, memory, or filesystem metadata.
  • Record clock source, timezone, and any drift or truncation that could reorder events.
  • Link shared identifiers across sources: PID, logon ID, GUID, message ID, hostname, username, IP, or hash.

2. Correlate The Execution Graph


  • Track process tree, service or task creation, network sessions, file writes, registry changes, mailbox rules, or token use as one path.
  • Distinguish causal edges from coincidence by matching identifiers and adjacency, not just nearby timestamps.
  • Keep raw artifact and parsed summary side by side so every step can be traced back.

3. Compress To The Decisive Story


  • Reduce the timeline to the smallest sequence that proves initial access, persistence, lateral movement, collection, or artifact recovery.
  • Call out missing validation steps separately instead of mixing them into confirmed chronology.
  • If the task becomes mainly about malware config extraction or a Windows pivot edge, switch to the tighter specialized skill.
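The anchor, normalization, correlation and gap-separation steps from Quick Start and the Workflow above, as an added example that is not code from this skill or from references/forensic-timeline.md. It assumes a parser has already labelled identifiers with the field names used here (pid, ppid, logon_id, src_ip, dst_ip, sha256, path), treats naive Sysmon-style timestamps as UTC, and uses constructed records for a workstation, a capture sensor and a domain controller whose exports carry three different clock conventions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any
@dataclass
class Event:
    source: str
    ts: datetime          # aware UTC datetime after normalization
    host: str             # short upper-case hostname
    ids: dict[str, str]   # shared identifiers (field names are this example's assumptions)
    summary: str

@dataclass
class Step:
    event: Event
    status: str           # "anchor", "confirmed" or "inferred"
    via: str = ""         # identifier tying this step to an earlier confirmed step
    links_to: int = -1    # index of that earlier step in the chain

HOST_SCOPED = {"pid", "ppid", "logon_id", "path"}   # meaningless across hosts (PID reuse etc.)
LINK_KEYS = ("dst_ip", "logon_id", "path", "pid", "sha256", "src_ip")

def normalize_ts(value: Any) -> datetime:
    # Epoch seconds, ISO-8601 with offset or 'Z', or a naive string the source documents as UTC (Sysmon UtcTime).
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    dt = datetime.fromisoformat(str(value).strip().replace("Z", "+00:00"))
    return (dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)).astimezone(timezone.utc)

def normalize_ids(ids: dict[str, Any]) -> dict[str, str]:
    """Lower-case values, decode hex PIDs/logon IDs to decimal, unify path separators."""
    out: dict[str, str] = {}
    for key, raw in ids.items():
        val = str(raw).strip().lower()
        if key in ("pid", "ppid", "logon_id") and val.startswith("0x"):
            val = str(int(val, 16))
        out[key] = val.replace("/", "\\") if key == "path" else val
    return out

def load(records: list[dict]) -> list[Event]:
    return [Event(r["source"], normalize_ts(r["time"]), r["host"].split(".")[0].upper(),
                  normalize_ids(r.get("ids", {})), r["summary"]) for r in records]

def shared_identifier(earlier: Event, later: Event) -> str | None:
    """Identifier tying `later` to `earlier`, or None. Host-local identifiers only
    count on the same host; IPs and hashes may link across hosts."""
    same_host = earlier.host == later.host
    if same_host and "ppid" in later.ids and later.ids["ppid"] == earlier.ids.get("pid"):
        return "ppid->pid"
    for key in LINK_KEYS:
        if key in HOST_SCOPED and not same_host:
            continue
        if key in earlier.ids and key in later.ids and earlier.ids[key] == later.ids[key]:
            return key
    return None

def build_chain(events, is_anchor) -> list[Step]:
    """Sort by normalized time, start at the first anchor, then mark each later event
    'confirmed' if it shares an identifier with an already confirmed step (nearest
    first) and 'inferred' otherwise. Inferred steps never anchor later ones."""
    ordered = sorted(events, key=lambda e: e.ts)
    start = next(i for i, e in enumerate(ordered) if is_anchor(e))
    chain = [Step(ordered[start], "anchor")]
    for ev in ordered[start + 1:]:
        for idx in range(len(chain) - 1, -1, -1):
            key = None if chain[idx].status == "inferred" else shared_identifier(chain[idx].event, ev)
            if key:
                chain.append(Step(ev, "confirmed", key, idx))
                break
        else:
            chain.append(Step(ev, "inferred"))
    return chain

def gaps(chain: list[Step]) -> list[int]:
    return [i for i, s in enumerate(chain) if s.status == "inferred"]  # placed by time order alone

HASH = "c0ffee" * 10 + "c0ff"   # constructed 64-hex placeholder, not a real indicator
SAMPLE = [  # constructed records mixing three clock conventions: UTC offset, naive UTC, epoch
    {"source": "evtx", "time": "2024-03-01T09:00:05+02:00", "host": "ws01.corp.local",
     "ids": {"logon_id": "0x3E7A1", "src_ip": "10.0.0.5"}, "summary": "4624 logon bob (type 10)"},
    {"source": "sysmon", "time": "2024-03-01 07:00:09.412", "host": "WS01",
     "ids": {"pid": "4412", "ppid": "980", "logon_id": "0x3e7a1"}, "summary": "EID1 powershell.exe started"},
    {"source": "sysmon", "time": "2024-03-01 07:00:31.000", "host": "WS01", "summary": "EID11 update.exe written",
     "ids": {"pid": "4412", "path": "c:/users/bob/appdata/roaming/update.exe", "sha256": HASH}},
    {"source": "sysmon", "time": "2024-03-01 07:00:38.000", "host": "WS01",
     "ids": {"pid": "4412", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.9"}, "summary": "EID3 connect tcp/443"},
    {"source": "pcap", "time": 1709276440, "host": "sensor01",   # frame time as epoch seconds, host = capture point
     "ids": {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.9"}, "summary": "TLS session to 203.0.113.9:443"},
    {"source": "registry", "time": "2024-03-01T07:06:00Z", "host": "WS01", "summary": "Run value written",
     "ids": {"pid": "9001", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}},
    {"source": "evtx", "time": "2024-03-01T02:08:00-05:00", "host": "DC01",   # exported in UTC-5 local time
     "ids": {"logon_id": "0x9B2C4", "src_ip": "10.0.0.7"}, "summary": "4624 logon bob (type 3)"},
]
if __name__ == "__main__":
    for i, s in enumerate(build_chain(load(SAMPLE), lambda e: "4624" in e.summary)):
        tag = f"{s.status} via {s.via} <- step {s.links_to}" if s.via else s.status
        print(f"{i:02d} {s.event.ts:%Y-%m-%dT%H:%M:%SZ} {s.event.host:<8} {s.event.source:<8} {s.event.summary} [{tag}]")
```

Run as a script, it prints the ordered chain with each step's link: the workstation logon is the anchor, the PowerShell process is tied to it by logon ID, the file write and outbound connection by PID, the capture session by destination IP, and the DC logon by source IP across hosts. The Run key write shares no identifier with any confirmed step, so it is reported as `inferred`; `gaps()` lists such steps separately so they can be validated instead of being mixed into the confirmed chronology. Note that a same-host PID match is still only adjacency evidence over a short window; PID reuse over a long capture would need the process creation time as an extra key.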

Read This Reference


  • Load references/forensic-timeline.md for anchor selection, cross-source correlation, and evidence packaging.
  • If the hard part is packet reassembly, protocol framing, or transferred-object extraction from a capture, prefer $competition-pcap-protocol.

What To Preserve


  • Source file paths, event IDs, logon IDs, message IDs, PIDs, hashes, and timestamps with timezone noted
  • One compact timeline table or ordered list for the decisive segment
  • Raw artifacts, parsed output, and inferred edges kept separate