Threat actors with substantial funding and technical knowledge prefer building malware that spreads throughout the network and persists itself through autorun configurations, local Git hooks, registry configurations, and every other available time-based or logic-based trigger.
Artefacts generated by this malware are usually found on multiple computers, IoT devices, mobile devices, and effectively any other electronic device the malware is compatible with.
On the flip side, investigators need to reconstruct the chain of events, which means manually going through multiple devices, finding timestamps, and eventually plotting a time-series graph.
This workshop will delve into the development of a tool in the Go programming language for automatically stitching together artefacts from heterogeneous sources and building a unified chain of events.
Attendees will leave with both conceptual understanding and practical code to extend in their own investigations.
Workshop Details
Modern threat actors don’t rely on a single persistence trick—they weaponize time. From autorun entries and scheduled tasks to registry-based triggers, local Git hooks, IoT callbacks, and logic-based execution chains, well-funded adversaries design malware that quietly propagates across heterogeneous environments and activates under specific temporal conditions.
These artefacts appear scattered across laptops, servers, mobile devices, and embedded systems, leaving investigators with the difficult task of reconstructing a coherent chain of infection.
This workshop tackles that challenge head-on.
Participants will learn how to automatically stitch together artefacts from multiple platforms and formats to build a unified forensic timeline—without depending on commercial suites or heavyweight time-series databases.
Using the Go programming language, attendees will implement a lightweight, cross-platform tool that parses timestamps, normalizes formats, correlates events, and visualizes the infection chain.
The session blends conceptual clarity with hands-on coding, enabling participants to walk away with a working prototype they can extend for real investigations.
Whether you’re a DFIR practitioner, malware analyst, or a Go beginner looking to apply the language to security tooling, this workshop provides a practical, vendor-neutral methodology for reconstructing complex infection chains at scale.
Learning Objectives
By the end of the workshop, participants will be able to:
- Understand why Go is well-suited for forensic tooling, including its concurrency model, static binaries, and cross-platform compilation.
- Identify persistence and propagation artefacts commonly left by malware across a distributed environment.
- Parse and normalize heterogeneous timestamp formats into a unified structure suitable for correlation.
- Construct a forensic timeline without relying on external time-series databases or commercial DFIR platforms.
- Apply the methodology to a simulated case study, reconstructing a complete chain of infection from raw artefacts.
Workshop Structure & Flow
- Kickoff & Motivation
  - Why timeline reconstruction is central to DFIR
  - How modern malware uses time-based and logic-based triggers
  - What makes infection chains difficult to reconstruct across heterogeneous devices
- Go for Forensics — Lightning Primer
  - Go essentials: syntax, modules, error handling, static binaries
  - Why Go is ideal for forensic tooling (cross-platform, fast, simple)
  - Coding: reading directories, parsing files, printing timestamps
- Infection Chain Fundamentals
  - Walkthrough of a simulated malware infection
  - Persistence and propagation artefacts (registry, autoruns, Git hooks, cron, launch agents, etc.)
  - Mapping artefacts to timeline-relevant events
- Timestamp Parsing & Normalization
  - Common timestamp formats across OSes
  - Normalizing into a unified structure
  - Sorting and correlating artefacts
  - Generating a simple timeline (CSV/JSON/ASCII graph)
- Real-World Caveats
  - Timezones
  - Clock skew
  - Missing or tampered timestamps
  - Anti-forensic behaviours that distort timelines
- Hands-On Case Study
  - Participants receive a folder of artefacts from a simulated multi-device infection.
  - They will:
    - Write small Go programs to parse artefacts
    - Normalize timestamps
    - Stitch events into a chronological chain
    - Produce a final annotated timeline
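The pipeline the outline describes (parse heterogeneous timestamp formats, normalize them into one structure, apply the timezone and clock-skew caveats, sort, and render a simple timeline), as one added Go example that serves both the Timestamp Parsing & Normalization section and the case-study steps. This is not the workshop's own code. The host names, artefact records, host timezones, the two-minute skew on srv02 and the year 2024 supplied for year-less syslog lines are constructed sample values; in a real case the zones and skew come from the acquisition notes and the year from the acquisition date. It goes one step beyond the outline by keeping records whose timestamp is missing or unparseable in the output rather than silently dropping them.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Artefact is one raw record as a collector hands it over: the host it came
// from, the artefact class, the timestamp text exactly as found, and a note.
type Artefact struct {
	Host, Source, Timestamp, Detail string
}

// Event is the unified structure every artefact is normalized into.
type Event struct {
	Host, Source, Raw, Detail string
	When      time.Time // UTC; zero when Unparsed
	Corrected bool      // a per-host clock-skew offset was applied
	Unparsed  bool      // timestamp missing or unrecognised; kept, not dropped
}

// layouts are tried in order for textual timestamps (epoch seconds are handled
// separately). Layouts without a zone are read in the host's local zone.
var layouts = []string{
	time.RFC3339Nano,      // 2024-03-05T10:15:02.120Z
	"2006-01-02 15:04:05", // many app logs and SQLite exports
	"01/02/2006 15:04:05", // Windows-style export
	time.RFC1123,          // Tue, 05 Mar 2024 10:12:00 GMT
	"Jan _2 15:04:05",     // syslog, no year
}

// parseTimestamp normalizes raw to UTC. loc is the local zone of the host that
// produced the artefact; year fills in year-less syslog timestamps (assumed to
// come from the acquisition date).
func parseTimestamp(raw string, loc *time.Location, year int) (time.Time, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return time.Time{}, fmt.Errorf("empty timestamp")
	}
	if n, err := strconv.ParseInt(raw, 10, 64); err == nil { // Unix epoch seconds
		return time.Unix(n, 0).UTC(), nil
	}
	for _, layout := range layouts {
		t, err := time.ParseInLocation(layout, raw, loc)
		if err != nil {
			continue
		}
		if t.Year() == 0 { // the layout carried no year
			t = time.Date(year, t.Month(), t.Day(), t.Hour(), t.Minute(), t.Second(), 0, loc)
		}
		return t.UTC(), nil
	}
	return time.Time{}, fmt.Errorf("unrecognised timestamp %q", raw)
}

// buildTimeline normalizes every artefact, subtracts the measured clock skew of
// its host (positive skew = host clock ran ahead of the reference clock) and
// sorts chronologically. Unparseable records are placed last, still visible.
func buildTimeline(arts []Artefact, zones map[string]*time.Location, skew map[string]time.Duration, year int) []Event {
	events := make([]Event, 0, len(arts))
	for _, a := range arts {
		loc := zones[a.Host]
		if loc == nil {
			loc = time.UTC
		}
		ev := Event{Host: a.Host, Source: a.Source, Raw: a.Timestamp, Detail: a.Detail}
		if t, err := parseTimestamp(a.Timestamp, loc, year); err != nil {
			ev.Unparsed = true
		} else {
			if d := skew[a.Host]; d != 0 {
				t = t.Add(-d)
				ev.Corrected = true
			}
			ev.When = t
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool {
		if events[i].Unparsed != events[j].Unparsed {
			return !events[i].Unparsed
		}
		return events[i].When.Before(events[j].When)
	})
	return events
}

// render writes a plain-text timeline: "~" marks skew-corrected events and
// "?" marks records with no usable timestamp.
func render(events []Event) string {
	var b strings.Builder
	for i, e := range events {
		flag, ts := " ", e.When.Format(time.RFC3339)
		if e.Unparsed {
			flag, ts = "?", fmt.Sprintf("<unparsed %q>", e.Raw)
		} else if e.Corrected {
			flag = "~"
		}
		fmt.Fprintf(&b, "%2d %s %-24s %-6s %-11s %s\n", i+1, flag, ts, e.Host, e.Source, e.Detail)
	}
	return b.String()
}

// demoTimeline runs the pipeline over constructed sample artefacts (not real
// case data): three hosts, five timestamp conventions, one missing timestamp.
func demoTimeline() []Event {
	arts := []Artefact{
		{"ws01", "registry", "2024-03-05T10:15:02.120Z", "Run key added"},
		{"ws01", "autorun", "03/05/2024 05:16:10", "Startup folder shortcut written"},
		{"srv02", "cron", "1709633820", "@reboot entry added"},
		{"srv02", "githook", "Mar  5 10:20:30", "post-checkout hook modified"},
		{"dev03", "launchagent", "", "plist with no recoverable mtime"},
		{"dev03", "journal", "Tue, 05 Mar 2024 10:12:00 GMT", "first outbound fetch of the dropper"},
	}
	zones := map[string]*time.Location{"ws01": time.FixedZone("EST", -5*3600)} // assumed; others default to UTC
	skew := map[string]time.Duration{"srv02": 2 * time.Minute}                 // srv02 clock measured 2 min fast
	return buildTimeline(arts, zones, skew, 2024)
}

func main() {
	fmt.Print(render(demoTimeline()))
}
```

Run with `go run .`; the output lists the journal fetch on dev03 first, the skew-corrected cron entry on srv02 next, and the launch agent with no timestamp last, flagged with `?`. Skew is expressed as host-minus-reference and is subtracted, so the sign convention must be recorded alongside the measurement when the offset is taken from a host.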
- Wrap-Up & Q/A
  - Discussion of how to extend the tool
  - Ideas for integrating with existing DFIR workflows
  - Open questions and participant challenges
By Dr. Gaurav Gogia