InterviewStack.io LogoInterviewStack.io

Timeline Construction and Event Reconstruction Questions

Understand how to build event timelines from forensic artifacts: file system timestamps, log entries, application metadata, user activity records. Know how to identify relevant events, establish sequence, and construct coherent narratives. Understand timezone and timestamp issues. Know how timelines support investigative conclusions and legal proceedings.

EasyTechnical
54 practiced
As part of an automation task, write a Python 3 function named filetime_to_iso that takes a Windows FILETIME value (64-bit integer, representing 100-ns intervals since 1601-01-01) and returns an ISO 8601 UTC string (e.g., '2020-01-02T03:04:05Z'). Include handling for invalid or zero values and ensure the result is timezone-aware UTC.
MediumTechnical
45 practiced
Write a Python 3 function parse_timestamp(s: str) -> datetime that accepts three possible timestamp formats in forensic logs and returns a timezone-aware UTC datetime: (1) RFC3339 (e.g., '2021-06-01T12:00:00+02:00'), (2) Windows FILETIME as a decimal string, and (3) epoch milliseconds as digits. Describe edge cases and error handling you would implement for bulk parsing millions of values.
MediumSystem Design
59 practiced
You are asked to automate timeline collection across 100 endpoints (mix of Windows, macOS, Linux) for triage. Design a lightweight architecture covering collection agents, secure transport, central ingestion/normalization, storage, timeline construction, and role-based access. Include considerations for evidence integrity and chain-of-custody during automated collection.
HardSystem Design
49 practiced
Design an auditable timeline ingestion pipeline that cryptographically verifies each ingestion, normalization, and transformation step. Describe the manifest format, hashing strategy, signing and key management, storage choices (immutable/WORM), and how an investigator can demonstrate the provenance of any single event from raw source to final timeline entry.
MediumTechnical
41 practiced
Case: A web server access log contains malicious POSTs at 03:12:05 UTC. The web application log on the host records file writes at 03:12:06 local time, and the host is configured to UTC-5. The IDS shows the TCP connection at 02:12:04 UTC. Reconcile these timestamps and provide a plausible timeline of the attack, noting assumptions and checks you would perform to confirm the sequence.

Unlock Full Question Bank

Get access to hundreds of Timeline Construction and Event Reconstruction interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.