🤖 AI Summary
Semantic modeling of heterogeneous, unstructured security event timelines in Digital Forensics and Incident Response (DFIR) remains challenging due to fragmented multi-source logs, alerts, and behavioral data lacking temporal and semantic alignment.
Method: This paper proposes a zero-shot large language model (LLaMA 3.1 8B) tightly integrated with retrieval-augmented generation (RAG), underpinned by an event knowledge graph that semantically aligns timestamps and metadata across diverse data sources. The framework enables natural-language-prompted timeline reconstruction and anomaly correlation reasoning without fine-tuning or labeled data.
Contribution/Results: To our knowledge, this is the first work to combine zero-shot LLMs and RAG for DFIR timeline analysis, overcoming the semantic limitations of rule- or log-based approaches. Evaluated on a synthetic dataset, it achieves significant improvements in event association accuracy and temporal consistency, establishing a novel paradigm for automated threat hunting and real-time incident response.
📝 Abstract
Cyber timeline analysis, or forensic timeline analysis, is crucial in Digital Forensics and Incident Response (DFIR). It examines artefacts and events, particularly timestamps and metadata, to detect anomalies, establish correlations, and reconstruct incident timelines. Traditional methods rely on structured artefacts, such as logs and filesystem metadata, using specialised tools for evidence identification and feature extraction. This paper introduces GenDFIR, a framework leveraging large language models (LLMs), specifically Llama 3.1 8B in zero-shot mode, integrated with a Retrieval-Augmented Generation (RAG) agent. Incident data is preprocessed into a structured knowledge base, enabling the RAG agent to retrieve relevant events based on user prompts. The LLM interprets this context, offering semantic enrichment. Tested on synthetic data in a controlled environment, the results demonstrate GenDFIR's reliability and robustness, showcasing the potential of LLMs to automate timeline analysis and advance threat detection.
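The preprocess-then-retrieve pipeline the abstract describes, as an added illustration that is not GenDFIR's own code: constructed records from three sources with different timestamp formats are normalised to UTC into a structured knowledge base, a keyword-plus-time-window retriever (a simple stand-in for the paper's RAG agent) selects the events relevant to an analyst prompt, and the result is rendered as the context block an LLM would receive. The source names, record formats and the retrieval heuristic are assumptions, not details from the paper.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from three heterogeneous sources (not real data).
# Each source uses a different timestamp format and time zone; aligning them
# to UTC is the preprocessing step that makes temporal correlation possible.
RAW_EVENTS = [
    ("syslog", "2024-03-05T10:02:11+01:00 host1 sshd[812]: Accepted password for admin from 203.0.113.5"),
    ("edr", '{"ts": 1709629420, "host": "host1", "proc": "powershell.exe", "cmd": "-EncodedCommand [constructed]"}'),
    ("siem", "05/03/2024 09:04:59 UTC ALERT high outbound connection host1 -> 198.51.100.7:8443"),
    ("syslog", "2024-03-05T12:30:00+01:00 host2 cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
]

def parse_event(source, raw):
    """Normalise one raw record into a knowledge-base entry with a UTC timestamp."""
    if source == "syslog":                      # ISO 8601 with a local UTC offset
        ts_str, rest = raw.split(" ", 1)
        ts = datetime.fromisoformat(ts_str)
    elif source == "edr":                       # JSON with a Unix epoch (already UTC)
        obj = json.loads(raw)
        ts = datetime.fromtimestamp(obj["ts"], tz=timezone.utc)
        rest = f'{obj["host"]} {obj["proc"]} {obj["cmd"]}'
    elif source == "siem":                      # DD/MM/YYYY, explicitly labelled UTC
        d, mo, y, t, rest = re.match(
            r"(\d{2})/(\d{2})/(\d{4}) (\d{2}:\d{2}:\d{2}) UTC (.*)", raw).groups()
        ts = datetime.fromisoformat(f"{y}-{mo}-{d}T{t}+00:00")
    else:
        raise ValueError(f"unknown source: {source}")
    return {"ts": ts.astimezone(timezone.utc), "source": source, "text": rest}

def build_knowledge_base(raw_events):
    """Structured, chronologically ordered knowledge base of normalised events."""
    return sorted((parse_event(s, r) for s, r in raw_events), key=lambda e: e["ts"])

def retrieve(kb, prompt, window=timedelta(minutes=10)):
    """Retrieval step: keyword hits for the prompt, expanded to every event
    within `window` of a hit so the LLM also sees the surrounding timeline."""
    terms = {t.lower() for t in re.findall(r"\w+", prompt) if len(t) >= 4}
    hits = [e for e in kb if terms & {t.lower() for t in re.findall(r"\w+", e["text"])}]
    return [e for e in kb if any(abs(e["ts"] - h["ts"]) <= window for h in hits)]

def timeline_context(events):
    """Render retrieved events as the context block handed to the LLM."""
    return "\n".join(f'{e["ts"].isoformat()} [{e["source"]}] {e["text"]}' for e in events)

if __name__ == "__main__":
    kb = build_knowledge_base(RAW_EVENTS)
    print(timeline_context(retrieve(kb, "suspicious powershell activity")))
```

Note that the unrelated cron event on host2 is excluded even though it is in the knowledge base: it matches no prompt term and falls outside the time window of any hit.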