acquiredsecurity/forensic-timeliner

Source: GitHub
Author: unknown
URL: https://github.com/acquiredsecurity/forensic-timeliner

# ONE SENTENCE SUMMARY:
Forensic Timeliner is a PowerShell tool that consolidates and formats forensic data into a sortable, analyzable master timeline.

# MAIN POINTS:
1. Aggregates data from Chainsaw, KAPE/EZTools, and WebHistoryView into a unified timeline.
2. Normalizes artifact data fields for consistent formatting across different sources.
3. Supports output in CSV, JSON, and XLSX formats, with an optional Excel macro that color-codes entries by artifact type.
4. Offers interactive and batch modes for ease of use and scalability.
5. Filters MFT and event logs using customizable criteria to prioritize relevant data.
6. Deduplicates timeline entries and supports filtering by date range.
7. Categorizes web activity into search, download, file access, and general browsing.
8. Uses the .NET StreamReader to read large inputs as a stream, processing them in 10,000-line batches instead of loading whole files into memory.
9. Exports include detailed metadata like file size, SHA1, user, computer, and command line.
10. Fully customizable via parameters or script modification for tailored forensic workflows.
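The points above describe one pipeline: map each tool's columns onto a common schema, filter MFT rows by criteria such as extension, apply a date range, suppress duplicates, categorize web visits, and stream the input in batches. The block below is an added illustration of that pipeline in Python, not forensic-timeliner's own PowerShell code. The sample CSV rows, the source column names (`timestamp`, `Created0x10`, `Visit Time`, and so on), the unified field list, and the web-categorization heuristics are all constructed for the example and are not claimed to match the real tools' export schemas.

```python
"""Normalise several forensic tool exports into one deduplicated, sorted timeline.
Added example in the spirit of forensic-timeliner; column names are assumptions."""
import csv
import io
import itertools
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample exports (not real case data, not the real tools' exact schemas).
CHAINSAW_CSV = """timestamp,detections,Event ID,Computer,User
2024-03-01T10:00:00.000Z,Suspicious PowerShell,4104,WS01,alice
2024-03-01T10:00:00.000Z,Suspicious PowerShell,4104,WS01,alice
"""
MFT_CSV = """Created0x10,FileName,ParentPath,FileSize,Extension
2024-03-01 10:05:30.1234567,payload.exe,.\\Users\\alice\\Downloads,52480,.exe
2024-02-10 09:00:00.0000000,old.dll,.\\Windows\\Temp,8192,.dll
2024-03-01 09:59:00.0000000,readme.txt,.\\Users\\alice\\Documents,120,.txt
"""
WEB_CSV = """Visit Time,URL,Title
2024-03-01 10:04:10,https://www.google.com/search?q=payload,payload - Google Search
2024-03-01 10:05:00,https://example.com/files/payload.exe,Download
"""

# Unified schema every source is mapped onto (order is also the CSV column order).
FIELDS = ["DateTime", "ArtifactName", "Description", "DataPath",
          "DataDetails", "User", "Computer", "FileSize", "EventId"]
MFT_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".lnk", ".zip"}  # example MFT filter
DOWNLOAD_EXTENSIONS = (".exe", ".zip", ".dll", ".msi", ".ps1", ".iso")


def parse_ts(raw):
    """Accept '2024-03-01T10:00:00.000Z', '2024-03-01 10:05:30.1234567' or a bare
    date; fractions are truncated to microseconds and everything is treated as UTC."""
    s = raw.strip().replace(" ", "T").rstrip("Z")
    if "." in s:
        base, frac = s.split(".", 1)
        s = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def record(**kw):
    """Build a unified row; fields a source does not provide stay empty."""
    return {f: kw.get(f, "") for f in FIELDS}


def categorize_web(url):
    """Heuristic split into Search / Download / File Access / Browsing."""
    u = urlsplit(url)
    if u.scheme == "file":
        return "File Access"
    if "q=" in u.query or u.path.rstrip("/").endswith("/search"):
        return "Search"
    if u.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        return "Download"
    return "Browsing"


def map_chainsaw(row):
    return record(DateTime=parse_ts(row["timestamp"]), ArtifactName="EventLog (Chainsaw)",
                  Description=row["detections"], EventId=row["Event ID"],
                  Computer=row["Computer"], User=row["User"])


def map_mft(row):
    if row["Extension"].lower() not in MFT_EXTENSIONS:
        return None  # dropped by the MFT extension filter
    return record(DateTime=parse_ts(row["Created0x10"]), ArtifactName="MFT Created",
                  Description=row["FileName"], FileSize=row["FileSize"],
                  DataPath=row["ParentPath"] + "\\" + row["FileName"])


def map_web(row):
    return record(DateTime=parse_ts(row["Visit Time"]), ArtifactName="Web History",
                  Description=categorize_web(row["URL"]), DataPath=row["URL"],
                  DataDetails=row["Title"])


def read_in_batches(text, batch_size=10_000):
    """Stream rows in fixed-size batches rather than materialising the whole file."""
    reader = csv.DictReader(io.StringIO(text))
    while batch := list(itertools.islice(reader, batch_size)):
        yield batch


def build_timeline(sources, start=None, end=None, batch_size=10_000):
    """sources: (csv_text, mapper) pairs; start/end: ISO timestamps, inclusive."""
    lo, hi = (parse_ts(start) if start else None), (parse_ts(end) if end else None)
    seen, timeline = set(), []
    for text, mapper in sources:
        for batch in read_in_batches(text, batch_size):
            for row in batch:
                rec = mapper(row)
                if rec is None or (lo and rec["DateTime"] < lo) or (hi and rec["DateTime"] > hi):
                    continue
                key = tuple(rec.values())  # exact-duplicate suppression across sources
                if key not in seen:
                    seen.add(key)
                    timeline.append(rec)
    timeline.sort(key=lambda r: r["DateTime"])
    return timeline


def to_csv(timeline):
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    for rec in timeline:
        w.writerow({**rec, "DateTime": rec["DateTime"].strftime("%Y-%m-%d %H:%M:%S.%f")})
    return out.getvalue()


SOURCES = [(CHAINSAW_CSV, map_chainsaw), (MFT_CSV, map_mft), (WEB_CSV, map_web)]
```

Running `build_timeline(SOURCES, start="2024-03-01")` yields four rows in time order: the single (deduplicated) Chainsaw detection, the search and the download visits, and the MFT creation of `payload.exe`; `old.dll` falls outside the date range and `readme.txt` is removed by the extension filter. The batch size is a parameter so the same code path is exercised on tiny inputs with `batch_size=2`.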

# TAKEAWAYS:
1. Simplifies forensic triage by unifying outputs from multiple tools into a single timeline.
2. Highly customizable filtering and mapping improve data relevance and clarity.
3. Interactive mode enables quick setup for new investigations.
4. Supports large-scale processing with batch mode and efficient file reading.
5. Designed for forensic analysts whose triage workflow is built on KAPE and EZ Tools output (KAPE is Kroll's Artifact Parser and Extractor, including its SANS triage collection target).