
Forensic Timeliner is a high-performance forensic processing engine designed to support DFIR (Digital Forensics and Incident Response) analysts in artifact triage and correlation. The tool allows you to quickly aggregate CSV files from major forensic tools, transforming them into a single, filterable timeline ready for investigative analysis.
With the release of version 2.2, maintained in C# on the .NET 9 platform, the project introduces a set of improvements aimed primarily at the interactive mode user experience. The CLI menu has been extended with new prompts that allow you to preview filter configurations applied to the most relevant artifacts, such as MFTs and Windows event logs.
For example, new prompts let you inspect, in a structured view, the filters on MFT timestamps, paths, and file extensions, as well as channel- and provider-based criteria for event logs.
Keyword tagging configurations, defined in keywords.yaml files, are now automatically displayed when using EZ Tools with the configuration files present.
Previews are rendered in rich tables via Spectre.Console.

Another significant new feature is the integration with Timeline Explorer. Forensic Timeliner introduces an interactive option for enabling keyword tagging, which allows for the automatic generation of a .tle_sess session file. Timeline rows are tagged based on user-defined keyword groups, with the ability to preview the groups before activation.
Functionally, the tool continues to support unifying CSV output from EZ Tools/Kape, Axiom, Chainsaw, Hayabusa, and Nirsoft. File discovery is automatic, starting from a base directory, using YAML-configurable criteria that include file names, folder names, and CSV headers. Tools like Hayabusa, which allow for custom output, require a consistent naming convention.
The generated timeline can be enriched with metadata and keyword tags, facilitating analysis within Timeline Explorer. Export is in RFC-4180-compliant CSV format, ensuring compatibility with forensic tools and analysis environments such as Excel. Time filters, deduplication functions, and experimental options for including raw source row data are also available.
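The following Python sketch is an added illustration, not Forensic Timeliner's own code or configuration, of the header-based discovery, time-window filtering, deduplication and RFC 4180 export described above. The signature table, the column choices and the sample rows are assumptions constructed for the example.

```python
import csv, io
from datetime import datetime, timezone

# Hypothetical signatures: required header columns -> (source, time column, description column).
SIGNATURES = [
    ({"EntryNumber", "Created0x10", "FileName"}, ("MFT", "Created0x10", "FileName")),
    ({"TimeCreated", "Channel", "Provider"}, ("EventLog", "TimeCreated", "MapDescription")),
]
# Constructed sample exports: a duplicated MFT row, an old row, an unrecognised CSV.
MFT_CSV = ('EntryNumber,Created0x10,FileName\n42,2024-05-01 10:00:00,"notes, v2.txt"\n'
           '42,2024-05-01 10:00:00,"notes, v2.txt"\n43,2024-04-01 09:00:00,old.txt\n')
EVTX_CSV = ("TimeCreated,Channel,Provider,MapDescription\n"
            "2024-05-01 09:59:30,Security,Microsoft-Windows-Security-Auditing,Logon\n")
UNKNOWN_CSV = "a,b\n1,2\n"

def identify(header):
    """Return the mapping whose required columns all appear in the CSV header."""
    return next((m for required, m in SIGNATURES if required <= set(header)), None)

def parse_utc(value):
    """Parse an ISO-style timestamp; naive values are assumed to already be UTC."""
    dt = datetime.fromisoformat(value.strip())
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)

def build_timeline(csv_texts, start=None, end=None):
    """Merge recognised CSVs into sorted, de-duplicated (time, source, description) rows."""
    rows = set()
    for text in csv_texts:
        reader = csv.DictReader(io.StringIO(text, newline=""))
        mapping = identify(reader.fieldnames or [])
        if mapping is None:
            continue  # header matches no signature: not an artifact we know
        source, ts_col, desc_col = mapping
        for rec in reader:
            try:
                ts = parse_utc(rec[ts_col])
            except (ValueError, AttributeError):
                continue  # blank or malformed timestamp: cannot be placed on a timeline
            if (start is None or ts >= start) and (end is None or ts <= end):
                rows.add((ts, source, rec.get(desc_col) or ""))
    return sorted(rows)

def to_rfc4180(rows):
    """Serialise with CRLF line endings and quoting of fields that contain commas."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(["DateTime", "Source", "Description"])
    writer.writerows([ts.strftime("%Y-%m-%dT%H:%M:%SZ"), s, d] for ts, s, d in rows)
    return out.getvalue()
```

Identifying exports by header rather than by file name alone is what keeps a renamed or relocated CSV from being silently dropped, and normalising every timestamp to UTC before sorting is what makes rows from different tools comparable.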
The program can be run either via the command line or through an interactive mode that guides the user through the construction of commands. Available options include selective processing of individual tools, automatic full analysis, tagging activation, and the definition of time windows. YAML configurations allow for granular control over artifact discovery, event log filtering, and MFT timestamp normalization.
Forensic Timeliner supports a wide range of artifacts, from Windows event logs and web browsing data to autorun files, security logs, and threat indicators.
Each integrated tool has dedicated documentation describing field mappings, parsing behaviors, and expected input formats. The project is distributed under the MIT License and is available in the latest version 2.2, accompanied by sample data for testing.
