Forensic-Timeliner – Windows Forensic Tool for DFIR Investigators

Forensic-Timeliner, a Windows forensic tool for DFIR investigators, has released version 2.2, which offers enhanced automation and improved artifact support for digital forensics and incident response operations.

This high-speed processing engine consolidates CSV output from leading triage utilities into a unified timeline, empowering analysts to reconstruct event sequences and identify key indicators of compromise rapidly.

Automated Timeline Construction

Developed by Acquired Security, the tool’s core capability lies in its ability to discover and parse CSV artifacts generated by EZ Tools, KAPE, Axiom, Chainsaw, Hayabusa, and Nirsoft. Analysts simply point the tool at a base directory:

Interactive Menu

The engine applies YAML-driven filters defined in config/keywords/keywords.yaml, automatically detecting files by name, folder, or header patterns. New interactive enhancements in v2.2 include:

• Silent mode (–Silent) to suppress prompts and banners, facilitating headless execution in automated workflows.
• Filter previews rendered as Spectre.Console tables, allowing live validation of MFT timestamp filters, event-log channel/provider rules, and keyword tagger configurations.
• Keyword tagging support for Timeline Explorer (.tle_sess): tagged events are grouped by user-defined keyword sets, simplifying pivoting in downstream analysis.

These tool features reduce manual effort and ensure repeatable, auditable processing across large-scale collections. Beyond basic timeline collation, Forensic-Timeliner offers advanced enrichment and export options.

Date filtering (–StartDate, –EndDate) and deduplication (–Deduplicate) to tailor timelines to the incident’s window of interest.

Raw data inclusion (–IncludeRawData) for forensic provenance, embedding original CSV rows in the output for forensic validation.

Configurable parsers via YAML definitions, mapping artifact CSV fields to a standard timeline schema:

DateTime | TimestampInfo | ArtifactName | Tool | Description | DataDetails | DataPath | FileExtension | EventId | User | Computer | FileSize | IPAddress | SHA1 | Count | EvidencePath.

The tool’s RFC-4180-compliant CSV output ensures seamless compatibility with Excel, Timeline Explorer, and other forensic review platforms. Analysts can also export in JSON or JSONL formats for integration with SIEMs and log management systems.

Customizable YAML parameters allow exclusion of undesired MFT extensions (default: .exe, .ps1, .zip, etc.) and path filters (default: Users), while built-in event-log filters restrict noise by channel and provider IDs.

Forensic-Timeliner v2.2’s mix of interactive setup, automated discovery, and keyword-driven enrichment positions it as an indispensable tool for DFIR investigators seeking speed, precision, and consistency in constructing Windows forensic timelines.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.