{"id":28092612,"url":"https://github.com/acquiredsecurity/forensic-timeliner","last_synced_at":"2026-02-26T18:42:10.015Z","repository":{"id":283407052,"uuid":"951667861","full_name":"acquiredsecurity/forensic-timeliner","owner":"acquiredsecurity","description":"A high-speed forensic timeline engine for Windows forensic artifact CSV output built for DFIR investigators. Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Tools) Kape, Axiom, Hayabusa, Chainsaw and Nirsoft into a unified timeline.","archived":false,"fork":false,"pushed_at":"2026-02-26T05:00:55.000Z","size":52970,"stargazers_count":307,"open_issues_count":5,"forks_count":34,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-26T08:00:21.925Z","etag":null,"topics":["axiom","chainsaw","digital-forensic-tool","digital-forensics-incident-response","ez-tools","forensic-analysis","forensic-timeline","forensics-investigations","forensics-tools","hayabusa","nirsoft","timelines","yaml"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/acquiredsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-03-20T03:47:53.000Z","updated_at":"2026-02-26T05:00:58.000Z","dependencies_parsed_at":"2025-05-13T13:39:52.847Z","dependency_job_id":"8d3ff5d5-94d2-4045-9991-94e1380ca9e5","html_url":"https://github.com/acquiredsecurity/forensic-timeliner","commit_stats":null,"previous_names
":["acquiredsecurity/chainsaw-forensic-timeliner","acquiredsecurity/forensic-timeliner","acquiredsecurity/forensic-timeliner-python"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/acquiredsecurity/forensic-timeliner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fforensic-timeliner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fforensic-timeliner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fforensic-timeliner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fforensic-timeliner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/acquiredsecurity","download_url":"https://codeload.github.com/acquiredsecurity/forensic-timeliner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fforensic-timeliner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29867632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-26T18:27:06.972Z","status":"ssl_error","status_checked_at":"2026-02-26T18:26:57.848Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["axiom","chainsaw","digital-forensic-tool","digital-forensics-incident-response","ez-tools","forensic-analysis","forensic-timeline","forensics-investigations","forensics-tools","hayabusa","nirsoft","timelines","yaml"],"created_at":"2025-05-13T13:22:54.415Z","updated_at":"2026-02-26T18:42:10.002Z","avatar_url":"https://github.com/acquiredsecurity.png","language":"C#","readme":"\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"https://github.com/user-attachments/assets/9505c070-c5b3-4b19-bc4f-ebeb0c28cad1\" width=\"600\"\u003e\n\u003c/div\u003e\n\n\n\u003e A high-speed forensic processing engine built for DFIR investigators. 
Quickly consolidate CSV output from top-tier triage tools into a unified mini timeline with built-in filtering, artifact detection, date filtering, keyword tagging, and deduplication.\n\n![Version](https://img.shields.io/badge/version-v2.3-blue?style=for-the-badge)\n![Downloads](https://img.shields.io/github/downloads/acquiredsecurity/forensic-timeliner/total?style=for-the-badge)\n![Stars](https://img.shields.io/github/stars/acquiredsecurity/forensic-timeliner?style=for-the-badge)\n![Contributors](https://img.shields.io/github/contributors/acquiredsecurity/forensic-timeliner?style=for-the-badge)\n![Maintained](https://img.shields.io/badge/Maintenance-Actively--Developed-brightgreen?style=for-the-badge)\n![C#](https://img.shields.io/badge/C%23-239120.svg?style=for-the-badge\u0026logo=c-sharp\u0026logoColor=white)\n![.NET 9](https://img.shields.io/badge/.NET_9-512BD4?style=for-the-badge\u0026logo=dotnet\u0026logoColor=white)\n\n---\n\n## Release\n## Forensic Timeliner v2.3 – Release Notes\n\n### New Features\n\n- **Cross-Platform Browser History Parsing**\n  - New `ForensicWebHistoryParser` — parses live browser history CSV from [forensic-webhistory](https://github.com/AcquiredSec/forensic-webhistory) (Rust tool)\n  - Supports Chrome, Firefox, Safari, Brave, Edge, Opera, Vivaldi, and Arc\n  - Activity detection: Search queries, Downloads, and File Open events automatically enriched in description\n  - Header validation to distinguish from other CSV formats\n\n- **Recovered Browser History Support**\n  - New `ForensicWebHistoryCarvedParser` — parses recovered/deleted browser entries\n  - Handles carved SQLite database rows with reduced column set\n  - Identifies recovery source (e.g., \"Carved from WAL\", \"Carved from Journal\")\n\n- **Core Library Refactoring**\n  - Extracted all parsers, models, utilities, and interfaces into `ForensicTimeliner.Core` class library\n  - Enables reuse by the web platform without code duplication\n  - All existing parsers (EZ Tools, 
Hayabusa, Chainsaw, Nirsoft, Axiom) moved to Core\n\n### Bug Fixes\n\n- Fixed date filtering display — `RowsFilteredByDate` was incorrectly calculated when no date filtering was applied, showing all rows as \"filtered\"\n- Fixed deduplication counter initialization (`RowCountAfterDedup`)\n\n### Other Changes\n\n- License updated to CC BY-NC 4.0\n- Added `--NoPrompt` flag for scripting and automation pipelines\n\n---\n\n**Table of Contents**\n* [Main Features](#main-features)\n* [Quick Start](#quick-start)\n* [Downloads](#downloads)\n* [Screenshots](#screenshots)\n* [Command Line Arguments](#command-line-arguments)\n* [Timeline Output](#timeline-output-field-structure)\n* [Yaml Config](#yaml-config)\n* [Tool Documentation](#-tool-output-processing-documentation)\n* [Usage Guide](Docs/UsageGuide.md)\n* [Artifact and Output Support Table](#artifact-and-output-support-table)\n* [License](#license)\n\n---\n\n## Main Features\n\n- Combine CSV output from\n  - EZ Tools / Kape\n  - Axiom\n  - Chainsaw\n  - Hayabusa\n  - Nirsoft\n  - forensic-webhistory (cross-platform browser history)\n  - into a unified timeline\n\n- Automatic CSV discovery from triage directories (all configurable) with YAML\n    - The YAML files already use the default output names of each tool\n    - For tools like Hayabusa where you can set the output file name, name the file some variation of Hayabusa.csv and put it in a folder named Hayabusa\n    - Simply provide the base directory where the triage output lives and the tool will attempt to discover the CSV files based on\n    - File Name\n    - Folder Name\n    - File Headers\n    - For Event Logs: Channel\\Provider Filters\n    - For MFT: File Extension and Path Filters\n\n- Timeline enrichment with keyword tagging for use with Timeline Explorer. 
Automatically create a TLE session file based on keyword searching for CSV output.\n\n- RFC-4180-compliant export for compatibility with tools like Timeline Explorer\n\n- Date filtering and deduplication controls\n\n- Interactive Setup and YAML Discovery Preview\n\n---\n\n## Quick Start\n\nTL;DR!\nGet some Kape/EZ forensic output.\n\nDownload the exe and run:\n\n```powershell, cmd\nForensicTimeliner.exe --Interactive\n```\n\n```powershell, cmd\nForensicTimeliner.exe --BaseDir C:\\triage\\hostname --ALL --OutputFile C:\\timeline.csv\n```\n\n```powershell, cmd\n.\\ForensicTimeliner.exe --ProcessEZ --BaseDir \"C:\\Users\\admin0x\\Desktop\\sample_data\\host_t800\" --OutputFile \"C:\\Users\\admin0x\\Desktop\\test\" --ExportFormat csv --EnableTagger\n```\n- Open the TLE session file from your output directory. If you move the file you need to update the session file path.\n\n- Use default naming for your CSV files and make sure they are inside the base directory you set. There is a fallback to auto-discover CSV files based on file headers, or adjust the filename in the YAML settings.\n\n- Use the --EnableTagger flag on the command line to build a Timeline Explorer session file based on keyword tagging. 
Adjust keywords in config\\keywords\\keywords.yaml\n  \n\n---\n## Downloads\n\nLatest Release: [ v2.3](https://github.com/acquiredsecurity/forensic-timeliner/releases/tag/v2.3)\n\nDownload sample data for testing purposes here.\n\n[Sample Data](https://drive.google.com/file/d/1dplyT1Rf1gIYkItAeKlbWKAKgR91uFK-/view?usp=sharing)\n\n\n---\n\n## Screenshots\n\nInteractive Menu\n\n\u003cimg width=\"472\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5548a452-4d07-4325-ac1f-03155a0f5714\" /\u003e\n\nTimeline Explorer Support\n\u003cimg width=\"1434\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5ccc7b6d-9eb4-4a66-9ced-66efb483c06d\" /\u003e\n\n- Auto coloring applied in TLE with latest plugin files\n- Automatically Build a TLE Session File with tagged rows based on keywords\n  - Edit the Keywords config file and add your keywords\n  - Run ForensicTimeliner.exe from the command line using the --EnableTagger flag\n---\n\n\n\n## Command Line Arguments\n\n| Argument                | Type         | Default           | Description                                                                |\n|------------------------|--------------|-------------------|-----------------------------------------------------------------------------|\n| `--BaseDir`            | `string`     | `C:\\triage`       | Root directory to recursively search for supported artifact CSVs            |\n| `--OutputFile`         | `string`     | `\"timeline.csv\"`  | Output file or folder for exported timeline                                 |\n| `--ExportFormat`       | `string`     | `csv`             | Export format: `csv`, `json`, or `jsonl`                                    |\n| `--StartDate`          | `datetime`   | `null`            | Filter: only include rows after this date                                   |\n| `--EndDate`            | `datetime`   | `null`            | Filter: only include rows before this date                                  |\n| 
`--Deduplicate` / `-d` | `bool`       | `false`           | Remove duplicate timeline rows after export                                 |\n| `--EnableTagger`       | `bool`       | `false`           | Enables keyword-based tagging via `config/keywords/keywords.yaml`           |\n| `--IncludeRawData`     | `bool`       | `false`           | Adds a `RawData` column for unmodified source row contents (if available) experimental |\n| `--NoBanner`           | `bool`       | `false`           | Skip printing the banner/logo at start                                      |\n| `--NoPrompt`           | `bool`       | `false`           | Bypass prompts to run with a script or for automation pipeline              |\n| `--Help` / `-h`        | `bool`       | `false`           | Show help and usage information                                             |\n| `--ALL` / `-a`         | `bool`       | `false`           | Process all tools listed below (based on discovery)                         |\n| `--Interactive` / `-i` | `bool`       | `false`           | Launch an interactive CLI to build a custom command                         |\n| `--ProcessEZ`          | `bool`       | `false`           | Enable EZ Tools artifact parsing                                            |\n| `--ProcessAxiom`       | `bool`       | `false`           | Enable Axiom artifact parsing                                               |\n| `--ProcessChainsaw`    | `bool`       | `false`           | Enable Chainsaw artifact parsing                                            |\n| `--ProcessHayabusa`    | `bool`       | `false`           | Enable Hayabusa artifact parsing                                            |\n| `--ProcessNirsoft`     | `bool`       | `false`           | Enable Nirsoft artifact parsing                                             |\n| `--ProcessBrowserHistory` | `bool`    | `false`           | Enable cross-platform browser history parsing (forensic-webhistory)         |\n\n---\n\n## 
Timeline Output Field Structure\n\nTimeline output defaults to RFC-4180-compliant CSV (JSON and JSONL are also available via `--ExportFormat`) and is ready for review in Timeline Explorer, Excel, or other forensic tools.\n\nEach timeline entry includes the following fields:\n```\nDateTime,TimestampInfo,ArtifactName,Tool,Description,DataDetails,DataPath,FileExtension,EventId,User,Computer,FileSize,IPAddress,SourceAddress,DestinationAddress,SHA1,Count,EvidencePath\n```\n\n## YAML Config\n\nTimeline parsers can be customized using per-artifact YAML definitions. These control:\n\n- Artifact discovery (`filename_patterns`, `foldername_patterns`, etc.)\n- Filtering (`event_channel_filters`, `provider_filters`, `paths`, `extensions`)\n- Timestamp mapping (`timestamp_fields`) ** MFT only\n- Optional overrides (`ignore_filters`) ** MFT \u0026 Event Logs\n  - Set `ignore_filters: true` to skip all filters for MFT and Event Logs.\n\n---\n\n## 📚 Tool Output Processing Documentation\n\nDetailed documentation for each supported tool showing how artifacts are parsed and mapped to the unified timeline format:\n\n### Supported Tools\n* **[EZ Tools](Docs/EZTools.md)** - Comprehensive Windows artifact analysis (Activity Timeline, Amcache, AppCompatCache, Event Logs, JumpLists, LNK Files, MFT, Prefetch, Registry, Shellbags, UserAssist, and more)\n* **[Hayabusa](Docs/Hayabusa.md)** - Sigma-based Windows event log analysis and threat hunting\n* **[Chainsaw](Docs/Chainsaw.md)** - MITRE ATT\u0026CK focused event log analysis (Account Tampering, Credential Access, Lateral Movement, Persistence, PowerShell, and more)\n* **[Axiom](Docs/Axiom.md)** - Magnet Forensics comprehensive artifact extraction (Web History, Prefetch, Registry, File System, and more)\n* **[Nirsoft](Docs/Nirsoft.md)** - Cross-browser history analysis and Windows utility artifacts\n* **Browser History (forensic-webhistory)** - Cross-platform browser history extraction with SQLite carving for Chrome, Firefox, Safari, Brave, Edge, Opera, Vivaldi, and 
Arc\n\nEach documentation page includes:\n- **Field Mapping Tables** - How source CSV fields map to the timeline format\n- **Special Behaviors** - Unique processing logic and features\n- **Expected CSV Format** - Required input format and structure\n- **Integration Notes** - Tips for optimal usage and file organization\n\n---\n\n## Event Log Filters\n\nDefine `event_channel_filters` per channel in your YAML configuration as seen below. An empty list (`[]`) includes every event from that channel; otherwise only the listed event IDs are kept.\n\n```\nevent_channel_filters:\n  Application: []\n  Microsoft-Windows-PowerShell/Operational: [4100, 4103, 4104]\n  Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: [72, 98, 104, 131, 140]\n  Microsoft-Windows-TerminalServices-LocalSessionManager/Operational: [21, 22]\n  Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: [261, 1149]\n  Microsoft-Windows-TaskScheduler/Operational: [106, 140, 141, 129, 200, 201]\n  Microsoft-Windows-WinRM/Operational: [169]\n  SentinelOne/Operational: [1, 31, 55, 57, 67, 68, 77, 81, 93, 97, 100, 101, 104, 110]\n  Security: [1102, 4624, 4625, 4648, 4698, 4702, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4756]\n  System: [7045]\n\nprovider_filters:\n    edgeupdate: [0]\n    SentinelHelperService: [0]\n    brave: [0]\n    Edge: [256]\n    SentinelOne: [1, 31, 55, 57, 67, 68, 77, 81]\n```\n\n## MFT Processing and Filtering\n\nMFT parsing includes automatic timestamp normalization and extension/path filtering.\n\nBy default, only Created0x10 timestamps are included to focus on file creation events and limit the overall timeline size.\n\nDefault filters:\n```\nDEFAULT_EXTENSIONS = [\".identifier\", \".exe\", \".ps1\", \".zip\", \".rar\", \".7z\"]\nDEFAULT_PATHS = [\"Users\"]\n```\n\n---\n\n## Artifact and Output Support Table\n\n| Artifact                   | Supported Tool(s)       | Example Filename(s)                                                
|\n|---------------------------|--------------------------|----------------------------------------------------------------------|\n| Amcache                   | EZ Tools, Axiom          | UnAssociatedFileEntries.csv, AssociatedFileEntries.csv, AmCache File Entries.csv                 |\n| AppCompatCache            | EZ Tools, Axiom          | AppCompatCache.csv, Shim Cache.csv                                  |\n| AutoRuns                 | Axiom                    | Autorun Items.csv                                                   |\n| Chrome History            | Axiom                    | Chrome Web History.csv                                              |\n| Deleted Files             | EZ Tools                 | RBCmd_Output.csv                                                    |\n| Edge History              | Axiom                    | Edge Web Visits.csv, Edge Web History.csv                           |\n| Event Logs                | EZ Tools, Axiom          | _EvtxECmd_Output.csv, Windows Event Logs.csv                        |\n| Firefox History           | Axiom                    | Firefox Web Visits.csv                                              |\n| IE History                | Axiom                    | Edge-Internet Explorer 10-11 Main History.csv                       |\n| JumpLists                 | EZ Tools, Axiom          | AutomaticDestinations.csv, Jump Lists.csv                           |\n| LNK Files                 | EZ Tools, Axiom          | _LECmd_Output.csv, LNK Files.csv                                    |\n| MFT                       | EZ Tools, Chainsaw       | _MFTECmd_$MFT_Output.csv, mft.csv                                   |\n| MRU Folder Access         | Axiom                    | MRU Folder Access.csv                                               |\n| MRU Opened/Saved Files    | Axiom                    | MRU Opened-Saved Files.csv                                          |\n| MRU Recent Files \u0026 Folders| Axiom        
            | MRU Recent Files \u0026 Folders.csv                                      |\n| Opera History             | Axiom                    | Opera Web Visits.csv                                                |\n| Persistence               | Chainsaw                 | persistence.csv                                                     |\n| Prefetch                  | EZ Tools, Axiom          | _PECmd_Output.csv, Prefetch Files - Windows 8-10-11.csv             |\n| PowerShell Execution      | Chainsaw                 | powershell.csv, powershell_script.csv                               |\n| RDP Events                | Chainsaw                 | rdp_events.csv                                                      |\n| Recycle Bin               | Axiom                    | Recycle Bin.csv                                                     |\n| Registry                  | EZ Tools                 | _RECmd_Batch_Kroll_Batch_Output.csv                                 |\n| Service Installation      | Chainsaw                 | service_installation.csv                                            |\n| Service Tampering         | Chainsaw                 | service_tampering.csv                                               |\n| Shellbags                 | EZ Tools, Axiom          | _UsrClass.csv, Shellbags.csv                                        |\n| Sigma Rule Matches        | Chainsaw                 | sigma.csv                                                           |\n| UserAssist                | EZ Tools, Axiom          | UserAssist.csv                                                      |\n| TypedUrls                 | EZ Tools                 | *__TypedURLS__NTUSER.CSV                                            |\n| Threat Events (Chainsaw)  | Chainsaw                 | account_tampering.csv, defense_evasion.csv, credential_access.csv   |\n| Web Browsing History      | Nirsoft, Axiom, forensic-webhistory | WebResults.csv, Chrome/Firefox/Edge History.csv, 
forensic_webhistory*.csv |\n| Carved Browser History    | forensic-webhistory      | forensic_webhistory_carved*.csv                                     |\n| VPN / RAS Logs            | Chainsaw                 | microsoft_rasvpn_events.csv, microsoft_rds_events.csv               |\n| Login Attacks             | Chainsaw                 | login_attacks.csv                                                   |\n| Log Tampering             | Chainsaw                 | log_tampering.csv                                                   |\n| Antivirus Detections      | Chainsaw                 | antivirus.csv                                                       |\n| Applocker Events          | Chainsaw                 | applocker.csv                                                       |\n| Indicator Removal         | Chainsaw                 | indicator_removal.csv                                               |\n| Lateral Movement          | Chainsaw                 | lateral_movement.csv                                                |\n\n\n\n---\n\n## License\n\nCreative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)\n\n---\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facquiredsecurity%2Fforensic-timeliner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Facquiredsecurity%2Fforensic-timeliner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facquiredsecurity%2Fforensic-timeliner/lists"}
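Added example, not code from the forensic-timeliner project or its README above: a small Python re-implementation of the `event_channel_filters` / `ignore_filters` semantics described in the README's Event Log Filters and YAML Config sections, combined with a `--StartDate` / `--EndDate` style window, run over constructed EvtxECmd-style rows. The column names (`TimeCreated`, `EventId`, `Channel`, `Provider`, `Computer`) and the seven-digit fractional-second timestamp format are assumptions about EvtxECmd output, the sample rows are constructed rather than real evidence, and `provider_filters` is left out because the page does not state how its values are interpreted.

```python
import csv
import io
from datetime import datetime

# Mirrors part of the event_channel_filters YAML fragment in the README:
# a channel mapped to [] keeps every event ID from that channel, any other
# list keeps only the listed IDs, and unlisted channels are dropped.
EVENT_CHANNEL_FILTERS = {
    "Application": [],
    "Microsoft-Windows-PowerShell/Operational": [4100, 4103, 4104],
    "Security": [1102, 4624, 4625, 4648, 4698, 4702, 4720, 4722],
    "System": [7045],
}

# Constructed rows in the shape of EvtxECmd output (assumed column names; not real evidence).
SAMPLE_CSV = """TimeCreated,EventId,Channel,Provider,Computer
2025-03-20 03:47:53.0000000,4624,Security,Microsoft-Windows-Security-Auditing,HOST-T800
2025-03-20 03:48:01.0000000,4688,Security,Microsoft-Windows-Security-Auditing,HOST-T800
2025-03-20 03:48:05.0000000,4104,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,HOST-T800
2025-03-20 03:49:00.0000000,7045,System,Service Control Manager,HOST-T800
2025-03-20 03:49:10.0000000,1000,Application,Application Error,HOST-T800
2025-03-20 03:50:00.0000000,4624,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,HOST-T800
"""


def parse_evtx_time(value: str) -> datetime:
    """Parse an EvtxECmd-style timestamp (assumed format).

    .NET tools emit seven fractional-second digits; strptime's %f accepts at
    most six, so the seventh digit is truncated rather than letting the run fail.
    """
    head, _, frac = value.strip().partition(".")
    return datetime.strptime(f"{head}.{(frac + '000000')[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def keep_row(row, channel_filters, ignore_filters=False, start=None, end=None):
    """Apply the date window first, then the per-channel event ID filter."""
    ts = parse_evtx_time(row["TimeCreated"])
    if start is not None and ts < start:
        return False
    if end is not None and ts > end:
        return False
    if ignore_filters:            # ignore_filters: true bypasses channel/ID filtering
        return True
    channel = row["Channel"]
    if channel not in channel_filters:
        return False              # channels absent from the config are dropped
    wanted = channel_filters[channel]
    if not wanted:                # [] keeps the whole channel
        return True
    try:
        return int(row["EventId"]) in wanted
    except ValueError:            # malformed EventId: drop the row rather than crash
        return False


def filter_rows(csv_text, channel_filters, ignore_filters=False, start=None, end=None):
    """Return the rows of an EvtxECmd-style CSV that survive the filters."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r for r in reader if keep_row(r, channel_filters, ignore_filters, start, end)]


def summarize(rows):
    """Compact (Channel, EventId) view of the surviving rows for inspection."""
    return [(r["Channel"], int(r["EventId"])) for r in rows]


if __name__ == "__main__":
    for channel, event_id in summarize(filter_rows(SAMPLE_CSV, EVENT_CHANNEL_FILTERS)):
        print(f"{channel}: {event_id}")
```

With the filters above, the Security 4688 row and the Sysmon row are dropped (the first because 4688 is not listed for Security, the second because the channel is not in the config), while every Application event survives because of the empty list. Passing `ignore_filters=True` returns all six rows, which is the behaviour to expect after setting `ignore_filters: true` in the YAML and is a quick way to check whether a missing event is a filter problem or a parsing problem.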