{"id":28479198,"url":"https://github.com/acquiredsecurity/shotliner","last_synced_at":"2025-08-25T06:06:47.595Z","repository":{"id":291320683,"uuid":"976951649","full_name":"acquiredsecurity/shotliner","owner":"acquiredsecurity","description":"??????","archived":false,"fork":false,"pushed_at":"2025-05-04T02:57:27.000Z","size":249,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-16T22:47:18.582Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/acquiredsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-03T04:47:04.000Z","updated_at":"2025-05-22T17:42:36.000Z","dependencies_parsed_at":"2025-05-03T21:35:10.428Z","dependency_job_id":null,"html_url":"https://github.com/acquiredsecurity/shotliner","commit_stats":null,"previous_names":["acquiredsecurity/shotliner"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/acquiredsecurity/shotliner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fshotliner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fshotliner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fshotliner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fshotliner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/owners/acquiredsecurity","download_url":"https://codeload.github.com/acquiredsecurity/shotliner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acquiredsecurity%2Fshotliner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272013537,"owners_count":24858474,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-25T02:00:12.092Z","response_time":1107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-07T18:08:31.741Z","updated_at":"2025-08-25T06:06:47.587Z","avatar_url":"https://github.com/acquiredsecurity.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# shotliner\n\n\u003cimg width=\"475\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a79e95e8-a996-47f5-a6a0-30ad36a19840\" /\u003e\n\n# Shotliner\n\n**Shotliner** is a malware forensic timeline diffing tool. Inspired by [Regshot](https://github.com/Seabreg/Regshot), it compares a clean baseline forensic timeline against a post-infection timeline to identify newly introduced artifact activity. Ideal for malware triage, reverse engineering, and forensic investigations. Always take a snapshot of your clean VM! Take a baseline collection and process your raw forensic artifacts with the tools below. 
Once you have a baseline you shouldn't have to take one again if you always revert to a clean snapshot on your analysis VM.\n\nTools you should use for triage collection and data processing, all supported by ForensicTimeliner:\n- KAPE/EZ Tools\n- Axiom\n- Chainsaw\n- Hayabusa\n\n- Run [ForensicTimeliner](https://github.com/acquiredsecurity/forensic-timeliner) on the output from your processing tools and create a forensic timeline. Now you have a baseline of your VM for comparison to your output post malware execution!\n\nExecute your malware sample and let it run for the duration of your intended analysis, then take a second forensic artifact collection of the VM/Host.\nRerun your variation of EZ Tools, Axiom, Chainsaw, Hayabusa and then run ForensicTimeliner again.\n\nNow you have TWO timelines: one pre-execution and one post-execution.\nUse shotliner to run a diff between the two ForensicTimeliner outputs to more easily find malware-based activities and eliminate all the known behaviors from your timeline to quickly get to the bad!\n\n```powershell\n.\\shotliner.exe --Base C:\\Users\\admin0x\\Desktop\\shotliner\\test\\base\\20250502_235216_ForensicTimeliner.csv --New C:\\Users\\admin0x\\Desktop\\shotliner\\test\\infected\\20250502_235455_ForensicTimeliner.csv --Output diff.csv\n```\n\n| Argument   | Description                                  |\n| ---------- | -------------------------------------------- |\n| `--Base`   | Path to the clean baseline timeline CSV      |\n| `--New`    | Path to the infected/post-event timeline CSV |\n| `--Output` | (Optional) Custom output path for diff CSV   |\n| `--Help`   | Displays this help menu                      |\n\n---\n\n## Features\n\n- **Artifact Diffing**: Compares two CSV timeline exports from ForensicTimeliner and highlights only newly introduced rows.\n- **No Date-Based Filtering**: Diffing is performed on key behavioral fields, not timestamps.\n- **Modular Fields**: Supports standard ForensicTimeliner output 
headers.\n- **Portable \u0026 Lightweight**: Single EXE, no dependencies.\n- **CSV Output**: Generates a timestamped diff CSV in standard timeline format.\n\n---\n\n## Timeline Format\n\nShotliner expects timeline input files in the [ForensicTimeliner](https://github.com/acquiredsecurity/forensic-timeliner) format, which aggregates artifact data collected from:\n\n- [Eric Zimmerman's KAPE and EZ Tools](https://ericzimmerman.github.io/)\n- [Magnet Axiom](https://www.magnetforensics.com/)\n- [Chainsaw](https://github.com/WithSecureLabs/chainsaw)\n- [Hayabusa](https://github.com/Yamato-Security/hayabusa)\n\n```csv\nDateTime,TimestampInfo,ArtifactName,Tool,Description,DataDetails,DataPath,FileExtension,EventId,User,Computer,FileSize,IPAddress,SourceAddress,DestinationAddress,SHA1,Count,EvidencePath\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facquiredsecurity%2Fshotliner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Facquiredsecurity%2Fshotliner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facquiredsecurity%2Fshotliner/lists"}