{"id":13597689,"url":"https://github.com/evild3ad/Get-MiniTimeline","last_synced_at":"2025-04-10T05:33:14.398Z","repository":{"id":202734847,"uuid":"223596794","full_name":"evild3ad/Get-MiniTimeline","owner":"evild3ad","description":"Get-MiniTimeline - Triage Collection and Timeline Generation w/ KAPE","archived":false,"fork":false,"pushed_at":"2024-05-25T07:18:54.000Z","size":34101,"stargazers_count":30,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-01T15:25:32.090Z","etag":null,"topics":["dfir","digital-forensics","incident-response","kape","powershell","timeline"],"latest_commit_sha":null,"homepage":"https://lethal-forensics.com","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/evild3ad.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-23T13:54:36.000Z","updated_at":"2025-03-27T15:55:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"55089069-1dd6-4ada-80ab-52350bb62390","html_url":"https://github.com/evild3ad/Get-MiniTimeline","commit_stats":null,"previous_names":["evild3ad/get-minitimeline"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evild3ad%2FGet-MiniTimeline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evild3ad%2FGet-MiniTimeline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evild3ad%2FGet-MiniTimeline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/evild3ad%2FGet-MiniTimeline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/evild3ad","download_url":"https://codeload.github.com/evild3ad/Get-MiniTimeline/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248163348,"owners_count":21057914,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","digital-forensics","incident-response","kape","powershell","timeline"],"created_at":"2024-08-01T17:00:39.194Z","updated_at":"2025-04-10T05:33:09.378Z","avatar_url":"https://github.com/evild3ad.png","language":"PowerShell","funding_links":[],"categories":["Tool-Related GitHub Repos"],"sub_categories":["KAPE"],"readme":"\u003cimg src=\"https://img.shields.io/badge/Language-Powershell-blue\"\u003e \u003cimg src=\"https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen\"\u003e ![GitHub Release](https://img.shields.io/github/v/release/evild3ad/Get-MiniTimeline?label=Release) [![GitHub](https://img.shields.io/github/license/evild3ad/Get-MiniTimeline?style=flat\u0026label=License)](LICENSE) \u003ca href=\"https://www.linkedin.com/in/martin-willing-86343565/\"\u003e\u003cimg src=\"https://img.shields.io/badge/LinkedIn-evild3ad-0077B5.svg?logo=LinkedIn\"\u003e\u003c/a\u003e \u003ca href=\"https://twitter.com/Evild3ad79\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/Evild3ad79?style=social\"\u003e\u003c/a\u003e\n\n# Get-MiniTimeline\nGet-MiniTimeline.ps1 is a PowerShell script utilized to collect several forensic artifacts from a mounted forensic 
disk image and auto-generate a beautified MiniTimeline from the data collected.\n\nForensic Artifacts:  \n* Master File Table ($MFT)  \n* Windows Event Logs  \n* Windows Registry  \n\n## Download\nDownload the latest version of **Get-MiniTimeline** from the [Releases](https://github.com/evild3ad/Get-MiniTimeline/releases) section.\n\n## Usage\n1. Mount your forensic disk image with e.g. drive letter `G:`  \nNote: When your forensic disk image has multiple partitions you may have to change the path to the Windows partition.   \n\n![Arsenal Image Mounter](https://github.com/evild3ad/Get-MiniTimeline/blob/9ea8d83e20d685dd14ebe3b6f646f0980579c223/Screenshots/01.png)\n**Fig 1:** Arsenal Image Mounter (AIM) \n\n2. Enter your drive letter in `Get-MiniTimeline.ps1`  \n`Input (Source)`  \n`$ROOT = \"G:\"`   \n\nOptional: You can also change the output path.  \n`$OUTPUT_FOLDER = \"$env:USERPROFILE\\Desktop\\MiniTimeline\\$ComputerName\"`\n\n3. Run Windows PowerShell console as Administrator.  \n\n```\nPS \u003e .\\Get-MiniTimeline.ps1 dateRange:MM/DD/YYYY-MM/DD/YYYY  \n```\n\n![PowerShell](https://github.com/evild3ad/Get-MiniTimeline/blob/9ea8d83e20d685dd14ebe3b6f646f0980579c223/Screenshots/02.png)  \n**Fig 2:** Running Get-MiniTimeline.ps1 (Example)  \n\n![MessageBox](https://github.com/evild3ad/Get-MiniTimeline/blob/9ea8d83e20d685dd14ebe3b6f646f0980579c223/Screenshots/03.png)  \n**Fig 3:** Message Box  \n\n![Colorized Excel](https://github.com/evild3ad/Get-MiniTimeline/blob/9ea8d83e20d685dd14ebe3b6f646f0980579c223/Screenshots/04.png)  \n**Fig 4:** Timeline_Slice.xlsx - The dateRange will be auto-beautified as a colorized Excel sheet  \n\n![Timeline Explorer](https://github.com/evild3ad/Get-MiniTimeline/blob/9ea8d83e20d685dd14ebe3b6f646f0980579c223/Screenshots/05.png)  \n**Fig 5:** Timeline.csv - Full Timeline Analysis w/ Timeline Explorer (TLE)  \n\n## Dependencies\nKAPE v1.3.0.2 (2023-01-03)  \nhttps://ericzimmerman.github.io/  
\nhttps://binaryforay.blogspot.com/search?q=KAPE  \nhttps://ericzimmerman.github.io/KapeDocs/  \nhttps://www.kroll.com/kape  \n\nEvtxECmd v1.5.0.0 (.NET 6)  \nhttps://ericzimmerman.github.io/  \n\nMFTECmd v1.2.2.0 (.NET 6)  \nhttps://ericzimmerman.github.io/    \n\nRegRipper v3.0 (2020-05-28)     \nhttps://github.com/keydet89/RegRipper3.0  \n\nTLN Tools   \nhttps://github.com/mdegrazia/KAPE_Tools   \nhttps://github.com/keydet89/Tools/tree/master/exe   \n\nImportExcel v7.8.9 (2024-05-18)     \nhttps://github.com/dfinke/ImportExcel  \n  \n\n## Links\n[SANS Webcast: Triage Collection and Timeline Generation with KAPE](https://www.youtube.com/watch?v=iYyWZSNBNcw)  \n[SANS DFIR Blog: Triage Collection and Timeline Generation with KAPE](https://digital-forensics.sans.org/blog/2019/08/22/triage-collection-and-timeline-generation-with-kape)  \n[Kroll - Express Artifact Analysis and Timeline Development with KAPE (YouTube)](https://www.youtube.com/watch?v=O5VW0Yr7guQ)  \n[Kroll - Express Artifact Analysis and Timeline Development with KAPE (Slides)](https://www.kroll.com/-/media/kroll/pdfs/webinars/artifact-analysis-timelining-with-kape.pdf)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevild3ad%2FGet-MiniTimeline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevild3ad%2FGet-MiniTimeline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevild3ad%2FGet-MiniTimeline/lists"}