https://github.com/acquiredsecurity/shotliner
??????
https://github.com/acquiredsecurity/shotliner
Last synced: 10 months ago
JSON representation
??????
- Host: GitHub
- URL: https://github.com/acquiredsecurity/shotliner
- Owner: acquiredsecurity
- License: mit
- Created: 2025-05-03T04:47:04.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-05-04T02:57:27.000Z (about 1 year ago)
- Last Synced: 2025-08-16T22:47:18.582Z (11 months ago)
- Language: C#
- Size: 243 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# shotliner

# Shotliner
**Shotliner** is a malware forensic timeline diffing tool. Inspired by [Regshot](https://github.com/Seabreg/Regshot), it compares a clean baseline forensic timeline against a post-infection timeline to identify newly introduced artifact activity. Ideal for malware triage, reverse engineering, and forensic investigations. Always take a snapshot of your clean VM! Take a baseline collection and process your raw forensic artifacts with the tools below. Once you have a baseline you shouldn;t have take one again if you always revert to a clean snapshot on your analysis VM.
Tools you should use for triage collection and data processing supported by ForensicTimeliner
- Kape/EZ tools
- Axiom
- Chainsaw
- Hayabusa
- Run [ForensicTimeliner](https://github.com/acquiredsecurity/forensic-timeliner) on the output from your processing tools and create a forensic timeline. Now you have a baseline of your VM for comparison to your output post Malware Execution!
Execute your malware sample and let it run for the duration of your intended analysis and then take a second forensic artifact collection of the VM/Host.
Rerun your variaition of EZ Tools, Axiom, Chainsaw, Hayabusa and then again run ForensicTimeliner.
Now you have TWO timelines one pre execution and one post execution.
Use shotliner to run a dif between the two forensictimeliner outputs to more easily find malware based activities and elminate all the known behaviors from your timeline to quickly get to the bad!
```sample commandline
.\shotliner.exe --Base C:\Users\admin0x\Desktop\shotliner\test\base\20250502_235216_ForensicTimeliner.csv --New C:\Users\admin0x\Desktop\shotliner\test\infected\20250502_235455_ForensicTimeliner.csv --Output diff.csv
```
| Argument | Description |
| ---------- | -------------------------------------------- |
| `--Base` | Path to the clean baseline timeline CSV |
| `--New` | Path to the infected/post-event timeline CSV |
| `--Output` | (Optional) Custom output path for diff CSV |
| `--Help` | Displays this help menu |
---
## Features
- **Artifact Diffing**: Compares two CSV timeline exports from ForensicTimeliner and highlights only newly introduced rows.
- **No Date-Based Filtering**: Diffing is performed on key behavioral fields, not timestamps.
- **Modular Fields**: Supports standard ForensicTimeliner output headers.
- **Portable & Lightweight**: Single EXE, no dependencies.
- **CSV Output**: Generates a timestamped diff CSV in standard timeline format.
---
## Timeline Format
Shotliner expects timeline input files in the [ForensicTimeliner](https://github.com/acquiredsecurity/forensic-timeliner) format, which aggregates artifact data collected from:
- [Eric Zimmerman's KAPE and EZ Tools](https://ericzimmerman.github.io/)
- [Magnet Axiom](https://www.magnetforensics.com/)
- [Chainsaw](https://github.com/WithSecureLabs/chainsaw)
- [Hayabusa](https://github.com/Yamato-Security/hayabusa)
```csv
DateTime,TimestampInfo,ArtifactName,Tool,Description,DataDetails,DataPath,FileExtension,EventId,User,Computer,FileSize,IPAddress,SourceAddress,DestinationAddress,SHA1,Count,EvidencePath
```