https://github.com/andreafortuna/autotimeliner

Automagically extract forensic timeline from volatile memory dump
https://github.com/andreafortuna/autotimeliner

dfir forensics python volatility

Last synced: 2 months ago
JSON representation

Automagically extract forensic timeline from volatile memory dump

• Host: GitHub
• URL: https://github.com/andreafortuna/autotimeliner
• Owner: andreafortuna
• License: mit
• Created: 2018-11-12T16:13:32.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2024-05-07T14:20:13.000Z (9 months ago)
• Last Synced: 2024-08-02T20:44:11.892Z (6 months ago)
• Topics: dfir, forensics, python, volatility
• Language: Python
• Size: 15.6 KB
• Stars: 123
• Watchers: 17
• Forks: 24
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-memory-forensics - AutoTimeliner
• awesome-hacking-lists - andreafortuna/autotimeliner - Automagically extract forensic timeline from volatile memory dump (Python)

README

        
# AutoTimeliner

![Autotimeliner](https://i2.wp.com/www.andreafortuna.org/wp-content/uploads/2018/11/autotimeliner.gif)

Automagically extract forensic timeline from volatile memory dumps.

## Requirements

- Python 3

- Volatility

- mactime (from SleuthKit)

(Developed and tested on Debian 9.6 with **Volatility 2.6-1** and **sleuthkit 4.4.0-5**)

## How it works

AutoTimeline automates this [workflow](https://andreafortuna.org/2018/02/16/forensic-timeline-creation-my-own-workflow/):

- Identify correct volatility profile for the memory image.

- Runs the **timeliner** plugin against volatile memory dump using volatility. 

- Runs the **mftparser** volatility plugin, in order to extract $MFT from memory and generate a bodyfile. 

- Runs the **shellbags** volatility plugin in order to generate a bodyfile of the user activity. (suggested by [Matteo Cantoni](https://github.com/mcantoni)). 

- Merges the **timeliner**, **mftparser** and **shellbags** output files into a single bodyfile. 

- Sorts and filters the bodyfile using **mactime** and exports data as CSV.

## Installation

Simply clone the GitHub repository:

`git clone https://github.com/andreafortuna/autotimeliner.git`

## Usage

```

autotimeline.py [-h] -f IMAGEFILE [-t TIMEFRAME] [-p CUSTOMPROFILE]

optional arguments:

  -h, --help            show this help message and exit

  -f IMAGEFILE, --imagefile IMAGEFILE

                        Memory dump file

  -t TIMEFRAME, --timeframe TIMEFRAME

                        Timeframe used to filter the timeline (YYYY-MM-DD

                        ..YYYY-MM-DD)

  -p CUSTOMPROFILE, --customprofile CUSTOMPROFILE

                        Jump image identification and use a custom memory

                        profile

```

### Examples

Extract timeline from *TargetServerMemory.raw*, limited to a timeframe from **2018-10-17** to **2018-10-21**:

`./autotimeline.py -f TargetServerMemory.raw -t 2018-10-17..2018-10-21`

Extract timeline from all images in current directory, limited to a timeframe from 2018-10-17 to 2018-10-21:

`./autotimeline.py -f ./*.raw -t 2018-10-17..2018-10-21`

Extract timeline from *TargetServerMemory.raw*, using a custom memory profile:

`./autotimeline.py -f TargetServerMemory.raw -p Win2008R2SP1x64`

All timelines will be saved as **$ORIGINALFILENAME-timeline.csv**.

## TODO

- Better image identification

- Better error trapping