Autotimeliner – Extract Forensic Timeline from Memory Dump

Autotimeliner extracts a forensic timeline from a volatile memory dump. The tool was added to CAINE 11, and you can also install it separately together with its dependencies: Python 3, Volatility and mactime (from SleuthKit).


The tool was developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5.

Autotimeliner automates this workflow:

  • Identifies the correct Volatility profile for the memory image.
  • Runs the Volatility timeliner plugin against the volatile memory dump.
  • Runs the Volatility mftparser plugin to extract the $MFT from memory and generate a bodyfile.
  • Runs the Volatility shellbags plugin to generate a bodyfile of the user activity.
  • Merges the timeliner, mftparser and shellbags output files into a single bodyfile.
  • Sorts and filters the bodyfile using mactime and exports the data as CSV.
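
The same steps run by hand, as an added shell example (not Autotimeliner's own code). It assumes Volatility 2 is installed as `volatility` (override with `VOL`) and that mactime from SleuthKit is on the PATH; `first_profile`, `run_to`, `build_timeline`, `DRY_RUN`, `PROFILE` and the script name `timeline.sh` are names chosen for this example.

```shell
#!/bin/sh
# Added example: the steps Autotimeliner automates, run by hand.
VOL="${VOL:-volatility}"   # Volatility 2 launcher name (assumption; differs per install)

# Print the first entry of the "Suggested Profile(s)" line of imageinfo output (stdin).
first_profile() {
    p=$(sed -n 's/.*Suggested Profile(s) : \([^, ]*\).*/\1/p' | head -n 1)
    case "$p" in ''|No) return 1 ;; esac   # nothing usable was suggested
    printf '%s\n' "$p"
}

# run_to OUTFILE CMD...: run CMD with stdout redirected to OUTFILE,
# or only print the command line when DRY_RUN is set.
run_to() {
    out=$1; shift
    if [ -n "${DRY_RUN:-}" ]; then printf '%s > %s\n' "$*" "$out"
    else "$@" > "$out"; fi
}

# build_timeline IMAGE PROFILE [FROM..TO]
build_timeline() {
    img=$1; profile=$2; range=${3:-}
    for plugin in timeliner mftparser shellbags; do
        # Each plugin writes its events in bodyfile format to its own file.
        run_to /dev/null "$VOL" -f "$img" --profile="$profile" "$plugin" \
            --output=body --output-file="$img-$plugin.body" || return 1
    done
    # Merge the three bodyfiles into one.
    run_to "$img-timeline.body" cat "$img-timeliner.body" \
        "$img-mftparser.body" "$img-shellbags.body" || return 1
    # mactime sorts the entries; -d gives comma-delimited output and an
    # optional trailing FROM..TO argument limits the timeframe.
    set -- mactime -d -b "$img-timeline.body"
    if [ -n "$range" ]; then set -- "$@" "$range"; fi
    run_to "$img-timeline.csv" "$@"
}

# Usage: sh timeline.sh IMAGE [FROM..TO]   (PROFILE=... skips detection)
if [ $# -gt 0 ]; then
    profile=${PROFILE:-$("$VOL" -f "$1" imageinfo | first_profile)} || exit 1
    build_timeline "$1" "$profile" "${2:-}"
fi
```

Setting `DRY_RUN=1` prints the five command lines without touching the image, which is a quick way to check the profile and timeframe before a long run.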

Some usage examples for this tool:

  • Extract timeline from TargetServerMemory.raw, limited to a timeframe from 2018-10-17 to 2018-10-21: ./ -f TargetServerMemory.raw -t 2018-10-17..2018-10-21
  • Extract timeline from all images in current directory, limited to a timeframe from 2018-10-17 to 2018-10-21: ./ -f ./*.raw -t 2018-10-17..2018-10-21
  • Extract timeline from TargetServerMemory.raw, using a custom memory profile: ./ -f TargetServerMemory.raw -p Win2008R2SP1x64

All timelines will be saved as $ORIGINALFILENAME-timeline.csv.

The CSV format lets an incident handler quickly browse the data and filter the timeline down to the period of the attack. From the extracted information, the handler can reconstruct the attack scenario and write the forensic report.

You can read more and download the tool over here:
