Forensic-Timeliner is a fast, open-source command-line tool designed to help digital forensics and incident response (DFIR) teams quickly build a unified timeline of Windows artifacts.
By automatically collecting, filtering, and merging the CSV output of popular triage tools, it produces a mini timeline that is ready for analysis in Timeline Explorer or Excel.
Key Features
Unified Timeline Creation – Forensic-Timeliner scans a base directory for CSV files produced by tools such as EZ Tools, KAPE, Axiom, Chainsaw, Hayabusa, and NirSoft. It merges data from Amcache, event logs, the MFT, Prefetch, JumpLists, ShellBags, browser histories, and more into a single timeline.
Automatic CSV Discovery – The tool discovers CSV files based on folder names, file names, or column headers. Default YAML settings handle most common tool outputs, so minimal configuration is needed.
Date Filtering and Deduplication – Investigators can specify start and end dates to include only relevant events. Duplicate rows are automatically removed if desired, keeping the timeline concise.
Keyword Tagging and TLE Session Support – Built-in support for keyword tagging lets users define keywords in a YAML file. When enabled, the tool generates a Timeline Explorer (.tle_sess) session with tagged events, highlighting items of interest.
Interactive CLI and Preview – An interactive mode guides users through filter and tagger settings. Spectre.Console rendering shows rich previews of MFT filters, event log filters, and keyword groups before processing.
Flexible Output Formats – Export the timeline as CSV, JSON, or JSONL. The CSV output is RFC-4180 compliant for compatibility with other tools.
Extensive Artifact Support – Detailed YAML configurations allow custom filters for file extensions, paths, event channels, and providers. The default settings focus on high-value timestamps and extensions to streamline review.
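To make the feature list above concrete, the following is an added example, not Forensic-Timeliner's own code, that re-implements the core pipeline the tool automates: identify each CSV by its header signature rather than by file name, normalise the differing timestamp styles to aware UTC datetimes, apply a start/end window, drop exact duplicates, tag rows from keyword groups, and emit RFC-4180 CSV (CRLF line endings, double-quote escaping). The file names, column layouts, artifact signatures, keyword group names and sample rows are all constructed for this illustration and are assumptions, not the tool's real defaults or YAML schema.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample CSVs standing in for triage-tool output. File names and
# column layouts are assumptions for this example, not verbatim tool output.
SAMPLE_CSVS = {
    "Hayabusa.csv": (
        "Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details\r\n"
        "2024-03-02 10:15:30.000 +00:00,HOST01,Sec,4624,info,Logon (Network),TgtUser: svc-backup\r\n"
        "2024-03-02 10:16:02.000 +00:00,HOST01,Sec,4688,high,Proc Exec,Cmdline: powershell -enc SQBFAFgA\r\n"
        "2024-03-02 10:16:02.000 +00:00,HOST01,Sec,4688,high,Proc Exec,Cmdline: powershell -enc SQBFAFgA\r\n"
        "2023-12-25 08:00:00.000 +00:00,HOST01,Sec,4624,info,Logon (Network),TgtUser: admin\r\n"
    ),
    "host01_PECmd_Output.csv": (
        "Note,SourceFilename,SourceCreated,LastRun,ExecutableName\r\n"
        ",C:\\Windows\\Prefetch\\MIMIKATZ.EXE-1A2B3C4D.pf,2024-03-02 10:17:00.0000000,"
        "2024-03-02 10:17:05.1234567,MIMIKATZ.EXE\r\n"
    ),
}

# Keyword groups in the spirit of the tool's YAML tagger; names are made up here.
KEYWORD_GROUPS = {
    "credential-theft": ["mimikatz", "lsass", "sekurlsa"],
    "encoded-powershell": ["-enc", "-encodedcommand"],
}

# (artifact label, headers that must be present, timestamp column, columns folded into the description)
ARTIFACT_SIGNATURES = (
    ("EventLog", {"Timestamp", "Channel", "EventID", "RuleTitle"}, "Timestamp",
     ("Channel", "EventID", "RuleTitle", "Details")),
    ("Prefetch", {"SourceFilename", "LastRun", "ExecutableName"}, "LastRun",
     ("ExecutableName", "SourceFilename")),
)

_TS_FORMATS = ("%Y-%m-%d %H:%M:%S.%f %z", "%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")


def parse_timestamp(raw):
    """Normalise the timestamp styles seen in triage output to an aware UTC datetime.
    .NET-style 7-digit fractions are truncated to the 6 digits strptime accepts;
    a timestamp with no zone is assumed to already be UTC (an assumption of this example)."""
    raw = re.sub(r"(\.\d{6})\d+", r"\1", raw.strip())
    for fmt in _TS_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def identify_artifact(headers):
    """Pick the artifact definition whose required headers all appear in the CSV header row."""
    present = set(headers)
    for sig in ARTIFACT_SIGNATURES:
        if sig[1] <= present:
            return sig
    return None  # unknown layout: skipped rather than guessed at


def build_timeline(csv_files, start, end, keyword_groups, dedupe=True):
    """Merge CSV texts into one time-sorted list of row dicts: date-filtered, deduplicated, keyword-tagged."""
    collected, seen = [], set()
    for name, text in csv_files.items():
        reader = csv.DictReader(io.StringIO(text))
        sig = identify_artifact(reader.fieldnames or [])
        if sig is None:
            continue
        label, _, ts_col, desc_cols = sig
        for rec in reader:
            when = parse_timestamp(rec[ts_col])
            if not (start <= when <= end):
                continue
            desc = " | ".join(f"{c}={rec[c]}" for c in desc_cols if rec.get(c))
            key = (when, label, desc)
            if dedupe and key in seen:
                continue
            seen.add(key)
            tags = sorted(g for g, words in keyword_groups.items()
                          if any(w.lower() in desc.lower() for w in words))
            collected.append((when, {"DateTime": when.isoformat(), "Artifact": label,
                                     "SourceFile": name, "Description": desc, "Tags": ";".join(tags)}))
    collected.sort(key=lambda t: t[0])
    return [row for _, row in collected]


def to_rfc4180_csv(rows):
    """Serialise with CRLF line endings and doubled-quote escaping, as RFC 4180 specifies."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["DateTime", "Artifact", "SourceFile", "Description", "Tags"],
                            lineterminator="\r\n", quoting=csv.QUOTE_MINIMAL)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


DEMO_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
DEMO_END = datetime(2024, 3, 3, tzinfo=timezone.utc)


def demo_timeline():
    """Run the pipeline over the constructed sample data with the demo date window."""
    return build_timeline(SAMPLE_CSVS, DEMO_START, DEMO_END, KEYWORD_GROUPS)


if __name__ == "__main__":
    print(to_rfc4180_csv(demo_timeline()))
```

Of the five sample rows, one falls outside the date window and one is an exact duplicate, so three rows survive; the encoded PowerShell row and the Mimikatz Prefetch row each pick up a tag. Matching on header signatures instead of file names is what lets renamed or custom-named CSVs still be discovered, which is the same reason the tool's discovery looks at column headers as well as folder and file names.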
Installation and Quick Start
- Download the Latest Release
Visit the Forensic-Timeliner GitHub releases page and download the latest ForensicTimeliner.exe (v2.2 or newer).
- Prepare Triage Data
Ensure your triage output directories contain CSV files with default or custom names (e.g., Hayabusa.csv, JumpLists.csv, AmCache File Entries.csv).
- Run Forensic-Timeliner
Open a command prompt and execute:
ForensicTimeliner.exe --Interactive
This launches an interactive setup to select filters and enable the keyword tagger.
- Generate a Timeline
For automatic processing without prompts, use:
ForensicTimeliner.exe --BaseDir "C:\triage\host01" --ALL --OutputFile "C:\timelines\host01.csv"
- Enable Keyword Tagging (Optional)
Define keyword groups in config/keywords/keywords.yaml. Then run:
ForensicTimeliner.exe --BaseDir "C:\triage\host01" --EnableTagger --OutputFile "C:\timelines\host01"
A .tle_sess file is created for Timeline Explorer.
Forensic-Timeliner streamlines the process of building forensic timelines by automating CSV discovery, filtering, deduplication, and keyword tagging.
Its interactive CLI and flexible output options make it an essential tool for DFIR investigators seeking to save time and maintain accuracy during incident response.