Home

Awesome

<img src="https://img.shields.io/badge/Language-Powershell-blue"> <img src="https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen"> GitHub Release GitHub <a href="https://www.linkedin.com/in/martin-willing-86343565/"><img src="https://img.shields.io/badge/LinkedIn-evild3ad-0077B5.svg?logo=LinkedIn"></a> <a href="https://twitter.com/Evild3ad79"><img src="https://img.shields.io/twitter/follow/Evild3ad79?style=social"></a>

Get-MiniTimeline

Get-MiniTimeline.ps1 is a PowerShell script utilized to collect several forensic artifacts from a mounted forensic disk image and auto-generate a beautified MiniTimeline from the data collected.

Forensic Artifacts:

Download

Download the latest version of Get-MiniTimeline from the Releases section.

Usage

  1. Mount your forensic disk image with e.g. drive letter G:
    Note: When your forensic disk image has multiple partitions you may have to change the path to the Windows partition.

Arsenal Image Mounter Fig 1: Arsenal Image Mounter (AIM)

  1. Enter your drive letter in Get-MiniTimeline.ps1
    Input (Source)
    $ROOT = "G:"

Optional: You can also change the outpath path.
$OUTPUT_FOLDER = "$env:USERPROFILE\Desktop\MiniTimeline\$ComputerName"

  1. Run Windows PowerShell console as Administrator.
PS > .\Get-MiniTimeline.ps1 dateRange:MM/DD/YYYY-MM/DD/YYYY

PowerShell
Fig 2: Running Get-MiniTimeline.ps1 (Example)

MessageBox
Fig 3: Message Box

Colorized Excel
Fig 4: Timeline_Slice.xlsx - The dateRange will be auto-beautified as colorized Excel sheet

Timeline Explorer
Fig 5: Timeline.csv - Full Timeline Analysis w/ Timeline Explorer (TLE)

Dependencies

KAPE v1.3.0.2 (2023-01-03)
https://ericzimmerman.github.io/
https://binaryforay.blogspot.com/search?q=KAPE
https://ericzimmerman.github.io/KapeDocs/
https://www.kroll.com/kape

EvtxECmd v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/

MFTECmd v1.2.2.0 (.NET 6)
https://ericzimmerman.github.io/

RegRipper v3.0 (2020-05-28)
https://github.com/keydet89/RegRipper3.0

TLN Tools
https://github.com/mdegrazia/KAPE_Tools
https://github.com/keydet89/Tools/tree/master/exe

ImportExcel v7.8.9 (2024-05-18)
https://github.com/dfinke/ImportExcel

Links

SANS Webcast: Triage Collection and Timeline Generation with KAPE
SANS DFIR Blog: Triage Collection and Timeline Generation with KAPE
Kroll - Express Artifact Analysis and Timeline Development with KAPE (YouTube)
Kroll - Express Artifact Analysis and Timeline Development with KAPE (Slides)