Get-MiniTimeline
Get-MiniTimeline.ps1 is a PowerShell script utilized to collect several forensic artifacts from a mounted forensic image and auto-generate a beautified MiniTimeline from the data collected.
Forensic Artifacts:
- Master File Table ($MFT)
- Windows Event Logs
- Windows Registry
Download
Download the latest version of Get-MiniTimeline from the releases section.
Usage
- Mount your forensic image with e.g. drive letter
G:
Note: When your forensic image has multiple partitions you may have to change the path to the Windows partition.
Fig 1: Arsenal Image Mounter (AIM)
-
Enter your drive letter in
Get-MiniTimeline.ps1
Input (Source)
$ROOT = "G:"
Optional: You can also change the outpath path.
$OUTPUT = "$env:USERPROFILE\Desktop\MiniTimeline\$ComputerName"
-
Run Windows PowerShell console as Administrator.
PS > .\Get-MiniTimeline.ps1 dateRange:MM/DD/YYYY-MM/DD/YYYY
Fig 2: Running Get-MiniTimeline.ps1 (Example)
Fig 3: Timeline_Slice.xlsx - The dateRange will be auto-beautified as colorized Excel sheet
Fig 4: Timeline.csv - Full Timeline Analysis w/ Timeline Explorer (TLE)
Dependencies
KAPE v0.8.8.0 (2019-10-23)
https://ericzimmerman.github.io/
https://binaryforay.blogspot.com/search?q=KAPE
https://ericzimmerman.github.io/KapeDocs/
EvtxECmd v0.5.2.0 (2019-08-26)
https://ericzimmerman.github.io/
MFTECmd v0.4.4.6 (2019-08-30)
https://ericzimmerman.github.io/
RegRipper v2.8 (2019-08-14)
https://github.com/keydet89/RegRipper2.8
TLN Tools
https://github.com/mdegrazia/KAPE_Tools
https://github.com/keydet89/Tools/tree/master/exe
ImportExcel 6.5.2
https://github.com/dfinke/ImportExcel
https://www.evild3ad.com/3910/quick-post-installing-importexcel-powershell-module/
ImportRegistryHive.psm1 by Chris Redit
https://blog.redit.name/posts/2015/powershell-loading-registry-hive-from-file.html
https://www.evild3ad.com/3940/installing-importregistryhive-powershell-module/
Links
SANS Webcast: Triage Collection and Timeline Generation with KAPE
SANS DFIR Blog: Triage Collection and Timeline Generation with KAPE