Automagically extract forensic timeline from volatile memory dumps. Requirements Python Volatility mactime (from SleuthKit) How it works AutoTimeline automates this workflow: Identify correct volatility profile for the memory image. Runs the timeliner plugin against volatile memory dump using volatility. Runs the mftparser volatility plugin, in order to extract $MFT from memory and generate a bodyfile. Runs the shellbags volatility plugin in order to generate a bodyfile of the user activity. (suggested by Matteo Cantoni). Merges the timeliner, mftparser and shellbags output files into a single bodyfile. Sorts and filters the bodyfile using mactime and exports data as CSV.
Category: Timelines
Category URL: http://www.dfir.training/component/mtree/forensic-utilities/timelines?Itemid=