Get-MiniTimeline.ps1 is a PowerShell script utilized to collect several forensic artifacts from a mounted forensic disk image and auto-generate a beautified MiniTimeline from the data collected.
Forensic Artifacts:
- Master File Table ($MFT)
- Windows Event Logs
- Windows Registry
Download the latest version of Get-MiniTimeline from the Releases section.
- Mount your forensic disk image with e.g. drive letter
G:
Note: When your forensic disk image has multiple partitions you may have to change the path to the Windows partition.
Fig 1: Arsenal Image Mounter (AIM)
- Enter your drive letter in
Get-MiniTimeline.ps1
Input (Source)
$ROOT = "G:"
Optional: You can also change the outpath path.
$OUTPUT_FOLDER = "$env:USERPROFILE\Desktop\MiniTimeline\$ComputerName"
- Run Windows PowerShell console as Administrator.
PS > .\Get-MiniTimeline.ps1 dateRange:MM/DD/YYYY-MM/DD/YYYY
Fig 2: Running Get-MiniTimeline.ps1 (Example)
Fig 3: Message Box
Fig 4: Timeline_Slice.xlsx - The dateRange will be auto-beautified as colorized Excel sheet
Fig 5: Timeline.csv - Full Timeline Analysis w/ Timeline Explorer (TLE)
KAPE v1.3.0.2 (2023-01-03)
https://ericzimmerman.github.io/
https://binaryforay.blogspot.com/search?q=KAPE
https://ericzimmerman.github.io/KapeDocs/
https://www.kroll.com/kape
EvtxECmd v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/
MFTECmd v1.2.2.0 (.NET 6)
https://ericzimmerman.github.io/
RegRipper v3.0 (2020-05-28)
https://github.com/keydet89/RegRipper3.0
TLN Tools
https://github.com/mdegrazia/KAPE_Tools
https://github.com/keydet89/Tools/tree/master/exe
ImportExcel v7.8.9 (2024-05-18)
https://github.com/dfinke/ImportExcel
SANS Webcast: Triage Collection and Timeline Generation with KAPE
SANS DFIR Blog: Triage Collection and Timeline Generation with KAPE
Kroll - Express Artifact Analysis and Timeline Development with KAPE (YouTube)
Kroll - Express Artifact Analysis and Timeline Development with KAPE (Slides)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent