This is basic guide on some common steps to create timelines / super timelines. It may not be applicable to every situation and you should adapt this to your preferences, tools and investigative requirements.
This assumes you have a disk image in E01 format and a memory image collected from the same machine.
ewfmount {path/to/file}.E01 /mnt/ewf_mount
cd /mnt/ewf_mount
mount -o ro,loop,show_sys_files,streams_interface+windows ewf1 /mnt/windows_mountfls -r -m C: {path/to/file}.E01 > {path/to/file}-bodyfile
vol.py -f {path/to/file}.raw --profile=PROFILE timeliner --output=body --outputfile={path/to/file}/timeliner.body
cat {path/to/file}/timeliner.body >> {path/to/file}-bodyfile
mactime -d -b {path/to/file}-bodyfile {start date}..{end date} > {path/to/file}-mactime-timeline.csv
If there is a keyword whitelist, this can be used to filter against.
grep -v -i -f {path/to/file}whitelist.txt {path/to/file}-mactime-timeline.csv > {path/to/file}-mactime-timeline-final.csv
cd /mnt/windows_mount/users/{USERNAME}
rip.pl -r NTUSER.DAT -p recentdocs > {path/to/file}/recent-docs.txt
cat {path/to/file}/recent-docs.txtcd /mnt/windows_mount/users/{USERNAME}
rip.pl -r NTUSER.DAT -p wordwheelquery > {path/to/file}/wordwheelquery.txt
cat {path/to/file}/wordwheelquery.txtpf -v /mnt/windows_mount/Windows/Prefetch/{prefetchfile}.pfewfmount {path/to/file}.E01 /mnt/ewf_mount
cd /mnt/ewf_mount
mount -o ro,loop,show_sys_files,streams_interface+windows ewf1 /mnt/windows_mountlog2timeline.py {path/to/file}plaso.dump {path/to/file}.E0
psort.py -z "UCT" -o L2tcsv {path/to/file}plaso.dump "date > '{start date}' AND date < 'end date'" > {path/to/file}plaso.csv
Note: The dates should be in YYYY-MM-DD HH:MM:SS format. For example: 2018-01-01 00:00:01.
grep -v -i -f {path/to/file}whitelist.txt {path/to/file}plaso.csv > supertimeline.csv