Get-MiniTimeline - Triage Collection and Timeline Generation w/ KAPE

evild3ad/Get-MiniTimeline

Get-MiniTimeline

Get-MiniTimeline.ps1 is a PowerShell script that collects several forensic artifacts from a mounted forensic disk image and auto-generates a beautified MiniTimeline from the collected data.

Forensic Artifacts:

  • Master File Table ($MFT)
  • Windows Event Logs
  • Windows Registry

Download

Download the latest version of Get-MiniTimeline from the Releases section.

Usage

  1. Mount your forensic disk image, e.g. as drive letter G:
     Note: When your forensic disk image has multiple partitions, you may have to change the path to the Windows partition.

Fig 1: Arsenal Image Mounter (AIM)

  2. Enter your drive letter in Get-MiniTimeline.ps1
     Input (Source)
     $ROOT = "G:"

     Optional: You can also change the output path.
     $OUTPUT_FOLDER = "$env:USERPROFILE\Desktop\MiniTimeline\$ComputerName"

  3. Run Windows PowerShell console as Administrator.
     PS > .\Get-MiniTimeline.ps1 dateRange:MM/DD/YYYY-MM/DD/YYYY
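The three steps above boil down to a drive letter, an optional output folder and a dateRange argument. The following PowerShell is an added example, not code from Get-MiniTimeline.ps1 or its author, showing the checks a practitioner would want around those inputs and how the dateRange slice is carved out of a timeline: it confirms the console is elevated, confirms that the mounted root actually holds a \Windows directory (the multi-partition case from the note in step 1), parses MM/DD/YYYY-MM/DD/YYYY into an inclusive UTC window, and filters constructed timeline rows to that window. The function names, the sample rows and the assumption that the timeline rows are TLN-formatted (Time|Source|System|User|Description, with Time as Unix epoch seconds in UTC) are all assumptions made for this example.

```powershell
# Added example, not part of Get-MiniTimeline.ps1. Function names, sample rows and
# the TLN row layout are assumptions for illustration.

function Test-IsAdministrator {
    # Raw $MFT and registry hives under the mounted image need an elevated console.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-ImageRoot {
    param([Parameter(Mandatory)][string]$Root)
    # A mounted image may expose several partitions; we need the one that holds \Windows.
    $windows = Join-Path -Path $Root -ChildPath 'Windows'
    if (-not (Test-Path -LiteralPath $windows -PathType Container)) {
        throw "No Windows directory under '$Root'. Check the drive letter or point ROOT at the Windows partition."
    }
    return $windows
}

function ConvertFrom-DateRange {
    param([Parameter(Mandatory)][string]$DateRange)
    # Expected form: MM/DD/YYYY-MM/DD/YYYY. Both days are included in the slice.
    if ($DateRange -notmatch '^(\d{2}/\d{2}/\d{4})-(\d{2}/\d{2}/\d{4})$') {
        throw "dateRange must look like MM/DD/YYYY-MM/DD/YYYY, got '$DateRange'."
    }
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $start = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy', $culture)
    $end   = [datetime]::ParseExact($Matches[2], 'MM/dd/yyyy', $culture).AddDays(1).AddTicks(-1)
    if ($end -lt $start) { throw "dateRange end ($($Matches[2])) is before its start ($($Matches[1]))." }
    return [pscustomobject]@{ Start = $start; End = $end }
}

function Get-TimelineSlice {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    # TLN rows carry Unix epoch seconds (UTC) in the Time column; convert and compare.
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    foreach ($row in $Rows) {
        $ts = $epoch.AddSeconds([int64]$row.Time)
        if ($ts -ge $Start -and $ts -le $End) {
            [pscustomobject]@{
                Timestamp   = $ts.ToString('yyyy-MM-dd HH:mm:ss')
                Source      = $row.Source
                System      = $row.System
                User        = $row.User
                Description = $row.Description
            }
        }
    }
}

# --- usage -------------------------------------------------------------------
if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell console.' }

$ROOT = 'G:'                                   # mounted image, as in step 2
$null = Test-ImageRoot -Root $ROOT             # throws if \Windows is not under G:

$range = ConvertFrom-DateRange -DateRange '01/02/2023-01/02/2023'

# Constructed TLN lines standing in for the merged timeline (epochs are 2023-01-01..03 00:00 UTC).
$sampleTln = @(
    '1672531200|EVTX|WS01|-|Security/4624;Logon;Type 10',
    '1672617600|REG|WS01|-|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key modified',
    '1672704000|MFT|WS01|-|C:\Users\Public\update.tmp created'
)
$rows  = $sampleTln | ConvertFrom-Csv -Delimiter '|' -Header Time, Source, System, User, Description
$slice = Get-TimelineSlice -Rows $rows -Start $range.Start -End $range.End

# Only the 2023-01-02 registry row falls inside the requested day.
$slice | Format-Table -AutoSize
```

The slice objects can be piped to Export-Csv for Timeline Explorer or to Export-Excel from the ImportExcel module listed under Dependencies; keeping the range inclusive on both ends (end of day on the second date) matches what an analyst means by "from this day to that day" and avoids silently dropping the last day's events.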

Fig 2: Running Get-MiniTimeline.ps1 (Example)

Fig 3: Message Box

Fig 4: Timeline_Slice.xlsx - The dateRange will be auto-beautified as a colorized Excel sheet

Fig 5: Timeline.csv - Full Timeline Analysis w/ Timeline Explorer (TLE)

Dependencies

KAPE v1.3.0.2 (2023-01-03)
https://ericzimmerman.github.io/
https://binaryforay.blogspot.com/search?q=KAPE
https://ericzimmerman.github.io/KapeDocs/
https://www.kroll.com/kape

EvtxECmd v1.5.0.0 (.NET 6)
https://ericzimmerman.github.io/

MFTECmd v1.2.2.0 (.NET 6)
https://ericzimmerman.github.io/

RegRipper v3.0 (2020-05-28)
https://github.com/keydet89/RegRipper3.0

TLN Tools
https://github.com/mdegrazia/KAPE_Tools
https://github.com/keydet89/Tools/tree/master/exe

ImportExcel v7.8.9 (2024-05-18)
https://github.com/dfinke/ImportExcel

Links

SANS Webcast: Triage Collection and Timeline Generation with KAPE
SANS DFIR Blog: Triage Collection and Timeline Generation with KAPE
Kroll - Express Artifact Analysis and Timeline Development with KAPE (YouTube)
Kroll - Express Artifact Analysis and Timeline Development with KAPE (Slides)