autotimeliner: Automagically extract forensic timeline from volatile memory dump

AutoTimeliner

Automagically extract forensic timeline from volatile memory dumps.

How it works

AutoTimeline automates this workflow:

  • Identifies the correct Volatility profile for the memory image.
  • Runs the timeliner Volatility plugin against the memory dump.
  • Runs the mftparser Volatility plugin to extract the $MFT from memory and generate a bodyfile.
  • Runs the shellbags Volatility plugin to generate a bodyfile of user activity (suggested by Matteo Cantoni).
  • Merges the timeliner, mftparser, and shellbags output files into a single bodyfile.
  • Sorts and filters the merged bodyfile with mactime and exports the result as CSV.
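
The merge, filter and sort step of that workflow, written out as an added example (not code from the autotimeliner project): bodyfile lines in the SleuthKit 3.x format that the three plugins emit are concatenated, records with no timestamp inside a "START..END" range (the same syntax as the -t option) are dropped, and the rest are ordered by earliest timestamp, which is what mactime does before it writes CSV. The sample bodyfile lines are constructed for the example; their names and offsets are not real plugin output.

```python
#!/usr/bin/env python3
"""Merge several Volatility bodyfiles and keep only records inside a timeframe.
Bodyfile field layout: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
(timestamps are epoch seconds). Added example, not part of autotimeliner."""
from datetime import datetime, timezone

# Constructed sample lines, one list per plugin (names/offsets are made up).
TIMELINER_BODY = [
    "0|[PROCESS] cmd.exe PID: 1234 PPID: 567|0|---------------|0|0|0|1539820800|1539820800|1539820800|1539820800",
    "0|[PROCESS] old.exe PID: 99 PPID: 1|0|---------------|0|0|0|1514764800|1514764800|1514764800|1514764800",
]
MFTPARSER_BODY = [
    "0|[MFT FILE_NAME] Users\\bob\\Desktop\\notes.txt (Offset: 0x1a2b)|0|---------------|0|0|0|1539950400|1539950400|1539950400|1539950400",
]
SHELLBAGS_BODY = [
    "0|[SHELLBAGS ITEMPOS] Folder Entry: Desktop|0|---------------|0|0|0|1540080000|1540080000|1540080000|1540080000",
]

def parse_timeframe(spec):
    """Turn 'YYYY-MM-DD..YYYY-MM-DD' into inclusive (start, end) epoch bounds (UTC)."""
    start_s, end_s = spec.split("..")
    start = datetime.strptime(start_s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    # The end date is inclusive, so extend it to the last second of that day.
    return int(start.timestamp()), int(end.timestamp()) + 86399

def merge_and_filter(bodyfiles, timeframe=None):
    """Concatenate bodyfile line lists, drop records outside the timeframe,
    and return (earliest_timestamp, name) pairs sorted by time."""
    lo, hi = parse_timeframe(timeframe) if timeframe else (None, None)
    records = []
    for lines in bodyfiles:
        for line in lines:
            fields = line.split("|")
            if len(fields) != 11:
                continue  # skip a malformed line instead of losing the whole timeline
            times = [int(t) for t in fields[7:11]]
            if timeframe and not any(lo <= t <= hi for t in times):
                continue  # no MAC/birth timestamp falls inside the requested window
            records.append((min(times), fields[1]))
    return sorted(records)

def to_csv(records):
    """Render the sorted records as 'Date,Source' CSV rows in UTC."""
    rows = ["Date,Source"]
    for ts, name in records:
        rows.append(f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S},{name}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(to_csv(merge_and_filter([TIMELINER_BODY, MFTPARSER_BODY, SHELLBAGS_BODY],
                                  "2018-10-17..2018-10-21")))
```

Running it prints three rows (cmd.exe, notes.txt, the shellbag entry); old.exe, dated 2018-01-01, is filtered out by the timeframe.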

Install

Requirements

  • Python 3
  • Volatility
  • mactime (from SleuthKit)

git clone https://github.com/andreafortuna/autotimeliner.git

Use

Examples

Extract timeline from TargetServerMemory.raw, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f TargetServerMemory.raw -t 2018-10-17..2018-10-21

Extract timeline from all images in the current directory, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f ./*.raw -t 2018-10-17..2018-10-21

Extract timeline from TargetServerMemory.raw, using a custom memory profile:

./autotimeline.py -f TargetServerMemory.raw -p Win2008R2SP1x64

All timelines will be saved as $ORIGINALFILENAME-timeline.csv.

Copyright (c) 2018 Andrea Fortuna

Source: https://github.com/andreafortuna/