Introducing Timeline Explorer v0.4.0.0


Timeline Explorer is a program that started out as a means to view mactime and Plaso generated CSV timelines without the need to use Excel. From these two formats, it has expanded into a tool that supports a wide variety of file formats generated by forensic tools in addition to any random CSV or Excel file you may run across.

Note: Timeline Explorer is not meant to open very large files. It works best with smaller, targeted timelines rather than one giant timeline.

It supports opening more than one document at a time, allows for conditional coloring, filtering and grouping, and much more.

For many files, Timeline Explorer is much faster than Excel at both opening the file and interacting with the data it contains.

The interface is very simple:


The File menu contains the following options:

Open: Select one or more files to open
Export | Excel: Exports the active tab and view to Excel. What you see is what will be exported
Exit: Quits the program

The Tools menu contains the following options:

Show Details: Displays a dedicated form to inspect all data available in a Plaso generated timeline
Adjust font size: Changes the font size for the main grid
Options | Filter rows on Find: Controls whether or not data is filtered out or simply highlighted when using the Find feature

The Help menu contains the following options:

Quick help: Displays an overview of Timeline Explorer and how to use it
Legend: Contains the color codes used in mactime and super timelines for various types of artifacts
About: Contains information about the program version and contact info

Here is what Quick Help looks like:


The Legend looks like this:



Supported file formats

Timeline Explorer has built-in support for the following file formats and programs:

AmcacheParser Files and Programs
AnalyzeMft
AppCompatcacheParser
Autoruns
JLECmd
LECmd
Mactime timelines
PECmd
SBECmd
ShimcacheMemory
ShimcacheParser
Plaso super timelines

As mentioned above, Timeline Explorer (TLE) can also import any CSV or Excel file (first worksheet only). The difference between a dynamically imported file and a natively supported one is that TLE knows how to normalize the data of a supported format; combining separate Date and Time columns into a single timestamp column is one such example.

Below are several examples of timelines that illustrate the conditional coloring capabilities of TLE. These colors correspond to the categories as outlined in the Legend.



Here is a Plaso timeline:



In this final example, the Color column has been used to group rows. The Color column is hidden by default, but right-clicking on any column header and selecting Column Chooser will bring up a means to add any hidden column to the interface.

Once the Color column was unhidden, it was dragged into the group-by area at the top of the grid.

Using this technique allows you to quickly view different artifacts that fall into a specific category.



Diving into super timeline data

One of the drawbacks of super timelines is the sheer amount of information they can contain. For most forensic artifacts, the underlying data is hierarchical, and hierarchical data is difficult to represent in a single flat row.

When we flatten it anyway and then try to interact with it, we can end up with something like the example below:



Notice that the tooltip shows a wealth of information crammed into a single line. If we select that cell, press CTRL-C to copy it to the clipboard, and paste it into a text editor, the details become a bit clearer:


Even then, the data is not very clean: there are tab and linefeed characters throughout. We could do a find and replace on those every time, but that is impractical in the long term.

TLE solves this problem by making all of the data in a super timeline row visible, regardless of whether a given column is shown in the main grid. It does this via the Details form, which is available from the Tools menu, via the CTRL-D shortcut, or by simply double-clicking a row.




Once the Details view is populated, the data is normalized by replacing the embedded tab and linefeed characters, which makes it much easier to read.

The Details form has several options, including one to keep it on top of the main window. This is useful when you navigate the grid by clicking on it and moving between rows with the arrow keys, since the Details form would otherwise drop behind the main window. With multiple monitors or a higher resolution this is less of an issue. Two buttons in the lower right of the form step between entries.

At the top of the Details window, the currently selected Line number is shown. The active row in the grid is indicated by a triangle in the far left column.

Other capabilities

Once a document is opened, TLE allows for searching, filtering, and grouping. TLE detects when a column contains timestamps and applies a common datetime format (yyyy-MM-dd HH:mm:ss) to such columns. Because TLE knows these columns hold timestamps rather than plain text, it can offer the date-aware filtering shown in the examples below.

As with every other column, the filter is invoked via the funnel icon in the upper right corner of the column header.

The Values tab contains a granular way to filter based on timestamps:


The Date Filters tab allows for quickly filtering based on specific time periods:
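The following script is an added example and is not part of Timeline Explorer or the original post. It reproduces, in Python, the three "massage" behaviours the post describes for natively supported formats: folding separate date and time columns into one timestamp column, detecting which columns hold timestamps and rewriting them in the yyyy-MM-dd HH:mm:ss display format, and applying a date-period filter like the Date Filters tab. It also shows the Details-form style normalization of cells that embed tab and linefeed characters. The sample timeline is constructed and laid out like the l2tcsv export that Plaso's psort produces; the column names follow that format (an assumption about the format), every row is invented, the candidate input layouts other than l2tcsv's are assumptions, and the separators used to replace tabs and linefeeds are this example's own choice.

```python
import csv
import io
from datetime import datetime

# Constructed sample timeline in the l2tcsv layout (column names are an
# assumption about that format; every row is invented). The desc and extra
# cells deliberately embed tab and newline characters, which is what makes
# them hard to read in a single grid cell.
SAMPLE_L2TCSV = (
    "date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,"
    "version,filename,inode,notes,format,extra\n"
    "04/18/2017,14:02:11,UTC,M...,FILE,NTFS $MFT,Last Modified,-,WS01,"
    'C:/Windows/Temp/a.exe,"Size: 1024\tAttrs: archive\nOwner: SYSTEM",2,'
    'C:/Windows/Temp/a.exe,12345,-,mft,"md5: 00000000000000000000000000000000\tflag: x"\n'
    "04/18/2017,14:05:40,UTC,.A..,REG,Registry Key,Last Access,-,WS01,"
    'HKLM/Software/Run,"Value: a.exe",2,C:/Windows/System32/config/SOFTWARE,-,-,winreg,-\n'
    "04/19/2017,09:30:00,UTC,...B,LOG,Event Log,Creation,alice,WS01,Logon 4624,"
    '"Logon type: 2\tUser: alice",2,C:/Windows/System32/winevt/Security.evtx,-,-,evtx,-\n'
)

# The common display format the post describes: yyyy-MM-dd HH:mm:ss.
DISPLAY_FORMAT = "%Y-%m-%d %H:%M:%S"

# Input layouts tried when deciding whether a column holds timestamps.
# l2tcsv uses MM/DD/YYYY plus HH:MM:SS; the other two are assumptions for
# mactime-style and already-normalized input.
CANDIDATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S", "%a %b %d %Y %H:%M:%S")

# l2tcsv writes "-" for an empty cell; such cells must not block detection.
EMPTY = {"", "-", None}


def parse_timestamp(value):
    """Return a datetime if value matches one of the candidate layouts, else None."""
    for fmt in CANDIDATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def load_timeline(csv_text):
    """Parse CSV text into row dicts, fold date+time into one timestamp column,
    then detect timestamp columns and rewrite them in DISPLAY_FORMAT.
    Returns (rows, names of the columns treated as timestamps)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return [], []
    for row in rows:
        if "date" in row and "time" in row:
            row["timestamp"] = row.pop("date") + " " + row.pop("time")
    timestamp_columns = []
    for column in rows[0]:
        values = [r.get(column) for r in rows if r.get(column) not in EMPTY]
        # A column counts as a timestamp column only if every populated value
        # parses; a column that is entirely "-" is not a timestamp column.
        if values and all(parse_timestamp(v) is not None for v in values):
            timestamp_columns.append(column)
    for row in rows:
        for column in timestamp_columns:
            if row[column] not in EMPTY:
                row[column] = parse_timestamp(row[column]).strftime(DISPLAY_FORMAT)
    return rows, timestamp_columns


def filter_between(rows, column, start, end):
    """Date-filter behaviour: keep rows whose normalized timestamp in `column`
    lies within the inclusive period [start, end] (both in DISPLAY_FORMAT)."""
    lo = datetime.strptime(start, DISPLAY_FORMAT)
    hi = datetime.strptime(end, DISPLAY_FORMAT)
    kept = []
    for row in rows:
        if row[column] in EMPTY:
            continue
        if lo <= datetime.strptime(row[column], DISPLAY_FORMAT) <= hi:
            kept.append(row)
    return kept


def details(row):
    """Render one row the way the Details form does: every column on its own
    line, with embedded tabs and linefeeds replaced by visible separators.
    The separators ("; " and " | ") are this example's own choice."""
    lines = []
    for column, value in row.items():
        clean = (value or "").replace("\r\n", "\n").replace("\n", " | ").replace("\t", "; ")
        lines.append(f"{column}: {clean}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, ts_columns = load_timeline(SAMPLE_L2TCSV)
    print("timestamp columns:", ts_columns)
    for r in filter_between(rows, "timestamp", "2017-04-18 00:00:00", "2017-04-18 23:59:59"):
        print(r["timestamp"], r["sourcetype"], r["short"])
    print(details(rows[0]))
```

Detection requires every populated value in a column to parse, so a column such as inode (mostly "-", one integer) is left as text, while a column containing only "-" is not promoted to a timestamp column either. Once the timestamp column is in the display format, the period filter compares real datetimes rather than strings, which is the property that makes the Date Filters tab useful.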


Searching

To search, press CTRL-F or select the option via the context menu available by right-clicking on any column header.

Once the Find panel is visible, enter the search criteria; any matching text will be highlighted.

Notice in the example below that the total row count equals the visible row count: nothing has been filtered out.



Recall there is an option that controls whether rows not containing the search term are filtered out.



If this option is enabled and we do the same search again, notice what happens:



Here we can see the rows that didn’t contain our search term are now filtered out.

Tagging

All natively supported formats include the ability to tag rows via CTRL-T. The shortcut tags or untags the selected rows depending on their current state.

To tag, select one or more rows, then press CTRL-T. A checkbox will indicate tagged rows as seen below.



Because the tag status is maintained in its own column, we can filter for tagged rows. Say that during a review the investigator finds and tags several rows of interest. That slice of the timeline can then be exported to Excel.

To do this, we first filter for tagged rows via the Tag column’s filter, then Export via the File menu.



The data in the grid is exported exactly as shown. You can hide or reorder columns, apply filters and so on, and the Excel document TLE generates will contain exactly that representation of the data.
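The following is an added example, not code from Timeline Explorer or the original post. It models the tagging workflow just described: CTRL-T toggles the tag state of the selected rows, the Tag column is filtered to the checked rows, and the result is exported exactly as the view shows it (only the visible columns, in their displayed order). The rows are constructed, and the export is written as CSV text rather than Excel so the example needs no spreadsheet library.

```python
import csv
import io

# Constructed rows standing in for a loaded timeline (invented values).
TIMELINE = [
    {"Line": 1, "Timestamp": "2017-04-18 14:02:11", "SourceType": "NTFS $MFT", "Short": "C:/Windows/Temp/a.exe"},
    {"Line": 2, "Timestamp": "2017-04-18 14:05:40", "SourceType": "Registry Key", "Short": "HKLM/Software/Run"},
    {"Line": 3, "Timestamp": "2017-04-19 09:30:00", "SourceType": "Event Log", "Short": "Logon 4624"},
]


def toggle_tag(rows, selected_lines):
    """CTRL-T behaviour: flip the Tag state of each selected row, so the same
    shortcut tags an untagged row and untags a tagged one. Tag is kept in its
    own column, which is what makes it filterable later."""
    for row in rows:
        row.setdefault("Tag", False)
        if row["Line"] in selected_lines:
            row["Tag"] = not row["Tag"]
    return rows


def tagged_rows(rows):
    """The Tag column's filter set to 'checked'."""
    return [row for row in rows if row.get("Tag")]


def export_view(rows, visible_columns):
    """What-you-see-is-what-you-get export: only the columns currently shown,
    in the order they are shown, for exactly the rows that survived filtering.
    Hidden columns (including Tag itself) are dropped from the output."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=visible_columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = toggle_tag([dict(r) for r in TIMELINE], {1, 3})  # tag lines 1 and 3
    rows = toggle_tag(rows, {3})                             # CTRL-T again untags line 3
    print(export_view(tagged_rows(rows), ["Timestamp", "Short"]))
```

Pressing CTRL-T twice on the same row returns it to untagged, which is the toggle semantics the post describes; the export receives the already-filtered row list, so whatever the grid shows after filtering is what lands in the file.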

Below is an example of what the data from above looks like in Excel.



Dynamic mode

Below is a random Excel file (you know this because the column names say so…) as seen in Excel:



When this file is imported into TLE, we get this:




A CSV example is next. First, let’s take a look at our source document:



Once imported into TLE, it looks like this:



Once a document is dynamically imported, all of the searching, filtering, and grouping capabilities of TLE can be leveraged against the data.


I hope you find Timeline Explorer interesting. If you have any file formats you would like to be natively supported in Timeline Explorer, please let me know.

You can get Timeline Explorer in the usual place as well as Chocolatey.


Article Link: http://binaryforay.blogspot.com/2017/04/introducing-timeline-explorer-v0400.html