I am going to try something different for this post and the other I plan to do in this type of upcoming articles because I plan to speak about different tools in ‘Digital Forensics & Incident Response’ starting with all the tools by Eric Zimmerman and then moving on to others.
Partly this is for others to read and use but mainly for me as I am using these tools now on a weekly\daily basis in my day job so thought it would be pretty cool to type up all I am learning but also to read through other articles about the tool, watch YouTube videos on it and take notes for these articles for you to learn but also in the hope that it hopefully sinks in with me also.
When I first started using these tools, I am ashamed to say I didn’t really know what ‘Timeline Explorer’ was used for and just how important it is especially when coupled with the other Eric Zimmerman tools and wish someone told me that THIS tool ‘Timeline Explorer’ is what is essentially used to read nearly all the exports and parsed data from the other tools, yes, it is that important and I never realised for months.
What is Timeline Explorer?
On Eric’s page where you can download all his tools from, he says the very modest:-
“View CSV and Excel files, filter, group, sort, etc. with ease”
Created by Eric Zimmerman this is a utility developed for viewing timeline data of different files including comma-separated values (CSV) and Excel files. This utility allows the conversion of body file into CSVs and grants easy filtering, grouping, and sorting excel files.
I was reading on Binary Foray over on BlogSpot that:-
“Timeline Explorer is a program that started out as a means to view mactime and Plaso generated CSV timelines without the need to use Excel. From these two formats, it has expanded into a tool that supports a wide variety of file formats generated by forensic tools in addition to any random CSV or Excel file you may run across.”
Ok so after doing some investigating into the tool, I found some ridiculous resources and I felt I would be just repeating a lot of what is said so I am just going to be lazy and link to them.
First up and the NUMBER ONE PLACE to go and visit for a read is over on the site aboutdfir, absolutely fantastic site covers a few tools already one of which is this one including great graphics showing all about the tool :- https://aboutdfir.com/toolsandartifacts/windows/timeline-explorer/
Next up is a video by SANS Digital Forensics and Incident Response ‘Episode 87: Introducing and Using Timeline Explorer’.
“In this episode, we will walk through the use and output of the Timeline Explorer tool written by Eric Zimmerman. This tool shows how to ingest data, and filter and sort it for better granularity in an investigation.
The SANS 3MinMax series with Kevin Ripa is designed around short, three-minute presentations on a variety of topics from within Digital Forensics, Incident Response, and to a lesser degree, Information Security.”
And lastly is a video by an absolute legend who I will be interviewing in my next post 13Cubed ‘Getting Started with Plaso and Log2Timeline – Forensic Timeline Creation’ with the reason for this being you get to see Richard actually using it to view parsed files so you get a real feel and understanding on how it should be used.
“In this episode, we’ll take an in-depth look at how to install and use Plaso/Log2Timeline to create a super timeline of events on a computer system. This is made possible by the automatic parsing of numerous forensic artifacts alongside the extraction of their associated timestamps. The result can be an investigator’s dream, providing a single place to look to “find evil” and potentially solve a case. The process isn’t without its caveats, but don’t worry – we’ll cover everything you need to know to get started!”
Thanks for reading and apologies for the laziness in just posting other peoples work but they explain it all so well it makes no sense at all me doing the same, I promise I will have my work cut out with me as there is a few tools with not much about them out there I will be writing about so stay tuned.
Here is a couple more links and be sure to follow, subscribe and support all the people mentioned 😊
Take it easy