(Note: This post is not about Windows 10's new Timeline feature (but don't miss Windows 10 Timeline Forensic Artefacts and WxTCmd, a parser for the Windows 10 Timeline database.))
Replay / rewind Windows events and actions to:
Unlike the lengthy forensic and incident response tools listed below, Nir Sofer's LastActivityView runs on a live system within seconds, reporting:
In 2014, Thomas Weller combined LastActivityView with a host of additional Nirsoft utilities to create Live System Timeline Builder, which builds a super timeline of a running Windows machine in seconds. The unified view includes results from:
While Live System Timeline Builder comes packaged as an installer, the resulting folder (%PROGRAMFILES(X86)%\WelliSolutions\LiveSystemTimeLineBuilder\) is completely portable; you just need LiveSystemTimelineBuilder.exe, EPPlus.dll, and the Providers subdirectory.
You can even update the Nirsoft apps in Providers as well (the latest RegDllView, 1.60, does not appear compatible, so stick with the included 1.58).
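Live System Timeline Builder gets its rows from the Nirsoft providers; the idea behind it, normalising several live sources to one timestamped record and sorting them together, can be illustrated with nothing but built-in PowerShell. The script below is an added example written for this page (it is not part of Live System Timeline Builder, LastActivityView or any Nirsoft tool) that merges event log entries, Prefetch files, the current user's Recent Items shortcuts and running-process start times into a single sorted CSV. It assumes an elevated PowerShell 5.1 or later session (the Security log is not readable otherwise); the `$Since` window and `$Out` path are arbitrary defaults.

```powershell
# Added example for this page: a minimal live "super timeline" from built-in
# Windows sources only. Not the code of Live System Timeline Builder or any
# Nirsoft utility. Assumes an elevated PowerShell 5.1+ session.
param(
    [datetime]$Since = (Get-Date).AddHours(-24),        # assumption: 24h window
    [string]$Out = "$env:TEMP\live-timeline.csv"        # assumption: output path
)

# Every source is normalised to the same three columns so rows can be merged.
function New-Row {
    param([datetime]$Time, [string]$Source, [string]$Detail)
    [pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail }
}

$rows = New-Object System.Collections.Generic.List[object]

# 1. Event logs. Security holds logons (4624) and, if auditing is on,
#    process creation (4688); System/Application hold service and app events.
foreach ($log in 'System', 'Application', 'Security') {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction Stop |
            ForEach-Object {
                $firstLine = ($_.Message -split "`n")[0]
                $rows.Add((New-Row $_.TimeCreated "EventLog/$log" ("ID {0}: {1}" -f $_.Id, $firstLine)))
            }
    } catch {
        # No matching events, or no permission (e.g. Security when not elevated).
        Write-Warning "Skipping $log log: $($_.Exception.Message)"
    }
}

# 2. Prefetch. The .pf file's last write time approximates the last execution
#    of that program; its creation time approximates the first execution.
Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $rows.Add((New-Row $_.LastWriteTime 'Prefetch' ("{0} (last run)" -f $_.BaseName)))
    }

# 3. Recent Items (.lnk shortcuts) for the current user: file/folder opens.
Get-ChildItem ([Environment]::GetFolderPath('Recent')) -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $rows.Add((New-Row $_.LastWriteTime 'RecentItems' $_.BaseName))
    }

# 4. Running processes. Start time comes from the kernel, not from a log, so it
#    survives even when 4688 auditing is off. Protected processes deny access
#    to StartTime; those are skipped rather than aborting the run.
Get-Process | ForEach-Object {
    try { $start = $_.StartTime } catch { $start = $null }
    if ($start -and $start -ge $Since) {
        $rows.Add((New-Row $start 'Process' ("{0} (PID {1})" -f $_.ProcessName, $_.Id)))
    }
}

# Merge, sort by time and export. A time-sorted CSV is what Excel, Timesketch
# or a grep over the file expects.
$timeline = $rows | Sort-Object Time
$timeline | Export-Csv -Path $Out -NoTypeInformation -Encoding UTF8
"{0} events written to {1}" -f $timeline.Count, $Out
```

Run it as `.\live-timeline.ps1 -Since (Get-Date).AddDays(-3)` to widen the window. The point of keeping every source on the same three columns is that gaps become visible: a Prefetch entry with no matching 4688 event, or a logon with no process activity after it, is exactly the kind of inconsistency a unified timeline is meant to surface.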
If you have more time to dig, there are a number of exhaustive (and time-consuming) timeline tools focused on forensics and incident response:
Autopsy "is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer." Includes detailed timeline analysis.
Crowd Response "is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements."
FastIR Collector "collects different artefacts on live Windows and records the results in csv or json files."
Forensafe Timeline Analyzer "will take physical and logical disks, image files and RAM as input to recover artifacts." (Project status unclear, but calimelo's reply in this thread includes a link to a password-protected RAR archive.)
ir-rescue - "A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response."
KeyChain KeySpace "utilizes digital forensic techniques for cyber criminal investigations, internal audits, and industrial confidential disclosures. It is a solution that supports automatic analysis easily and conveniently. Analyze file formats and raw data for professional analysis." (via Google Translate)
Redline - "Thoroughly audit and collect all running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history."
Timesketch - "Collaborative forensic timeline analysis"
Virtual machine appliances:
* Unlikely that they erased all (if any) traces.
/windows | May 11, 2018