Super Timeline Quick Reference

If you haven't watched it already, there's some great YouTube videos by Richard Davis of 13cubed that I suggest you start with. If you're just looking for the commands to run, scroll towards the bottom. There are a LOT of advanced options that could be used, this is just my own quick reference for general use.

Forensics with fls, Volatility and Timeline Explorer - ft. 13cubed
Getting Started with Plaso and Log2Timeline - Forensic Timeline Creation
Plaso and WSL 2 - The WSL Adventures Continue...

First, lets grab Volatility 3 and Plaso Tools

pip3 install yara-python
pip3 install pycrypto
pip3 install pefile
pip3 install capstone
git clone --branch stable
sudo add-apt-repository ppa:gift/stable
sudo apt update
sudo apt install plaso-tools

Now lets get the required information

Now that we have both tools installed, we need to extract the needed information from both our memory and disk image. Lets start by creating a body file from the memory image.
python3 -f physical-memory.img timeliner.Timeliner --create-bodyfile
Next, we need the plaso timeline file from the disk image. plaso.dump diskimage.raw
edit: This is now: --storage-file plaso.dump diskimage.raw

Combine these two files

I wanted to make this it's own section. Right now (25 July 2021), Volatility3's timeline is incompatible with log2timeline. The details are here:

The summary is though, that you need to do some formatting prior to importing these files. Every blank "column" should contain some value (0's work, not sure what else does). E.g. if you start with:

|PsList - Process: 343 services.exe (902309408234)|||||||||1627261200

You need to change the formatting such as:

0|PsList - Process: 343 services.exe (902309408234)|0|0|0|0|0|0|0|0|1627261200

Once that is done, you can import the body file like so: --parsers="mactime" plaso.dump volatility.body

And finally, create the timeline.

We have a few options here.
To create a complete timeline of everything on the machine, we can run psort with no real arguments: -o l2tcsv -w timeline.csv plaso.dump
To grab a slice of time, we can specify the --slice command, , and a timestamp in ISO 8601 format, for example: 2004-09-20T16:13:02. Note that the example on command line is wrong, but the example in the documentation is correct. Psort will grab everything 5 minutes before, and 5 minutes after that timestamp: -o l2tcsv -w timeline.csv plaso.dump --slice '2020-02-29T15:00:00'
The one used most often is to bookend times, telling Psort to grab everything greater than one date and less than another. That one looks like: -o l2tcsv -w timeline.csv plaso_mem_combined.dump "date > '2021-06-13 23:59:59' AND date < '2021-07-22 00:00:01'"

Two more things to be aware of

We can use plaso.dump to get information on what the plaso dump contains.
We can use --source image.raw -o l2tcsv -w timeline.csv to go stright from the disk image to a timeline csv, essentially combining and with no options. Because this command doesn't have any options (combiningin the memory body file, bookending times, etc.), it's not as useful.

These are things that came in useful at the time, but aren't necessarily related to super timeline creation.

While browsing the mounted image, I got tired of waiting for permissions to propagate. Use PowerShell or icacls to set entire folders of interest to Everyone

$path = 'G:\Users\someuser'
$acl = Get-Acl -Path $path
$accessrule = New-Object System.Security.AccessControl.FileSystemAccessRule ('Everyone', 'FullControl', 'ContainerInherit, ObjectInherit', 'none', 'Allow')
Set-Acl -Path $path -AclObject $acl

icacls "G:\Users\someuser" /grant Everyone:(OI)(CI)F /T

For some reason in WSL2, I couldn't browse my USB hard drive containing the evidence. Apparently this is related to unclean ejection. Fix that with:

sudo umount /mnt/f
sudo mount -t drvfs F: /mnt/f either isn't parsing my VSS snapshots, or it now silently parses them in the background. Some more info on that here: Note that I did get the prompt to select the partition I wanted when I made a physical image though. doesn't seem to want to decrypt bitlocker partitions with the 48 digit recovery key. It does correctly identify these, but when prompted, none of the key's or passwords seem to use this recovery key. I assume none of the below options are actually meant for this key, but that would be a fantasic addition.

Found a BitLocker encrypted volume.

Supported credentials:

  1. password
  2. recovery_password
  3. startup_key
  4. skip