AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Timeline Explorer

Introduction

Timeline Explorer is a free, feature-rich Excel replacement that's tailored specifically to digital forensic examinations. It offers a handful of quality-of-life features over Excel that are worth considering for any examiners who live in Excel/CSV output when conducting analysis. Timeline Explorer is a GUI-only tool, so that's all we will cover in this guide!

For a few of the examples on Page 2 of this guide, I employ output from KAPE run against the Lone Wolf 2018 Scenario. As of December 2020, the output from KAPE can be retrieved from a GitHub repository I put together for the purpose of these EZ Tools guides. The GitHub repository can be found here.

Target Audience

This guide was created with those new to Timeline Explorer in mind, regardless of background (LE, Private, Student, etc.). It should be noted that the primary purpose of this guide is to help break the intimidation barrier of trying out a new tool such as Timeline Explorer. There are certainly more advanced ways to leverage Timeline Explorer, but they will not be covered in this guide. Maybe in a future guide! If by the end of this guide you don't think to yourself "hey, I can totally use this in my day-to-day work", then please let me know why that's not the case.

I also understand Excel is a very comfortable, ubiquitous tool that can serve as a “one size fits all” for many use cases and get the job done. However, this guide is meant to expose examiners to the benefits Timeline Explorer can provide. Ultimately, it will be a matter of personal preference but this guide will help you make an informed decision and expand your horizons.

One last thing I want to mention: in the interest of making the GIFs viewable on the most common screen resolutions and sizes, the tool will not be shown in a maximized state. Under normal circumstances, I use Timeline Explorer while maximized on a large 1440p monitor to be able to see as much data as possible. GIFs in this guide are meant strictly for instructional purposes.

Download/Documentation

Download link: Eric Zimmerman’s GitHub

Documentation: In the Help menu within Timeline Explorer, there is a Quick Help guide which will lay out some shortcuts and tricks that Eric cooked into the tool.

Screenshots

Screenshot (Timeline Explorer – Blank)

Screenshot (Timeline Explorer – Lone Wolf 2018 Scenario – RECmd Batch Output)

Yes, there is a dark mode. Use it! Tools -> Skins to customize Timeline Explorer to your liking.

Updating EZ Tools

First and foremost, make sure you have the latest version of Timeline Explorer. Running a PowerShell script (Get-ZimmermanTools.ps1) will make sure you have all of the latest versions of the EZ Tools suite.