AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Why Use Timeline Explorer?

Before we get into HOW to use Timeline Explorer, we need to understand WHY we should use Timeline Explorer in the first place. Thankfully, the guide below is designed to cover both the WHY and the HOW with visual aids and explanations! Timeline Explorer can serve as a perfect complement to any examiner who uses KAPE in the course of their examinations. CSV output from KAPE can be ingested into Timeline Explorer for analysis with ease.

Here are some features of Timeline Explorer that I personally feel help me be more effective in my everyday analysis:

  • Dark Mode
    • This is a personal preference but I’m huge into Dark Mode whenever available. There are more options besides Office 2019 Black (my preference) but having that option is appreciated.
  • Instant Filtering
    • Excel doesn’t populate results as you select options for your filter. Excel requires you to make your selections and then press OK before the results appear. It’s a nice-to-have feature for Timeline Explorer to filter in real time, as seen below.

    • Also, you can drag and select multiple consecutive items while filtering and hit the space bar to select the items all at once! I learned this by accident and decided to add a GIF for it here:

  • Context Menus in the Column Header
    • There are many options that you can utilize when right-clicking on a column header, including but not limited to: Sort Ascending/Descending and Best Fit (all columns).

  • Column Chooser
    • Too many columns? Want to just get rid of a few or see which ones aren’t visible?
    • Double Clicking on a column in the Column Chooser will restore it to its original position in the spreadsheet. You can also manually drag a column header into a position within the spreadsheet from the Column Chooser box.

  • Complex Filtering
    • It’s very easy to create complex filters and it’s even simpler to clear them. Watch the bottom left corner as I create multiple filter variables within Timeline Explorer to locate AKMonitor.exe (keylogger). I also demonstrate how you can clear a single element of your complex filter or the entire filter all at once. Another thing to watch with each step is the bottom right where Visible Lines changes with each filter I add.

    • If you want to do filtering on all .docx, .pptx, and .pdf files, for example, see the following demonstration and adjust to fit your use case. You can see below that I sort on Value Data2 after I apply the filter so I can effectively sort on when these file types were last opened. NOTE: notice how the change from AND to OR affects the filter on the bottom once it’s applied, and note that AND would return no results. No single entry matches all three queries on the same line!

    • Alternatively, you can manually adjust the filter as seen below.

    • Another thing to highlight is the difference in options when you filter from the column header compared to when you filter in the Edit Filter menu.

    • One last thing to highlight with regard to filtering is that you can have a complex filter in place and temporarily disable it by unchecking it below. This is helpful for when you find something evil and you want to temporarily disable the filter to see what else occurs before and after it when sorting on the timestamp column.

  • Tabbing
    • When I’m conducting analysis on an endpoint that I ran KAPE on, I typically take all relevant CSV output files and throw them into one instance of Timeline Explorer for that endpoint. I can easily distinguish the instance of Timeline Explorer as related to a given endpoint by viewing the file path in the bottom left hand corner since my output is often nested within an endpoint folder, i.e. C:\Users\Andrew\Desktop\2019 Lone Wolf Scenario\KAPE\HOSTNAME\mout\Registry\output.csv
    • In the below example, you can see me dragging and dropping all the files from the FileFolderAccess KAPE output folder. This includes output from JLECmd, LECmd, and SBECmd.

  • Tab Management
    • New in Version 1.1.0.0 – The search bar acts like a Contains search so if you’re looking for the MFT, like in the example below, see what results display as MFT is typed.

    • Tabs can also be closed one at a time with Ctrl+W or all at once with Ctrl+Q.

  • Timestamp Formatting
    • If you recall from the KAPE Guide, Excel requires a few housekeeping items to be completed before you can start your analysis. Timeline Explorer automatically places your timestamps in the yyyy-MM-dd HH:mm:ss format! How convenient!
    • If that timestamp format isn’t to your liking, you can change it in Tools -> Datetime Format.

    • Alternatively, you can adjust the Settings file for Timeline Explorer, which is located here: .\TimelineExplorer\Settings\TLE_settings.xml.

  • Search Options
    • Search Options allows you to modify the behavior of the search bar on the top right of Timeline Explorer.

  • Power Filtering
    • Under Search Options, you’ll see a blue “?”. Click that, and you’ll get this awesome mini-guide on how to conduct more powerful filtering on your data in Timeline Explorer. NOTE: this only applies to the top right search bar, NOT the column header filters.

  • Resetting Column Widths
    • Column sizes getting out of whack? Need a quick win to get them back to something manageable? Ctrl+R is your friend.

  • First Scrollable Column
    • You can organize the columns as you see fit to have the most important columns at the front of the table so they can be pinned as you scroll horizontally. This is basically like freezing a row in Excel, but a column instead. Below is an example of me enabling it once, demonstrating horizontal scroll, then changing my selection of the First Scrollable Column to include more columns.

  • Timeline Explorer is considerate of your cell position when removing an active filter.
    • This is particularly helpful when you find evil on a system and you want to see what else is around that particular artifact.
    • In the example below, I find the keylogger from the Lone Wolf 2018 Scenario and then I remove my filter so I can see what else is around that particular artifact.
    • Check the timestamp column so you can see what else happened on that system around that particular artifact.
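The OR-versus-AND extension filter, the sort on the last-opened timestamp, and the “find evil, drop the filter, look at what surrounds it” workflow described above, scripted in Python as an added example (this is not part of the original guide or of Timeline Explorer). The CSV rows and the ValueName/ValueData2 column names are constructed to resemble a KAPE registry export.

```python
import csv
import io
from datetime import datetime

# Constructed sample resembling a RecentDocs-style KAPE/RECmd CSV export.
# Column names and values are made up for this example; ValueData2 plays the
# role of "Value Data2" in the guide (when the file was last opened).
SAMPLE_CSV = """ValueName,ValueData2
Q3_report.docx,2018-04-05 13:02:11
budget.xlsx,2018-04-05 13:05:40
AKMonitor.exe,2018-04-05 13:07:02
slides.pptx,2018-04-04 09:15:00
notes.txt,2018-04-05 13:09:30
manual.pdf,2018-04-03 17:44:12
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # Timeline Explorer's default display format


def load_rows(text):
    """Parse CSV text into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_by_extension(rows, exts, mode="any", column="ValueName"):
    """Return rows whose name ends with one of `exts`, newest ValueData2 first.
    mode="any" is the OR filter from the guide; mode="all" is the AND filter,
    which can never match because one name cannot end with three extensions."""
    exts = tuple(e.lower() for e in exts)
    combine = any if mode == "any" else all
    hits = [r for r in rows if combine(r[column].lower().endswith(e) for e in exts)]
    return sorted(hits, key=lambda r: datetime.strptime(r["ValueData2"], TS_FORMAT), reverse=True)


def context_around(rows, needle, before=1, after=1, column="ValueName"):
    """Find the first row whose name contains `needle`, then 'clear the filter'
    and return its neighbours in timestamp order, the same pivot the guide
    performs by removing the filter with the cell position preserved."""
    ordered = sorted(rows, key=lambda r: datetime.strptime(r["ValueData2"], TS_FORMAT))
    idx = next(i for i, r in enumerate(ordered) if needle.lower() in r[column].lower())
    return ordered[max(0, idx - before): idx + after + 1]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print([r["ValueName"] for r in filter_by_extension(rows, [".docx", ".pptx", ".pdf"])])
    print(filter_by_extension(rows, [".docx", ".pptx", ".pdf"], mode="all"))  # []
    print([r["ValueName"] for r in context_around(rows, "AKMonitor.exe")])
```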

  • Super Timelines from Plaso can be ingested with added color coding functionality
    • Super Timelines are covered in SANS FOR508 and can be generated using Plaso. Entries in your Super Timeline will be color coded as seen below through the Legend provided in the Help menu of Timeline Explorer.

  • Conditional Formatting
    • Color coding can exist outside of Super Timelines! Here’s the process for making a simple rule that will highlight in green any row containing a .exe file.

    • Note that there are other ways to achieve this same result through the right click menu: Conditional Formatting -> Highlight Cell Rules -> Text That Contains…

  • Column Grouping
    • This is a very powerful way to filter and sort through your data. In the below sample, I group first by Event ID so I can see how many of each Event ID there is. Secondly, I group by Time Created so I can see how many Event IDs are on which dates. This is a pretty benign sample but it illustrates how you can customize the filtering to cater to your needs.

    • Once you’re done with grouping, there are multiple ways to clear the grouping. You can either right-click on each element individually and select Ungroup, or you can right-click off to the side inside the grouping pane and select Clear Grouping. Either option will return the column(s) to their original position prior to being dragged into the grouping pane.

  • Copy Column Headers on Ctrl+C
    • I always appreciate options like this because it gives the examiner flexibility. It’s important to be aware of this, since the first time you copy output from Timeline Explorer it may behave in a manner you aren’t used to: the Column Header is included in the copied text, which may not be what you were expecting.

  • New in 1.1.3.0, you can double click on the file path displayed in the bottom left of the window and it’ll copy the file path to clipboard.

  • When you hover over the file path, you’ll see this dialog box:

  • Save Session
    • If you have the entirety of your KAPE output for a single system opened in Timeline Explorer and you want to save that session, you can easily do that so the session will persist after a reboot.
    • File -> Save Session to save your session. File -> Open to restore your saved session.
    • Alternatively, Phill Moore from This Week in 4n6 created a PowerShell script to automate the creation of a session file that includes all the KAPE output. This will save you from having to manually drag each CSV into Timeline Explorer and then manually saving it into a saved session. You can find the script here!
  • Cost: free, but you should really consider buying Eric a couple beers a month for all the work he’s done
  • Catered to my needs as a digital forensic examiner whereas Excel is more general purpose
  • Timeline Explorer is read only except for the Tag column with certain supported file types.
    • Forensically sound, unlike Excel!
  • Can open nearly any CSV or Excel file
    • The only limitation is it will open the first workbook only. Others will be ignored.

There are some things I’d still use Excel for, and that’s okay! Namely:

  • Pivot Tables
    • I learned about the power of Pivot Tables from a coworker who is a Pivot Table Jedi Master. I typically use the power of Pivot Tables to easily view the earliest entry for each of the event logs so I know how far back my logs go for a specific system.