andreafortuna/autotimeliner andreafortuna/autotimeliner

  • Stars
    star
    117
  • Rank 290,992 (Top 6 %)
  • Language
    Python
  • License
    MIT License
  • Created over 5 years ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
andreafortuna/autotimeliner
github

andreafortuna

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automagically extract forensic timeline from volatile memory dump

AutoTimeliner

Autotimeliner

Automagically extract forensic timeline from volatile memory dumps.

Requirements

  • Python 3
  • Volatility
  • mactime (from SleuthKit)

(Developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5)

How it works

AutoTimeline automates this workflow:

  • Identify correct volatility profile for the memory image.
  • Runs the timeliner plugin against volatile memory dump using volatility.
  • Runs the mftparser volatility plugin, in order to extract $MFT from memory and generate a bodyfile.
  • Runs the shellbags volatility plugin in order to generate a bodyfile of the user activity. (suggested by Matteo Cantoni).
  • Merges the timeliner, mftparser and shellbags output files into a single bodyfile.
  • Sorts and filters the bodyfile using mactime and exports data as CSV.

Installation

Simply clone the GitHub repository:

git clone https://github.com/andreafortuna/autotimeliner.git

Usage

autotimeline.py [-h] -f IMAGEFILE [-t TIMEFRAME] [-p CUSTOMPROFILE]

optional arguments:
  -h, --help            show this help message and exit
  -f IMAGEFILE, --imagefile IMAGEFILE
                        Memory dump file
  -t TIMEFRAME, --timeframe TIMEFRAME
                        Timeframe used to filter the timeline (YYYY-MM-DD
                        ..YYYY-MM-DD)
  -p CUSTOMPROFILE, --customprofile CUSTOMPROFILE
                        Jump image identification and use a custom memory
                        profile

Examples

Extract timeline from TargetServerMemory.raw, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f TargetServerMemory.raw -t 2018-10-17..2018-10-21

Extract timeline from all images in current directory, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f ./*.raw -t 2018-10-17..2018-10-21

Extract timeline from TargetServerMemory.raw, using a custom memory profile:

./autotimeline.py -f TargetServerMemory.raw -p Win2008R2SP1x64

All timelines will be saved as $ORIGINALFILENAME-timeline.csv.

TODO

  • Better image identification
  • Better error trapping

More Repositories

1

VBAIPFunctions

IP manipulation and lookup VBA functions
VBA
64
star
2

malhunt

Hunt malware with Volatility
Python
41
star
3

YATTRSSC

yet Another Tiny Tiny RSS Client
JavaScript
16
star
4

Microspia-Android-Tap

Simple spy app for Android
Java
11
star
5

pycodeinjector

Python code injection library
Python
9
star
6

MITMInjector

Simple MITM proxy with injection features.
Python
8
star
7

FFANS

Fuckin' Fast Network Scanner
C#
4
star
8

niles-tg-bot-nodejs

Simple NodeJs telegram bot template, designed to run on PaaS (currently only on Heroku)
JavaScript
2
star
9

RaiPlayDL

RaiPlay Podcast Downloader
Python
2
star
10

PSNTServicesUtils

Simple Powershell module for NT Services manipulation via WMI
PowerShell
2
star
11

OSUProject

Open Source Ukulele Project
2
star
12

pyscho

pySchö - Python Schönberg: Algorithmic music composition
Python
1
star
13

andreafortuna.github.com

Andy's Blog
HTML
1
star
14

DomainStalker

Python script to perform subdomain enumeration using google, bing, yahoo and virusTotal.com, providing record resolution and http/https response codes.
Python
1
star
15

FirefoxPrivacyEnhancements

Customized user.js with privacy enhancements for Mozilla Firefox
JavaScript
1
star