Forensic-timeliner: A Windows Forensics Tool for DFIR Investigators


Forensic-Timeliner is a fast, open-source command-line tool designed to help digital forensics and incident response (DFIR) teams quickly build a unified timeline of Windows artifacts.

By automatically collecting, filtering, and merging CSV output from popular triage tools, it creates a mini timeline that is ready for analysis in tools like Timeline Explorer or Excel, as reported by security researchers.

Key Features

Unified Timeline Creation – Forensic-Timeliner scans a base directory for CSV files from tools such as EZ Tools, KAPE, Axiom, Chainsaw, Hayabusa, and NirSoft. It merges data from Amcache, Event Logs, MFT, Prefetch, JumpLists, Shellbags, browser histories, and more into a single timeline.

Automatic CSV Discovery – The tool discovers CSV files based on folder names, file names, or column headers. Default YAML settings handle most common tool outputs, so minimal configuration is needed.

Date Filtering and Deduplication – Investigators can specify start and end dates to include only ...
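A minimal sketch of the header-based CSV discovery and merging described under Key Features, added here as an example and not Forensic-Timeliner's own code. The signature table, column names and sample CSVs are assumptions constructed for illustration.

```python
import csv
import tempfile
from datetime import datetime
from pathlib import Path

# Hypothetical header signatures, constructed for this example (not the tool's YAML).
SIGNATURES = {
    "Prefetch": {"need": {"ExecutableName", "LastRun"}, "time": "LastRun", "detail": "ExecutableName"},
    "EventLog": {"need": {"TimeCreated", "EventId"}, "time": "TimeCreated", "detail": "EventId"},
}

def identify(header):
    """Return the artifact whose required columns all appear in the header."""
    cols = set(header or [])
    return next((n for n, s in SIGNATURES.items() if s["need"] <= cols), None)

def build_timeline(base_dir):
    """Walk base_dir, keep CSVs with a known header, merge rows by time."""
    rows = []
    for path in sorted(Path(base_dir).rglob("*.csv")):
        with open(path, newline="", encoding="utf-8-sig") as fh:
            reader = csv.DictReader(fh)
            artifact = identify(reader.fieldnames)
            if artifact is None:
                continue  # unrecognised CSV: skip instead of guessing columns
            sig = SIGNATURES[artifact]
            for rec in reader:
                try:
                    ts = datetime.strptime(rec[sig["time"]], "%Y-%m-%d %H:%M:%S")
                except (TypeError, ValueError):
                    continue  # malformed or missing timestamp: drop the row
                rows.append((ts, artifact, rec[sig["detail"]], path.name))
    return sorted(rows)

def demo():
    samples = {  # constructed sample CSVs, written to a temp directory
        "triage/pf.csv": "ExecutableName,LastRun\nCMD.EXE,2024-01-02 10:05:00\nBAD.EXE,not-a-date\n",
        "triage/logs/ev.csv": "TimeCreated,EventId\n2024-01-02 10:04:00,4624\n",
        "triage/notes.csv": "a,b\n1,2\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return build_timeline(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Rows with unparseable timestamps and CSVs with unknown headers are dropped silently here; in casework, count and log them so gaps in the timeline are explainable.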


Copyright of this story solely belongs to gbhackers.