AutoTimeliner: automatically extract forensic timeline from memory dumps

Often, during an incident response, it may be necessary to analyze a lot of evidence, such as disk and memory dumps.

In my workflow, one of the first steps is the creation of a timeline extracted from the volatile memory dump.

For this process, I've developed a simple Python script that automatically performs the timeline creation on multiple memory images.

The tool, named AutoTimeliner, is developed in Python 3, reusing some code from Malhunt.

AutoTimeliner automates a workflow similar to the one I described in this article:

  1. Identifies the correct Volatility profile for the memory image (skipped when a custom profile is supplied with -p).
  2. Runs the Volatility timeliner plugin against the memory dump and saves its output as a bodyfile.
  3. Runs the Volatility mftparser plugin, in order to extract the $MFT from memory and generate a bodyfile.
  4. Runs the Volatility shellbags plugin, in order to generate a bodyfile of the user activity (suggested by Matteo Cantoni).
  5. Merges the timeliner, mftparser and shellbags bodyfiles into a single bodyfile.
  6. Sorts and filters the merged bodyfile using mactime and exports the data as CSV.

The tool accepts wildcards, so the process can be started (for example) on an entire directory containing a set of memory dumps.
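As an added example (not the project's own code), here is a minimal Python 3 script that follows the six steps above for one or more images. It assumes Volatility 2 is callable as vol.py and that mactime from The Sleuth Kit is on PATH; the plugin names, the --output=body / --output-file options and the mactime flags are the real ones from those tools, while the intermediate bodyfile names and the de-duplication of identical bodyfile lines are my own choices.

```python
#!/usr/bin/env python3
"""Minimal re-implementation of the AutoTimeliner workflow (added example,
not the project's code). Assumed external commands: Volatility 2 as
`vol.py` and mactime from The Sleuth Kit, both reachable via PATH."""
import argparse
import glob
import re
import subprocess
from pathlib import Path

VOL = "vol.py"        # assumption: Volatility 2 entry point
MACTIME = "mactime"   # assumption: The Sleuth Kit mactime binary
BODY_PLUGINS = ("timeliner", "mftparser", "shellbags")
TIMEFRAME_RE = re.compile(r"\d{4}-\d{2}-\d{2}\.\.\d{4}-\d{2}-\d{2}")


def parse_profile(imageinfo_output: str) -> str:
    """Take the first profile from the 'Suggested Profile(s)' line printed by
    `vol.py imageinfo`; fail loudly rather than guess when none is found."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m or not m.group(1).strip():
        raise ValueError("imageinfo suggested no profile; pass one with -p")
    return m.group(1).split(",")[0].strip()


def identify_profile(image: Path) -> str:
    """Step 1: ask Volatility which profile fits the image."""
    out = subprocess.run([VOL, "-f", str(image), "imageinfo"],
                         capture_output=True, text=True, check=True).stdout
    return parse_profile(out)


def plugin_command(image, profile: str, plugin: str, out_file) -> list:
    """Steps 2-4: Volatility 2 invocation writing a plugin result as bodyfile."""
    return [VOL, "-f", str(image), f"--profile={profile}", plugin,
            "--output=body", f"--output-file={out_file}"]


def merge_body_lines(contents) -> list:
    """Step 5: merge bodyfile texts, dropping blank lines and exact
    duplicates while keeping order. Time sorting is left to mactime."""
    seen, merged = set(), []
    for text in contents:
        for line in text.splitlines():
            line = line.strip()
            if line and line not in seen:
                seen.add(line)
                merged.append(line)
    return merged


def mactime_command(bodyfile, timeframe=None) -> list:
    """Step 6: bodyfile in, comma-delimited CSV out, timestamps in UTC,
    optionally restricted to a YYYY-MM-DD..YYYY-MM-DD range."""
    if timeframe is not None and not TIMEFRAME_RE.fullmatch(timeframe):
        raise ValueError("timeframe must be YYYY-MM-DD..YYYY-MM-DD")
    cmd = [MACTIME, "-b", str(bodyfile), "-d", "-z", "UTC"]
    if timeframe:
        cmd.append(timeframe)
    return cmd


def build_timeline(image: Path, timeframe=None, profile=None) -> Path:
    """Run all six steps for one image and return the CSV path."""
    profile = profile or identify_profile(image)
    bodies = []
    for plugin in BODY_PLUGINS:
        out = image.with_name(f"{image.name}-{plugin}.body")   # assumed naming
        subprocess.run(plugin_command(image, profile, plugin, out), check=True)
        bodies.append(out)
    merged = image.with_name(f"{image.name}.body")
    merged.write_text("\n".join(merge_body_lines(
        p.read_text(errors="replace") for p in bodies)) + "\n")
    csv_path = image.with_name(f"{image.name}-timeline.csv")
    with csv_path.open("w") as fh:
        subprocess.run(mactime_command(merged, timeframe), stdout=fh, check=True)
    return csv_path


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-f", "--imagefile", nargs="+", required=True)
    ap.add_argument("-t", "--timeframe")
    ap.add_argument("-p", "--customprofile")
    args = ap.parse_args()
    # Expand wildcards here as well, in case the shell did not.
    images = [Path(p) for pat in args.imagefile
              for p in (sorted(glob.glob(pat)) or [pat])]
    for img in images:
        print(build_timeline(img, args.timeframe, args.customprofile))
```

Validating the timeframe before calling mactime matters because a malformed range is silently treated as no filter, which yields a full timeline instead of the window you asked for; failing early is the safer behaviour during an investigation.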


Requirements

The script drives Volatility and mactime (part of The Sleuth Kit) as external commands, so both must be installed.

Installation

Simply clone the GitHub repository:

git clone https://github.com/andreafortuna/autotimeliner.git

Usage

autotimeline.py [-h] -f IMAGEFILE [-t TIMEFRAME] [-p CUSTOMPROFILE]

optional arguments:
  -h, --help            show this help message and exit
  -f IMAGEFILE, --imagefile IMAGEFILE
                        Memory dump file
  -t TIMEFRAME, --timeframe TIMEFRAME
                        Timeframe used to filter the timeline (YYYY-MM-DD
                        ..YYYY-MM-DD)
  -p CUSTOMPROFILE, --customprofile CUSTOMPROFILE
                        Skip image identification and use a custom memory
                        profile
Examples

Extract timeline from TargetServerMemory.raw, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f TargetServerMemory.raw -t 2018-10-17..2018-10-21

Extract timeline from all images in current directory, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f ./*.raw -t 2018-10-17..2018-10-21

Extract timeline from TargetServerMemory.raw, using a custom memory profile:

./autotimeline.py -f TargetServerMemory.raw -p Win2008R2SP1x64

All timelines will be saved as $ORIGINALFILENAME-timeline.csv.


Download and further readings

3 Replies to “AutoTimeliner: automatically extract forensic timeline from memory dumps”

  1. Hi Andreia, which open-source tool would you suggest for automated remote memory dump acquisition? I'm looking for something stable (not causing BSOD) with command line options to run via PowerShell/PsExec and support for Windows client/server OS starting from W7/W2k8.

    1. Hi Timur,
      I'm currently working on a tool that allows automatic memory acquisition and verification.
      The script uses (for memory acquisition) both Comae DumpIt (https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c) and WinPmem from the Rekall framework (https://github.com/google/rekall). Both can be launched from the command line (also remotely), but DumpIt is not open source, so I suggest the latest release of WinPmem.
