Plaso (log2timeline)
Plaso is the artifact aggregator that fuses logs from disparate sources into a unified super-timeline, parsing events from syslogs to browser caches for a chronological view of incidents. Run log2timeline on your forensic image via the CLI to generate a Plaso storage file, then query it with psort filters for key moments like logon spikes or file accesses. Open-source and event-dense, it's the master chronologist for solo examiners weaving narratives from digital breadcrumbs.
Timesketch
Timesketch is the collaborative sketchpad for timelines, ingesting Plaso outputs or raw logs to build interactive sketches with annotations and search for collaborative IR storytelling. Load your timeline data via the web UI, zoom into clusters of events, and export sketches for reports with ease. Open-source from Google, it's the visual virtuoso for individuals sharing incident insights without losing the plot.
Super Timeline (Sleuth Kit)
Super Timeline from Sleuth Kit is the file system chronographer that sorts MAC times across directories into a body file for spotting creation patterns or anti-forensic tweaks in disk images. Use fls to extract the body file, then sort it with mactime for a unified view of file activity, scripting the chain for automated ingestion. Open-source and timeline-pure, it's the meticulous mapper for disk forensics pros reconstructing user actions from metadata.
Autopsy Timeline
Autopsy Timeline is the GUI timeline builder that aggregates file events, logs, and artifacts into filterable views, highlighting anomalies like recent modifications in a graphical calendar. Ingest your case data, apply keywords or time ranges, and drill down with linked evidence for narrative flow. Open-source and integrated, it's the accessible artist for examiners painting incident pictures from forensic canvases.
RegRipper
RegRipper is the registry timeline extractor that parses Windows hives for event timelines, from USB history to recent docs, outputting chronological reports for user activity reconstruction. Run it on extracted hives via its Perl scripts, selecting plugins for targeted hunts like LSA secrets. Open-source and registry-focused, it's the hive historian for analysts chronicling behaviors from NTUSER keys.
Velociraptor Timeline
Velociraptor's Timeline module crafts event streams from VQL hunts, blending logs and artifacts into searchable timelines for endpoint IR with artifact correlations. Query live or offline for custom views, exporting to notebooks for shareable chronologies. Open-source and query-driven, it's the dynamic drafter for responders sketching threats across distributed logs.
GRR Timeline Flows
GRR's Timeline Flows collect and sort log events from agents into client-side timelines, enabling remote reconstruction of incidents with flow-based automation for scaled hunts. Trigger flows on targets to pull events, then analyze them in the console for patterns like log deletions. Open-source from Google, it's the fleet chronographer for investigators syncing timelines from afar.
LogParser (Microsoft)
LogParser is the SQL-like query engine for Windows logs, transforming Event Viewer XML into timelines with joins across sources for custom incident queries. Install the tool and script against .evtx files for filtered chronologies, outputting to CSV for Excel visualization. Free from Microsoft, it's the relational relator for Windows admins turning log sprawl into structured stories.
Chronicle (Google Cloud)
Chronicle is the cloud-native SIEM that auto-generates entity timelines from ingested logs, linking users and hosts in YARA-L hunts for behavioral anomaly detection. Feed it your logs via API for retroactive queries, visualizing paths in detective views. Paid but with a free tier, it's the AI-assisted archivist for individuals scaling log timelines to enterprise depths.