Forensic Timeliner (timeliner.exe, or Timeliner) allows users to collect and export system timelines on Windows systems for forensic analysis. It is intended to retrospectively discover and display indicators of prior malware infection.
Use of Forensic Timeliner requires a subscription to one of the following:
- Incident Response
- Endpoint Protection
- Endpoint Detection and Response
Download and register Forensic Timeliner
- Log in to Nebula or OneView.
- On the left navigation menu, click Download Center.
- Select the Advanced tools tab.
- Scroll down to the Remediation (Unmanaged) section.
- Under Windows Breach Remediation, click Download.
- Extract the Breach_Remediation_4.x.x.x folder into the directory of your choice.
- Navigate to the subfolder \Windows\Forensic Timeliner to find the timeliner self-extracting executable.
- Right-click the program and run as administrator to extract the program and its dependencies.
- You now need to register Forensic Timeliner.
- Get your product license key.
- Nebula: Go to Download Center > Advanced tools and locate the License key at the bottom.
- OneView: Go to Manage > Sites, click a site, and locate the license key in the top-right.
- Manually copy the license or click the copy to Clipboard icon next to the license key.
- Open an elevated Command Prompt.
- Change the directory with the cd command to the folder that now contains timeliner.exe (the \Windows\Forensic Timeliner subfolder you extracted above).
- Run the following command to register the product:
timeliner register -key:YOURKEYHERE
- The program is now registered. Copy the entire Forensic Timeliner folder to your target machine. Below are examples of configuring custom settings and running a timeliner collection:
- Configure custom settings: timeliner settings -exclude.import:"%CD%\Doc\Samplefiles\ExclusionsExport.txt" -exclude.timeBefore:7d -exclude.installBefore:7d
- View the custom settings: timeliner settings
- Clear the settings: timeliner settings -resetAll
- Start timeliner collection: timeliner collect
- Once complete, a csv named forensic-log-hostname-date-time.csv will be located under the \Windows\Forensic Timeliner directory. Running a subsequent timeliner collection generates a new log file; prior csv reports are not overwritten.
For additional commands and switches, reference the Forensic Timeliner Administrator Guide.
The license key is considered active for 14 calendar days, unless a different time interval was specified at time of purchase. Each time the client is used on an endpoint, its license status is checked. If your license deactivates (times out), you must re-register timeliner by running the timeliner register command again as described above. This is to prevent unauthorized use of the client. There is no additional cost to re-register the client.
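The following PowerShell wrapper is an added example and is not code from this page or from Malwarebytes. It runs the documented register, settings and collect commands from an elevated session on the target host, then copies the CSV that this run produced to an evidence share together with a SHA-256 hash so the copy can be verified later. The install path C:\Tools\Forensic Timeliner, the UNC path \\evidence\cases\IR-1234 and the assumption that timeliner.exe exits with 0 on success are all hypothetical; only the commands and switches shown on this page are used. If the folder was already registered before it was copied to the target, the register step can be skipped, but re-running it costs nothing and covers the 14-day timeout.

```powershell
# Added example, not part of the Forensic Timeliner documentation.
# Runs register -> settings -> collect and ships the new CSV to an evidence share.
param(
    [Parameter(Mandatory)] [string] $LicenseKey,             # from Download Center > Advanced tools (Nebula) or Manage > Sites (OneView)
    [string] $TimelinerDir  = 'C:\Tools\Forensic Timeliner',  # ASSUMPTION: where the copied folder lives on the target
    [string] $EvidenceDir   = '\\evidence\cases\IR-1234',    # ASSUMPTION: hypothetical UNC share for collected output
    [string] $Exclusions,                                    # defaults to the sample exclusions file shown on the page
    [string] $TimeBefore    = '7d',
    [string] $InstallBefore = '7d'
)

$ErrorActionPreference = 'Stop'
if (-not $Exclusions) { $Exclusions = Join-Path $TimelinerDir 'Doc\Samplefiles\ExclusionsExport.txt' }

# The page says to use an elevated prompt; refuse to continue otherwise.
$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$exe = Join-Path $TimelinerDir 'timeliner.exe'
if (-not (Test-Path -LiteralPath $exe)) { throw "timeliner.exe not found in $TimelinerDir" }
Set-Location -LiteralPath $TimelinerDir

function Invoke-Timeliner {
    # Runs timeliner.exe with the given arguments and stops on a non-zero exit code.
    # ASSUMPTION: a zero exit code means success; the page does not document exit codes.
    param([string[]] $Arguments)
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "timeliner $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Register. The key times out after 14 calendar days by default; re-registering is free.
Invoke-Timeliner @('register', "-key:$LicenseKey")

# 2. Apply the collection settings from the page, then print them back for the case notes.
#    PowerShell quotes the whole argument when the path contains a space, which is the
#    same thing the page's -exclude.import:"..." form does.
Invoke-Timeliner @('settings',
    "-exclude.import:$Exclusions",
    "-exclude.timeBefore:$TimeBefore",
    "-exclude.installBefore:$InstallBefore")
Invoke-Timeliner @('settings')

# 3. Collect. Record the start time so the CSV from this run can be told apart from
#    earlier forensic-log-*.csv files, which the tool keeps rather than overwrites.
$started = Get-Date
Invoke-Timeliner @('collect')

$csv = Get-ChildItem -LiteralPath $TimelinerDir -Filter 'forensic-log-*.csv' |
       Where-Object { $_.LastWriteTime -ge $started.AddSeconds(-2) } |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
if (-not $csv) { throw 'No new forensic-log-*.csv was produced by this run.' }

# 4. Hash before copying, verify after, and append to a running manifest on the share.
$hash = (Get-FileHash -LiteralPath $csv.FullName -Algorithm SHA256).Hash
$dest = Join-Path $EvidenceDir $csv.Name
Copy-Item -LiteralPath $csv.FullName -Destination $dest
if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $hash) {
    throw "Hash mismatch after copying $($csv.Name) to $EvidenceDir"
}
"$hash  $($csv.Name)" | Add-Content -LiteralPath (Join-Path $EvidenceDir 'SHA256SUMS.txt')
Write-Host "Collected $($csv.Name) (SHA-256 $hash) -> $dest"
```

Run it as `.\Collect-Timeline.ps1 -LicenseKey YOURKEYHERE` from an elevated PowerShell on the target. Hashing the CSV before it leaves the host and re-checking it on the share is what lets you later show the timeline was not altered in transit; the SHA256SUMS.txt manifest accumulates one line per collection because the tool never overwrites earlier reports.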