Timeline Explorer

Using Timeline Explorer, Registry Explorer, RECmd, and EvtxECmd to analyze Windows artifacts and event logs.

Analyzing Windows Artifacts

A step-by-step guide to parsing, extracting, and analyzing Windows Registry hives, event logs, and autorun files using Eric Zimmerman's forensic tools and Sysinternals utilities.

  • 1

    Export Autoruns to CSV

    First, create a temporary directory and execute autorunsc (the command line version of Sysinternals Autoruns) with the -c switch to export all autoruns information in CSV format.

    mkdir c:\tmp
    autorunsc -c > c:\tmp\autorun.csv
  • 2

    Load CSV in Timeline Explorer

    Launch Timeline Explorer by running its executable name from the command prompt, then open the newly created CSV file (c:\tmp\autorun.csv).

    timelineexplorer
    Open CSV file in Timeline Explorer
  • 3

    Search for "shell"

    Use the search filter inside Timeline Explorer to look for references to shell, which can highlight command-line shells, PowerShell executions, or persistence mechanisms.

    Look for shell in Timeline Explorer
  • 4

    Scan User Profiles with Sigcheck

    To further investigate potential persistence or unauthorized binaries, run sigcheck to scan the C:\Users folder recursively. The switches restrict the scan to executable images (-e), report only unsigned files (-u), and recurse into all subdirectories (-s).

    sigcheck -u -e -s c:\users
    Scan with Sigcheck
  • 5

    Launch Registry Explorer

    Navigate to the Registry Explorer directory at C:\Tools\EricZimmerman\RegistryExplorer and open the application.

    Launch Registry Explorer
  • 6

    Load the SOFTWARE Registry Hive

    Go to the top menu and select File > Load hive. Load the SOFTWARE hive file from the Windows directory.

    Load hive in Registry Explorer
  • 7

    Inspect Windows Run Keys

    Navigate to the key path CMI-CreateHive...\Microsoft\Windows\CurrentVersion\Run. Here we can audit the active startup entries configured to run automatically on Windows boot.

    Inspect Windows Run Keys
  • 8

    Parse Hives with RECmd Batch

    Execute RECmd (Registry Explorer Command Line) to parse the registry hive using the SoftwareASEPs.reb batch rules, and output the findings as a CSV file to the C:\tmp directory.

    C:\Tools\EricZimmerman\RECmd\RECmd.exe --bn BatchExamples\SoftwareASEPs.reb -f "C:\Evidence\Kape Collection\C\Windows\System32\config\SOFTWARE" --csv C:\tmp

    Open Timeline Explorer, navigate to the C:\tmp folder, and load the newly generated batch CSV file (its file name starts with Batch...).

    Open RECmd Batch output in Timeline Explorer
  • 9

    Parse Event Logs with EvtxECmd

    Run EvtxECmd (Event Log Explorer Command Line) to parse the Windows System.evtx log file and export the parsed events into a CSV file named system.csv inside the C:\tmp directory.

    C:\Tools\EricZimmerman\RECmd\EvtxECmd.exe -f C:\Windows\System32\winevt\Logs\System.evtx --csv C:\tmp --csvf system.csv

    Open Timeline Explorer and load the generated system.csv file to inspect the Windows Event Log records in a tabular interface.

    Inspect Event Logs in Timeline Explorer
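
As an added example (not part of this guide, and not code from Eric Zimmerman's tools or Sysinternals), the Python script below applies the same triage the steps above do by hand to the two CSV exports: the "shell" search over the autorunsc output (step 3), narrowed to entries that launch from a user profile (the area step 4 scans), and a pull of event ID 7045 (a service was installed) from the EvtxECmd export of System.evtx (step 9). The column names it reads (Entry Location, Entry, Image Path, Launch String; EventId, TimeCreated, Provider, Computer, MapDescription, PayloadData1/2) are assumed to match the tools' headers, both sample CSVs are constructed, and the search is generalised from the literal "shell" to any regular expression.

```python
"""Scripted triage of the CSV files the steps above produce.

Added example for this guide, not part of Eric Zimmerman's tools or of
Sysinternals. The column names are assumptions about the autorunsc -c and
EvtxECmd --csv headers; only the columns named below are relied on, and
both sample files are constructed.
"""
import csv
import io
import re
from typing import Iterable, Iterator

# Constructed sample of autorunsc -c output (real exports carry more columns,
# e.g. hashes and signer information, depending on the switches used).
AUTORUNS_SAMPLE = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,WS01\alice,,,c:\windows\system32\windowspowershell\v1.0\powershell.exe,10.0.19041.1,powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\update.ps1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,explorer.exe,enabled,Logon,System-wide,Windows Explorer,Microsoft Corporation,c:\windows\explorer.exe,10.0.19041.1,explorer.exe
"""

# Constructed sample of EvtxECmd --csv output for System.evtx, cut down to the
# columns read here. What lands in PayloadData1/2 depends on EvtxECmd's event
# map for the provider; the "ServiceName:"/"ImagePath:" layout is assumed.
SYSTEM_EVENTS_SAMPLE = r"""EventRecordId,TimeCreated,EventId,Level,Provider,Computer,MapDescription,PayloadData1,PayloadData2
41207,2024-03-04 08:12:55.1234567,7036,Info,Service Control Manager,WS01,Service state change,ServiceName: Windows Update,State: running
41208,2024-03-04 08:13:02.8765432,7045,Info,Service Control Manager,WS01,Service installed,ServiceName: VMTools,ImagePath: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
41209,2024-03-04 08:14:40.0000000,7045,Info,Service Control Manager,WS01,Service installed,ServiceName: UpdSvc,ImagePath: C:\Users\alice\AppData\Local\Temp\updsvc.exe
41210,2024-03-04 09:01:10.0000000,6005,Info,EventLog,WS01,Event log service started,,
"""

# Paths under a user profile are writable without admin rights, which is why
# step 4 scans C:\Users; the same test narrows autorun and service hits here.
USER_PATH_RX = re.compile(r"c:\\users\\|\\appdata\\", re.IGNORECASE)


def _rows(csv_text: str) -> Iterator[dict]:
    """Yield one dict per CSV row; csv.DictReader handles the quoted fields."""
    yield from csv.DictReader(io.StringIO(csv_text))


def find_autorun_entries(csv_text: str, pattern: str = r"shell|cmd\.exe") -> list[dict]:
    """Scriptable version of the Timeline Explorer search in step 3.

    Every column is searched, as the GUI filter does, so a plain "shell" pattern
    also returns legitimate entries such as the Winlogon Shell value; the
    default pattern additionally catches cmd.exe launch strings.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for row in _rows(csv_text):
        if any(rx.search(value or "") for value in row.values()):
            hits.append({"location": row["Entry Location"], "entry": row["Entry"],
                         "image": row["Image Path"], "launch": row["Launch String"]})
    return hits


def user_profile_autoruns(csv_text: str) -> list[dict]:
    """Autorun entries whose binary or arguments live under a user profile."""
    return [
        {"location": row["Entry Location"], "entry": row["Entry"], "launch": row["Launch String"]}
        for row in _rows(csv_text)
        if USER_PATH_RX.search(row["Image Path"] + " " + row["Launch String"])
    ]


def events_by_id(csv_text: str, event_ids: Iterable[int]) -> list[dict]:
    """Select EvtxECmd rows by event ID, e.g. 7045 (a service was installed)."""
    wanted = {str(i) for i in event_ids}
    keep = ("TimeCreated", "EventId", "Provider", "Computer",
            "MapDescription", "PayloadData1", "PayloadData2")
    return [{k: row.get(k, "") for k in keep}
            for row in _rows(csv_text) if row.get("EventId") in wanted]


def service_installs_from_user_paths(csv_text: str) -> list[dict]:
    """7045 events whose recorded image path points into a user profile."""
    return [e for e in events_by_id(csv_text, [7045])
            if USER_PATH_RX.search(e["PayloadData1"] + " " + e["PayloadData2"])]


if __name__ == "__main__":
    for hit in find_autorun_entries(AUTORUNS_SAMPLE):
        print("autorun match:", hit["entry"], "->", hit["launch"])
    for hit in user_profile_autoruns(AUTORUNS_SAMPLE):
        print("user-profile autorun:", hit["entry"], "->", hit["launch"])
    for ev in service_installs_from_user_paths(SYSTEM_EVENTS_SAMPLE):
        print("service installed from user path:", ev["TimeCreated"],
              ev["PayloadData1"], ev["PayloadData2"])
```

To run it over real exports, read each file with `open(path, newline="", encoding=...)` and pass the text in; check the encoding of the autorunsc export before opening it, since it depends on how the console output was redirected. On the constructed data the plain "shell" search returns both the PowerShell Run entry and the legitimate Winlogon Shell value, which is exactly the noise the user-profile filter removes.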