WindowsTimeline

DFIR Tools

License Type: Free
Forensic Utilities - Windows
Timeline
Works with any ActivitiesCache.db (Windows 1703/1709/1803/1809/1903/1909/2004 ..)
- Decodes Clipboard Text
- Matches DB device information with data from the registry (HKCU or NTUSER.DAT)
- Shows all the important information from the JSON blobs
- Optionally exports output to "|" delimited .csv in a timestamped folder in the form of "WindowsTimeline_dd-MMM-yyyyTHH-mm-ss".

Parses:
 - Standalone ActivitiesCache.db
 - Current user's selected ActivitiesCache.db with matching registry (HKCU) device entries
 - Standalone ActivitiesCache.db with offline NTUSER.DAT device entries
