github.com/airbus-cert/timeliner

⏳📈 timeliner

A rewrite of mactime, an ancient Perl tool that has (almost) 0 feature.

Why another tool?

The mactime's capabilities to filter events based on the time are limited to only a date filter. timeliner uses a real expression engine to parse and apply the filtering logic. The following queries can be expressed using a BPF syntax:

• Show events that happened between 01:00am and 05:00am: hour >= 1 && hour < 5
• Show events that happened in c:\windows\system32: path =~ "system32"
• Show events that happened on Saturday or Sunday: weekday == 'Sunday' || weekday == 'Saturday'
• Show events that happened between 2018-12-01 and 2018-12-31: date >= '2018-12-31' && date <= '2018-12-01'
• Show events that happened between 01:00am and 05:00am on Sundays or Saturday between 2018-12-01 and 2018-12-31: (hour >= 1 && hour < 5) && (weekday == 'Sunday' || weekday == 'Saturday') && (date >= '2018-12-31' && date <= '2018-12-01)

You get the idea :)

The project is still ⍺ and 👶 and is missing a few must-have features, but the killer feature is its expression engine which is ready.

How to use it?

$ timeliner -h
Usage of timeliner:
	timeliner [options] MFT.txt

  -color
    	Enable color output
  -filter string
    	Event filter, like "hour > 14"
  -strict
    	Only show the entries maching the date restrictions

$ timeliner -filter 'hour >= 1 && hour < 5' MFT.txt
2006-10-10 02:15:35: \.\Users\xxx\AppData\Local\Temp\eo117895978tm
           02:16:07: \.\Users\xxx\AppData\Local\Temp\eo117895980tm
2007-05-24 03:24:43: \.\Users\xxx\AppData\Local\Temp\eo130872105tm
           03:24:43: \.\Users\xxx\AppData\Local\Temp\eo113046312tm
           03:24:43: \.\Users\xxx\AppData\Local\Temp\eo112784182tm
           03:24:43: \.\Users\xxx\AppData\Local\Temp\eo112063273tm

There is a -strict flag to limit the output to only the matching event. For example, for one file, its modification time could be in 2015 while the creation in 2013, if we filter events after 2015:

• without the strict mode, both events (in 2013 and 2015) would show up.
• with strict mode, only the 2015 event would be kept:

$ timeliner MFT.txt
2013-04-10 08:42:37: \.\Windows\System32\winevt\Logs\Setup.evtx
2015-02-16 15:58:27: \.\Windows\System32\winevt\Logs\Setup.evtx

$ timeliner -filter 'date > "2015-01-01"' MFT.txt
2013-04-10 08:42:37: \.\Windows\System32\winevt\Logs\Setup.evtx
2015-02-16 15:58:27: \.\Windows\System32\winevt\Logs\Setup.evtx

$ timeliner -strict -filter 'date > "2015-01-01"' MFT.txt
2015-02-16 15:58:27: \.\Windows\System32\winevt\Logs\Setup.evtx

What are the available keywords?

Keyword	Shortcut alias	Type	Description
weekday	w	string	Day of the week (Sunday, Monday, ...)
hour	h	integer	0..24
min	m	integer	0..60
date	d	string	ISO8601 date
path	p	string	Path

What operators are supported?

• Modifiers: + - / * & | ^ ** % >> <<
• Comparators: > >= < <= == != =~ !~
• Logical ops: || &&
• String constants (single quotes: 'foobar')
• Date constants (single quotes, using any permutation of RFC3339, ISO8601, ruby date, or unix date; date parsing is automatically tried with any string constant)
• Boolean constants: true false
• Parenthesis to control order of evaluation ( )
• Arrays (anything separated by , within parenthesis: (1, 2, 'foo'))
• Prefixes: ! - ~

Read the expression engine manual to learn new tricks!