acquiredsecurity/shotliner
Shotliner

Shotliner is a malware forensic timeline diffing tool. Inspired by Regshot, it compares a clean baseline forensic timeline against a post-infection timeline to identify newly introduced artifact activity. It is ideal for malware triage, reverse engineering, and forensic investigations. Always take a snapshot of your clean VM! Take a baseline collection and process your raw forensic artifacts with the tools below. Once you have a baseline you shouldn't have to take one again, as long as you always revert to a clean snapshot on your analysis VM.

Tools you should use for triage collection and data processing supported by ForensicTimeliner

  • Kape/EZ tools
  • Axiom
  • Chainsaw
  • Hayabusa
  • Run ForensicTimeliner on the output from your processing tools to create a forensic timeline. You now have a baseline of your VM to compare against the output you collect after malware execution.

Execute your malware sample and let it run for the duration of your intended analysis, then take a second forensic artifact collection of the VM/host. Rerun your variation of EZ Tools, Axiom, Chainsaw and Hayabusa, and then run ForensicTimeliner again.

You now have two timelines: one pre-execution and one post-execution. Use Shotliner to run a diff between the two ForensicTimeliner outputs to more easily find malware-related activity; it eliminates all the known baseline behavior from your timeline so you can get to the bad quickly.

```
.\shotliner.exe --Base C:\Users\admin0x\Desktop\shotliner\test\base\20250502_235216_ForensicTimeliner.csv --New C:\Users\admin0x\Desktop\shotliner\test\infected\20250502_235455_ForensicTimeliner.csv --Output diff.csv
```

| Argument | Description |
|----------|-------------|
| `--Base` | Path to the clean baseline timeline CSV |
| `--New` | Path to the infected/post-event timeline CSV |
| `--Output` | (Optional) Custom output path for the diff CSV |
| `--Help` | Displays this help menu |

Features

  • Artifact Diffing: Compares two CSV timeline exports from ForensicTimeliner and highlights only newly introduced rows.
  • No Date-Based Filtering: Diffing is performed on key behavioral fields, not timestamps.
  • Modular Fields: Supports standard ForensicTimeliner output headers.
  • Portable & Lightweight: Single EXE, no dependencies.
  • CSV Output: Generates a timestamped diff CSV in standard timeline format.

Timeline Format

Shotliner expects timeline input files in the ForensicTimeliner format, which aggregates artifact data from the processing tools listed above into a single CSV with the following header row:

```
DateTime,TimestampInfo,ArtifactName,Tool,Description,DataDetails,DataPath,FileExtension,EventId,User,Computer,FileSize,IPAddress,SourceAddress,DestinationAddress,SHA1,Count,EvidencePath
```
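The two ideas above, diffing on behavioral fields rather than timestamps (Features) and reading and writing the ForensicTimeliner header (Timeline Format), can be illustrated with a short Python script. This is an added example written for this README, not Shotliner's own code: Shotliner is a single EXE and the README does not state which columns it uses as the diff key, so the choice of `KEY_FIELDS` below is an assumption, and the two sample timelines are constructed inline rather than taken from a real collection.

```python
"""Illustrative baseline-vs-post-execution timeline diff in the ForensicTimeliner CSV format.

Example code written to accompany the Shotliner README; it is not Shotliner itself.
"""
from __future__ import annotations

import csv
import io

# Header row exactly as documented for ForensicTimeliner output.
HEADER = ("DateTime,TimestampInfo,ArtifactName,Tool,Description,DataDetails,DataPath,"
          "FileExtension,EventId,User,Computer,FileSize,IPAddress,SourceAddress,"
          "DestinationAddress,SHA1,Count,EvidencePath")
FIELDS = HEADER.split(",")

# ASSUMPTION: the columns that define a row's behavioural identity. DateTime, Count and
# EvidencePath are deliberately left out so that the same artifact observed again at a
# later time, or collected to a different folder, is not reported as new.
KEY_FIELDS = ("ArtifactName", "Tool", "Description", "DataDetails", "DataPath",
              "EventId", "User", "Computer", "SHA1")


def load_timeline(csv_text: str) -> list[dict[str, str]]:
    """Parse ForensicTimeliner CSV text into row dicts, refusing files with a different header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != FIELDS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    return list(reader)


def row_key(row: dict[str, str]) -> tuple[str, ...]:
    """Case-insensitive key over KEY_FIELDS (Windows paths and names are case-insensitive)."""
    return tuple(row[f].strip().lower() for f in KEY_FIELDS)


def diff_timelines(base: list[dict[str, str]], new: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return the rows of `new` whose behavioural key never occurs in `base`, in original order."""
    baseline = {row_key(r) for r in base}
    return [r for r in new if row_key(r) not in baseline]


def write_timeline(rows: list[dict[str, str]]) -> str:
    """Serialise rows with the standard header so the diff loads in the same timeline tooling."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def make_row(**values: str) -> dict[str, str]:
    """Build a complete 18-column row; columns not supplied are empty strings."""
    unknown = set(values) - set(FIELDS)
    if unknown:
        raise KeyError(f"not timeline columns: {sorted(unknown)}")
    return {f: values.get(f, "") for f in FIELDS}


def sample_timelines() -> tuple[str, str]:
    """CONSTRUCTED sample data (not a real collection): two artifacts present in both timelines
    with different timestamps, plus one artifact that only appears after execution."""
    notepad = dict(TimestampInfo="Last Run", ArtifactName="Prefetch", Tool="EZ Tools",
                   Description="Program executed", DataDetails="NOTEPAD.EXE",
                   DataPath=r"C:\Windows\System32\notepad.exe", FileExtension=".exe",
                   User="admin0x", Computer="ANALYSIS-VM")
    logon = dict(TimestampInfo="Event Time", ArtifactName="Security", Tool="Chainsaw",
                 Description="Logon", DataDetails="Interactive logon", EventId="4624",
                 User="admin0x", Computer="ANALYSIS-VM")
    base = [
        make_row(DateTime="2025-05-02 23:40:01", Count="1",
                 EvidencePath=r"C:\collect\base\Prefetch", **notepad),
        make_row(DateTime="2025-05-02 23:41:10", Count="1",
                 EvidencePath=r"C:\collect\base\Security.evtx", **logon),
    ]
    new = [
        # Same behaviour, later timestamp, higher run count: must NOT be reported.
        make_row(DateTime="2025-05-02 23:52:15", Count="2",
                 EvidencePath=r"C:\collect\new\Prefetch", **notepad),
        make_row(DateTime="2025-05-02 23:53:02", Count="1",
                 EvidencePath=r"C:\collect\new\Security.evtx", **logon),
        # Present only post-execution: the analyst's sample (constructed path and placeholder hash).
        make_row(DateTime="2025-05-02 23:54:30", TimestampInfo="Last Run", ArtifactName="Prefetch",
                 Tool="EZ Tools", Description="Program executed", DataDetails="SAMPLE.EXE",
                 DataPath=r"C:\Users\admin0x\Desktop\sample.exe", FileExtension=".exe",
                 User="admin0x", Computer="ANALYSIS-VM", SHA1="<constructed-sha1-placeholder>",
                 Count="1", EvidencePath=r"C:\collect\new\Prefetch"),
    ]
    return write_timeline(base), write_timeline(new)


def run_demo() -> list[dict[str, str]]:
    """Diff the constructed timelines and print the result as a timeline-format CSV."""
    base_csv, new_csv = sample_timelines()
    delta = diff_timelines(load_timeline(base_csv), load_timeline(new_csv))
    print(write_timeline(delta))
    return delta


if __name__ == "__main__":
    run_demo()
```

Running the script prints a one-row CSV containing only the `SAMPLE.EXE` Prefetch entry: the notepad and logon rows are dropped even though their `DateTime` and `Count` values changed between collections, which is exactly why timestamp-free keying matters for a clean baseline comparison. To compare real ForensicTimeliner exports, replace `sample_timelines()` with reads of the two CSV files and write the result of `write_timeline()` to disk.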
