A high-performance native macOS application for DFIR timeline analysis. Built on Electron + SQLite to handle millions of rows from CSV, TSV, XLSX, EVTX, Plaso, raw $MFT, and $J ($UsnJrnl) files without breaking a sweat.
Inspired by Eric Zimmerman's Timeline Explorer for Windows.
- Raw NTFS Artifact Import — Direct ingestion of $MFT and $UsnJrnl ($J) with full path reconstruction, SI/FN timestamps, and change reason mapping
- Ransomware Analytics — Automated impact analysis from $MFT data: bulk rename detection, entropy-based extension analysis, ransom note identification, and temporal clustering
- VirusTotal Enrichment — IOC matching with bulk VT lookups, malware family extraction, verdict badges, relationship pivoting, and local caching
- Process Inspector — Parent-child process tree analysis with 340+ MITRE ATT&CK detection rules
- Lateral Movement Tracker — Network logon and RDP session visualization as interactive force-directed graphs
- Persistence Analyzer — 30+ persistence techniques with account chain detection, cross-technique correlation, and PowerShell 4104 script block reassembly
- IOC Matching — 17+ indicator categories with auto-defanging, inline highlighting, CSV/HTML export with VT enrichment data
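To make the $J "change reason mapping" and "full path reconstruction" features above concrete, here is an added example (not IRFlow's own code): a small Node.js decoder for one USN_RECORD_V2 that maps the Reason bitmask to USN_REASON_* names and splits the 64-bit file reference into MFT entry and sequence number, the parent entry being what a $MFT join needs for path rebuilding. The sample record is constructed, not taken from real evidence.

```javascript
// Added example: decode a USN_RECORD_V2 from a $UsnJrnl:$J buffer (Node.js).
// Layout per Microsoft's USN_RECORD_V2: 60-byte fixed header, then UTF-16LE name.
const USN_REASONS = [ // [flag, name], USN_REASON_* values from winioctl.h
  [0x1, 'DATA_OVERWRITE'], [0x2, 'DATA_EXTEND'], [0x4, 'DATA_TRUNCATION'],
  [0x10, 'NAMED_DATA_OVERWRITE'], [0x20, 'NAMED_DATA_EXTEND'], [0x40, 'NAMED_DATA_TRUNCATION'],
  [0x100, 'FILE_CREATE'], [0x200, 'FILE_DELETE'], [0x400, 'EA_CHANGE'],
  [0x800, 'SECURITY_CHANGE'], [0x1000, 'RENAME_OLD_NAME'], [0x2000, 'RENAME_NEW_NAME'],
  [0x4000, 'INDEXABLE_CHANGE'], [0x8000, 'BASIC_INFO_CHANGE'], [0x10000, 'HARD_LINK_CHANGE'],
  [0x20000, 'COMPRESSION_CHANGE'], [0x40000, 'ENCRYPTION_CHANGE'], [0x80000, 'OBJECT_ID_CHANGE'],
  [0x100000, 'REPARSE_POINT_CHANGE'], [0x200000, 'STREAM_CHANGE'], [0x400000, 'TRANSACTED_CHANGE'],
  [0x800000, 'INTEGRITY_CHANGE'], [0x80000000, 'CLOSE'],
];
const EPOCH_DIFF_100NS = 116444736000000000n; // FILETIME epoch (1601) to Unix epoch (1970)

// Bitmask -> list of reason names, in ascending flag order.
const decodeReason = (mask) => USN_REASONS.filter(([f]) => (mask & f) !== 0).map(([, n]) => n);
// FILETIME (100ns ticks since 1601) -> ISO 8601 UTC string.
const filetimeToIso = (ft) => new Date(Number((ft - EPOCH_DIFF_100NS) / 10000n)).toISOString();

function parseUsnRecordV2(buf, offset = 0) {
  if (buf.readUInt16LE(offset + 4) !== 2) throw new Error('not a V2 record');
  const fileRef = buf.readBigUInt64LE(offset + 8);
  const parentRef = buf.readBigUInt64LE(offset + 16);
  const reason = buf.readUInt32LE(offset + 40);
  const nameLen = buf.readUInt16LE(offset + 56);
  const nameOff = buf.readUInt16LE(offset + 58);
  return {
    recordLength: buf.readUInt32LE(offset),            // use to step to the next record
    timestamp: filetimeToIso(buf.readBigUInt64LE(offset + 32)),
    mftEntry: Number(fileRef & 0xffffffffffffn),       // low 48 bits
    mftSequence: Number(fileRef >> 48n),               // high 16 bits
    parentEntry: Number(parentRef & 0xffffffffffffn),  // join against $MFT for the full path
    reasons: decodeReason(reason),
    name: buf.toString('utf16le', offset + nameOff, offset + nameOff + nameLen),
  };
}

// Constructed sample record (not real evidence): "invoice.docx" renamed, then closed.
function buildSampleRecord() {
  const name = Buffer.from('invoice.docx', 'utf16le');
  const buf = Buffer.alloc((60 + name.length + 7) & ~7); // records are 8-byte aligned
  buf.writeUInt32LE(buf.length, 0); buf.writeUInt16LE(2, 4);
  buf.writeBigUInt64LE((5n << 48n) | 1234n, 8);  // sequence 5, MFT entry 1234
  buf.writeBigUInt64LE((1n << 48n) | 5n, 16);     // parent: root directory (entry 5)
  buf.writeBigUInt64LE(BigInt(Date.UTC(2024, 0, 15, 10, 30)) * 10000n + EPOCH_DIFF_100NS, 32);
  buf.writeUInt32LE(0x80002000, 40);              // RENAME_NEW_NAME | CLOSE
  buf.writeUInt16LE(name.length, 56); buf.writeUInt16LE(60, 58); name.copy(buf, 60);
  return buf;
}
console.log(parseUsnRecordV2(buildSampleRecord()));
```

A real $J is a sparse stream of these records back to back; advance by `recordLength`, skipping zero-filled regions, to walk it.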
For the full feature list and documentation, visit the IRFlow Timeline Docs.
Prerequisites (for developers only):
- Node.js 18+: `brew install node`
- Xcode CLI tools: `xcode-select --install` (for native module compilation)
- macOS 11+ (Big Sur or later)
```bash
git clone https://github.com/r3nzsec/irflow-timeline.git
cd irflow-timeline
npm install
npx electron-rebuild -f -w better-sqlite3

# Development (hot-reload)
npm run dev

# Build + launch
npm run start

# Package as universal DMG
npm run dist:universal
```

Output in `release/`.
| Project | Usage | Link |
|---|---|---|
| Electron | Application framework | electron/electron |
| better-sqlite3 | High-performance SQLite engine with WAL mode, FTS5 | WiseLibs/better-sqlite3 |
| @ts-evtx/core | Native Windows EVTX event log parsing | NickSmet/ts-evtx |
| Plaso (log2timeline) | Forensic timeline generation (we import Plaso SQLite output) | log2timeline/plaso |
| ExcelJS | XLSX streaming reader | exceljs/exceljs |
| SheetJS (xlsx) | XLSX parsing | SheetJS/sheetjs |
| csv-parser | CSV/TSV streaming parser | mafintosh/csv-parser |
| React | UI rendering | facebook/react |
| Vite | Build tooling and hot-reload | vitejs/vite |
| VitePress | Documentation site | vuejs/vitepress |
| electron-builder | macOS DMG packaging | electron-userland/electron-builder |
- Eric Zimmerman -- Timeline Explorer for Windows, the original inspiration for this project
- log2timeline/Plaso -- Super timeline generation framework by Kristinn Gudjonsson and contributors
- SANS DFIR -- DFIR training and community resources
- The DFIR Report -- Real-world intrusion analysis reports that informed threat detection patterns
- CyberCX -- NTFS $UsnJrnl research that informed $J parsing implementation
Thanks to the following people for testing and providing feedback:
Apache-2.0