Releases: r3nzsec/irflow-timeline

IRFlow Timeline 1.0.5

17 Mar 21:59

What's New in v1.0.5

Bug Fixes

  • Plaso import crash fixed — All Plaso/log2timeline .plaso and .timeline files now import correctly. A malformed LIMIT clause in the column discovery query caused a SQLite error on every Plaso file.
  • Intel Mac crash fixed — better-sqlite3 is now compiled as a universal fat binary (x86_64 + arm64) so the app no longer crashes on Intel MacBook Pros when opening any file.

Context Menu Improvements

  • Filter in / Filter out — Right-click any cell to instantly filter the grid to rows matching that value, or exclude rows with that value. Also available via ⌘+Click for a focused filter/column menu.
  • Tags collapsed into submenu — Tags no longer expand inline; hover over Tags ▸ to reveal the tag list, keeping the context menu compact.
  • Multi-row tagging — Select multiple rows (checkboxes), right-click, and apply a tag to all selected rows at once. The menu shows the count, e.g. "Tags (4 rows)".
  • Context menu background fixed — Menus are now fully opaque so grid content no longer bleeds through the background.

Copy Behaviour Fix

  • ⌘C now respects text selection — When text is selected in the detail panel, ⌘C copies the selected text instead of intercepting it and copying the whole row.

Version

  • About dialog and package updated to 1.0.5.

IRFlow Timeline 1.0.4

14 Mar 00:39

What's New in v1.0.4

Cell Context Menu — Filter in / Filter out

  • Right-click any cell to access new Filter in and Filter out options directly from the context menu. "Filter in" shows only rows matching that cell value; "Filter out" excludes them.
  • Cmd+Click (Ctrl+Click) any cell opens a quick-action menu with Filter in, Filter out, and Hide column.

Multi-Row Tagging

  • Select multiple rows via checkboxes, then right-click and apply a tag — it now applies to all selected rows at once. The menu shows the count (e.g., "Tags (4 rows)").

Redesigned Context Menu

  • Row right-click menu upgraded to native macOS blur/glass style matching the column header menu.
  • Tags collapsed into a hover submenu to keep the menu compact.

Improved Copy Behavior

  • Cmd+C now respects text selection — if you have text selected in the detail panel, it copies the selected text instead of the entire row.

.timeline File Support

  • .timeline files are now auto-detected: parsed as Plaso if valid, otherwise imported as CSV.
  • File open dialog updated to include .timeline alongside .plaso.

Crash Fix — Large File Import

  • Fixed V8 heap out-of-memory crash when importing large files. The 16GB heap limit now correctly applies to the main process where parsing runs.

Search Stability Fix

  • Fixed a crash (Cannot read properties of undefined) that could occur when searching certain terms.

IRFlow Timeline v1.0.3 Beta

09 Mar 12:49

What's New in v1.0.3

Raw NTFS Artifact Import

  • $MFT — Direct import of raw Master File Table with full path reconstruction from parent references, SI/FN dual timestamp extraction, and attribute flag parsing
  • $J ($UsnJrnl) — Raw USN Change Journal import with change reason mapping (rename, delete, data extend, security change), MFT parent correlation, and full path resolution

Ransomware Analytics

  • Automated ransomware impact analysis from $MFT data — detects rapid bulk file renames, high-entropy extension changes, ransom note drops, and temporal clustering of destructive operations
  • Severity-scored analytics card for quick incident scoping

VirusTotal Integration

  • Bulk VT API lookups from IOC matching with rate limiting and local caching
  • Malware family name extraction and verdict badges (malicious/suspicious/clean) displayed inline in the grid
  • Per-IOC retry for failed lookups and bulk "Retry Failed" button
  • URL enrichment support (defanged URLs auto-restored)
  • Relationship pivoting on malicious IOCs — contacted domains, communicating files, DNS resolutions
  • VT enrichment included in CSV export and HTML reports (scores, verdicts, threat labels, timestamps)
  • Clear VT Cache button in settings

Persistence Detection Expansion

  • 30+ persistence techniques with expanded coverage: Credential Providers, Silent Process Exit monitors, Network Providers, and more
  • Account persistence chain detection (creation → privilege escalation → group addition → password reset)
  • Cross-technique correlation (account event → persistence mechanism by same user/host within 60 min)
  • PowerShell 4104 script block fragment reassembly with persistence pattern matching

Bug Fixes & Improvements

  • Fixed SQL UNION ALL LIMIT syntax error on import
  • Fixed VT filter case sensitivity (COLLATE NOCASE)
  • Fixed CSV export dropping falsy VT scores (0/0)
  • Fixed event listener leak on IOC modal close
  • Composite tags index for VT sort/filter performance
  • Updated Quick Help and About dialog with all new features

Build & Distribution

  • Auto-updater support
  • macOS notarization and electron-builder configuration
  • GitHub Actions release workflow

IRFlow Timeline 1.0.3

09 Mar 13:03

Automated macOS release for v1.0.3.

IRFlow Timeline v1.0.2 Beta

01 Mar 19:34

DFIR Timeline Analysis for macOS (Intel & Apple Silicon)

Download

  • IRFlow Timeline-1.0.2-beta-universal.dmg — Universal binary, works on both Intel and Apple Silicon Macs

Installation

  1. Download the DMG
  2. Open it and drag IRFlow Timeline to Applications
  3. On first launch: right-click the app > Open > Open (or System Settings > Privacy & Security > Open Anyway)

Features

Data Ingestion

  • Multi-format support — CSV, TSV, XLSX, EVTX (up to 3GB), Plaso JSON/JSONL
  • SQLite-backed — WAL mode with 500MB cache, handles millions of rows
  • Multi-tab parallel import — drag multiple files for concurrent import

Search & Filter

  • Full-text search — FTS-indexed with regex, contains, exact, starts/ends with
  • Cross-tab search — search across all open tabs
  • Advanced Edit Filter — multi-condition builder with AND/OR logic, 11 operators

Analysis

  • Timeline histogram — per-day event chart with click-drag time selection
  • IOC Matching — paste IPs, domains, hashes, URLs and match against data
  • Gap Analysis — detect quiet periods and activity sessions
  • Log Source Coverage — heatmap of source activity over time
  • Burst Detection — anomaly detection in event frequency
  • Stack Values — frequency analysis per column

Lateral Movement Analyzer

  • Impacket Remote Execution Detection (T1569.002) — Detects psexec.py, smbexec.py, wmiexec.py, dcomexec.py, atexec.py via 10 signature patterns
  • RMM Tool Detection (T1219) — Scans for 30 commonly abused remote access tools
  • Brute Force / Password Spray Detection — T1110.001 / T1110.003
  • Credential Compromise & Lateral Pivot — T1078 / T1021

Process Inspector

  • Sysmon Process Tree — Build parent-child process trees from Sysmon Event ID 1

Workflow

  • Bookmarks & Tags — flag rows, color-coded tags, bulk tag by time range
  • Filter Presets — save/load named filter configurations
  • Session save/restore — persist full workspace state to .tle files
  • HTML report generation — summary with bookmarks, tags, and stats
  • Dark/Light theme — Unit 42 inspired palette
  • Keyboard shortcuts — ⌘O, ⌘F, ⌘B, ⌘E, ⌘S, ⌘W, ⌘+/−