Blazing Fast
SQLite engine with sub-100ms queries on 10M+ rows. Streams 30GB+ files with zero-copy CSV parsing, memory-capped background indexing, and single-query analytics — no loading into memory.
Native macOS forensic timeline analysis. Import, search, and investigate EVTX, CSV, XLSX, and Plaso timelines with the analytics DFIR professionals actually need.
Mixed, FTS, LIKE, Fuzzy, and Regex. Full-text search, substring matching, typo-tolerant fuzzy, and pattern matching across millions of rows.
Reconstruct process trees from Sysmon and Security logs with 4-tier threat scoring, 342 chain rules + 13 standalone patterns mapped to MITRE ATT&CK.
Network graph with multi-hop chain reconstruction and RDP session correlation. Detects brute force, password spray, Impacket, 33 RMM tools, and 7 network tunnels.
Automated detection of 30+ persistence techniques with risk scoring across services, scheduled tasks, WMI subscriptions, and autorun keys.
Histogram with brush-to-filter, gap and burst detection, log source coverage maps, and value frequency stacking.
Scan against threat intel lists with 17+ indicator types — hashes, IPs, domains, registry keys, named pipes, and more. Auto-defangs and tags matches inline.
Bookmarks, color-coded tags, conditional formatting with KAPE-aware presets, and full session save/restore.
$MFT and $J files: ransomware scanning, timestomping detection, file activity heatmaps, ADS analysis, USN Journal forensics with UsnJrnl Rewind path reconstruction (11 categories), and resident data extraction for recovering deleted threat actor artifacts.

IRFlow Timeline is a native macOS application purpose-built for digital forensics and incident response (DFIR) investigators. Inspired by Eric Zimmerman's Timeline Explorer for Windows, it brings high-performance timeline analysis to macOS with a modern interface and advanced analytics.
If you've hit Excel's 1M-row limit on a super-timeline, or you're tired of spinning up a Windows VM just to run Timeline Explorer — this is the tool that replaces both.
| Format | Extensions | Description |
|---|---|---|
| CSV/TSV | .csv, .tsv, .txt, .log | Auto-detects delimiters (comma, tab, pipe) |
| Excel | .xlsx, .xls, .xlsm | Streaming reader (XLSX) + legacy binary parser (XLS) with sheet selection |
| EVTX | .evtx | Windows Event Log binary format |
| Plaso | .plaso, .timeline | Forensic timeline database (.timeline auto-detects; falls back to CSV) |
| Raw $MFT | .mft | NTFS Master File Table — direct import for NTFS analysis tools |
| Raw $J | .$J, .usn | NTFS USN Journal (change journal) |
IRFlow Timeline uses a SQLite-backed architecture with streaming import, lazy indexing, and virtual scrolling to deliver responsive performance even on the largest forensic timelines. Handle large CSV files (tested with 30GB+), search across millions of rows, and visualize your timeline — all without freezing. Concurrent index builds are memory-capped, analytics queries are optimized to avoid redundant table scans, and all long-running operations are crash-safe with graceful recovery.
Automatic detection and pre-configuration for 24 KAPE tool output formats including MFTECmd, EvtxECmd, Hayabusa, Chainsaw, AmcacheParser, PECmd, RECmd, SBECmd, and more. Open your KAPE output and start analyzing immediately with optimized column layouts and color rules.