Malwarebytes Forensic Timeliner Administrator Guide

File uploaded by jyamada Employee on Jun 14, 2017Last modified by jyamada Employee on Jul 18, 2019
Version 5Show Document
  • View in full screen mode

Malwarebytes Forensic Timeliner (timeliner.exe, or "Timeliner") is a standalone tool, used to generate and display forensic system timelines on Windows systems. It is written in C++ using the Windows API, and is packaged as a single portable Windows executable (EXE) that runs on all modern versions of Windows (XP through Windows 10 clients, 32/64-bit, Servers 2003 (32-bit only) through 2012 (32/64-bit), and has no dependencies other than standard Windows DLLs. Timeliner must be run either as SYSTEM or as a local administrator on the machine.


Timeliner is intended to be used to retrospectively discover and display indicators of prior malware infection, notably the malware’s source (when was the malware first created/downloaded/encountered, and where did it come from) and the malware’s effects (what other files or artifacts did the malware create, delete, or modify). Timeliner's data sources are chosen to help answer these specific questions. For example, the browser history data sources might indicate where on the Internet some malware was downloaded from, and the USN Journal data source might indicate what files the malware might have dropped on the system when executed.