Forensic Timeliner (timeliner.exe, or "Timeliner") is a standalone tool used to generate and display forensic system timelines on Windows systems. It is written in C++ using the Windows API and is packaged as a single portable Windows executable (EXE) that runs on all modern versions of Windows (XP through Windows 10 clients, 32/64-bit; Server 2003 (32-bit only) through Server 2012, 32/64-bit) and has no dependencies other than standard Windows DLLs. Timeliner must be run either as SYSTEM or as a local administrator on the machine.
Timeliner is intended to be used to retrospectively discover and display indicators of prior malware infection, notably the malware’s source (when the malware was first created, downloaded or encountered, and where it came from) and the malware’s effects (what other files or artifacts the malware created, deleted or modified). Timeliner's data sources are chosen to help answer these specific questions. For example, the browser history data sources might indicate where on the Internet a piece of malware was downloaded from, and the USN Journal data source might indicate what files the malware dropped on the system when executed.
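The core of any timeline tool is normalising records from different sources onto one clock and then reading the events around a pivot (the first appearance of a suspect file). The following is an added example, not Timeliner's own code: it merges a constructed browser-download record with constructed USN Journal records into one ordered timeline and pulls out the events surrounding the download. The 1601-based timestamp formats (FILETIME for the USN Journal, microseconds-since-1601 for Chromium history) and the USN_REASON_* bit values are real Windows/Chromium conventions; the record shapes, file names and times are constructed for the example.

```python
"""Added example (not part of Timeliner): merge two forensic sources into one timeline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of real USN_REASON_* flag values from the Windows SDK.
USN_REASONS = {
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x80000000: "CLOSE",
}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def webkit_to_datetime(wt: int) -> datetime:
    """Chromium history timestamps: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=wt)


def describe_reason(flags: int) -> str:
    """Decode a USN reason bitmask into readable flag names."""
    names = [name for bit, name in USN_REASONS.items() if flags & bit]
    return "|".join(names) or f"0x{flags:08x}"


@dataclass(order=True)
class Event:
    when: datetime      # normalised UTC timestamp, the sort key
    source: str         # which data source produced the event
    action: str         # what happened (download, USN reason flags, ...)
    target: str         # file name or path the event concerns


# Helpers used only to build the constructed sample in the native formats.
def _ft(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _wk(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


T0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed rows, loosely shaped like Chromium's "downloads" table.
DOWNLOADS = [
    {"start_time": _wk(T0 - timedelta(seconds=30)),
     "tab_url": "http://files.example.test/payroll",
     "target_path": r"C:\Users\alice\Downloads\invoice.zip"},
]

# Constructed USN Journal records: (FILETIME timestamp, reason flags, file name).
USN_RECORDS = [
    (_ft(T0 - timedelta(seconds=25)), 0x80000102, "invoice.zip"),    # download written to disk
    (_ft(T0 + timedelta(seconds=2)), 0x80000100, "invoice.exe"),     # extracted from the archive
    (_ft(T0 + timedelta(seconds=10)), 0x80000102, "svchost32.exe"),  # dropped by the executable
    (_ft(T0 + timedelta(seconds=11)), 0x80000200, "invoice.exe"),    # original deleted itself
    (_ft(T0 + timedelta(hours=1)), 0x80000002, "report.docx"),       # unrelated user activity
]


def events_from_downloads(rows) -> list:
    return [Event(webkit_to_datetime(r["start_time"]), "browser",
                  f"download from {r['tab_url']}", r["target_path"]) for r in rows]


def events_from_usn(records) -> list:
    return [Event(filetime_to_datetime(ts), "usn", describe_reason(reason), name)
            for ts, reason, name in records]


def build_timeline(*event_lists) -> list:
    """Merge every source into one list ordered by normalised timestamp."""
    return sorted(e for lst in event_lists for e in lst)


def events_around(timeline, needle: str, before_s: int = 60, after_s: int = 60) -> list:
    """Events within a window around the earliest event naming `needle`.

    Matching is case-insensitive because Windows file names are."""
    pivot = next((e for e in timeline if needle.lower() in e.target.lower()), None)
    if pivot is None:
        return []
    lo = pivot.when - timedelta(seconds=before_s)
    hi = pivot.when + timedelta(seconds=after_s)
    return [e for e in timeline if lo <= e.when <= hi]


if __name__ == "__main__":
    timeline = build_timeline(events_from_downloads(DOWNLOADS), events_from_usn(USN_RECORDS))
    for e in events_around(timeline, "invoice.zip"):
        print(f"{e.when.isoformat()}  {e.source:8}  {e.action:35}  {e.target}")
```

Running the block prints the five events in the minute around the download and leaves out the unrelated document edit an hour later; widening `before_s`/`after_s` or changing the pivot name is how an analyst walks outward from a known-bad artifact to see what else happened at that time.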