IRFlow Timeline

Blazing Fast

Phase-tuned SQLite engine with 1GB import cache, adaptive 100K-row batches, and background async indexing. Sub-100ms filtered queries on 10M+ rows. Handles 30GB+ files without breaking a sweat.

5 Search Modes

Mixed, OR, AND, Exact, and Regex modes. Find exactly what you need across massive timelines with full-text search, boolean operators, and pattern matching.

Process Inspector

GUID-preferred process hierarchy from Sysmon (EventID 1) and Windows Security (4688) logs with 4-tier threat scoring — critical for direct malware indicators, high for likely malicious activity, medium for suspicious patterns needing context, low for informational.

Lateral Movement Tracker

Interactive network graph with multi-hop chain reconstruction, RDP session correlation, and automated attack pattern detection — brute force, password spray, credential compromise, Impacket tool detection (5 variants), and RMM tool scanning (30 tools). MITRE ATT&CK mapped findings with one-click filtering.

Persistence Analyzer

Automated detection of 30+ persistence techniques with risk scoring. Scans EVTX logs and registry exports for services, scheduled tasks, WMI subscriptions, autorun keys, and more.

Rich Analytics

Heatmap histogram with brush-to-filter, session and gap detection with auto-tagging, median-baseline burst anomaly detection with sparkline charts, Gantt-style log source coverage maps, and value frequency stacking.

IOC Matching

Scan timelines against threat intel IOC lists with 17+ indicator types (hashes, IPs, domains, registry keys, named pipes, mutexes). Auto-defanging, per-IOC tagging, and inline grid highlighting.

Investigation Workflow

Bookmarks, color-coded tags, conditional formatting with KAPE-aware presets, and full session save/restore.

What is IRFlow Timeline?

IRFlow Timeline is a native macOS application purpose-built for digital forensics and incident response (DFIR) investigators. Inspired by Eric Zimmerman's Timeline Explorer for Windows, it brings high-performance timeline analysis to macOS with a modern interface and advanced analytics.

Supported Formats

Format	Extensions	Description
CSV/TSV	`.csv`, `.tsv`, `.txt`, `.log`	Auto-detects delimiters (comma, tab, pipe)
Excel	`.xlsx`, `.xls`, `.xlsm`	Streaming reader (XLSX) + legacy binary parser (XLS) with sheet selection
EVTX	`.evtx`	Windows Event Log binary format
Plaso	`.plaso`	Forensic timeline database

Format

Extensions

Description

CSV/TSV

.csv, .tsv, .txt, .log

Auto-detects delimiters (comma, tab, pipe)

Excel

.xlsx, .xls, .xlsm

Streaming reader (XLSX) + legacy binary parser (XLS) with sheet selection

EVTX

.evtx

Windows Event Log binary format

Plaso

.plaso

Forensic timeline database

Built for Scale

IRFlow Timeline uses a SQLite-backed architecture with streaming import, lazy indexing, and virtual scrolling to deliver responsive performance even on the largest forensic timelines. Handle large CSV files (tested with 30GB+), search across millions of rows, and visualize your timeline — all without freezing.

KAPE-Ready

Automatic detection and pre-configuration for 15+ KAPE tool output formats including MFTECmd, EvtxECmd, Hayabusa, Chainsaw, AmcacheParser, and more. Open your KAPE output and start analyzing immediately with optimized column layouts and color rules.

IRFlow TimelineDFIR Timeline Analysis