Blazing Fast
SQLite engine with sub-100ms queries on 10M+ rows. Streams 30GB+ files with zero-copy CSV parsing, memory-capped background indexing, and single-query analytics — no loading into memory.
Native macOS forensic timeline analysis. Import, search, and investigate EVTX, CSV, XLSX, Plaso, $MFT, $J, and local AI assistant artifacts — with AI Secret Hunt and the analytics DFIR professionals actually need.
Scan local AI history from ChatGPT Desktop, Claude Code, Codex, Cursor, Copilot, Gemini CLI, Windsurf, and Continue. Preserve prompts, responses, tool calls, workspaces, and secret exposure evidence.
Mixed, FTS, LIKE, Fuzzy, and Regex. Full-text search, substring matching, typo-tolerant fuzzy, and pattern matching across millions of rows.
Dual-engine Sigma scanning — bundled Hayabusa over raw EVTX plus an in-app JS engine for imported timelines, with MITRE ATT&CK-mapped triage, custom rules, and persistent scan history.
Reconstruct process trees from Sysmon and Security logs with 4-tier threat scoring, 342 chain rules + 13 standalone patterns mapped to MITRE ATT&CK.
Network graph with multi-hop chain reconstruction and RDP session correlation. Detects brute force, password spray, Impacket, 33 RMM tools, and 7 network tunnels.
36 EVTX + 33 registry persistence rules with risk scoring across services, scheduled tasks, WMI subscriptions, and autorun keys.
Histogram with brush-to-filter, gap and burst detection, log source coverage maps, and value frequency stacking.
Scan against threat intel lists with 17+ indicator types — hashes, IPs, domains, registry keys, named pipes, and more. Auto-defangs and tags matches inline.
Bookmarks, color-coded tags, conditional formatting with KAPE-aware presets, and full session save/restore.
Native macOS timeline analysis for DFIR — EVTX, KAPE super-timelines, and local AI artifacts in one app. Timeline Explorer–style workflow on Mac, plus built-in detection analytics and AI Secret Hunt.
If Excel row limits, Windows VM overhead, or missing AI evidence are holding back your investigations, IRFlow is the macOS alternative to Timeline Explorer.
| Format | Extensions | Description |
|---|---|---|
| CSV/TSV | .csv, .tsv, .txt, .log | Auto-detects delimiters (comma, tab, pipe) |
| Excel | .xlsx, .xls, .xlsm | Streaming reader (XLSX) + legacy binary parser (XLS) with sheet selection |
| EVTX | .evtx | Windows Event Log binary format |
| Plaso | .plaso, .timeline | Forensic timeline database (.timeline auto-detects; falls back to CSV) |
| Raw $MFT | .mft | NTFS Master File Table, imported directly from the raw extracted file for NTFS file system analysis |
| Raw $J | .$J, .usn | NTFS USN Journal (change journal) |
| AI app artifacts | folders / JSONL / SQLite / LevelDB | Scan local AI history from supported desktop, CLI, and editor assistants |
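To make the raw NTFS formats in the table concrete, here is an added example (not IRFlow's own code) that walks a raw $J change journal and turns each USN_RECORD_V2 into a timeline row: FILETIME converted to UTC, the file reference split into MFT entry and sequence number (which is what lets $J rows be joined to a $MFT import), and the reason bitmask decoded. It assumes the USN_RECORD_V2 layout and reason flag values as documented by Microsoft; the journal bytes it runs on are constructed inline, and the zero-filled lead-in imitates the sparse head of a real $J extract.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed part (60 bytes, little-endian) followed by a UTF-16LE name:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2 = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of USN_REASON_* flags (documented values); unknown bits are kept as hex.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_reason(reason):
    names = [n for bit, n in REASON_FLAGS.items() if reason & bit]
    unknown = reason & ~sum(REASON_FLAGS)
    if unknown:
        names.append(f"0x{unknown:08x}")
    return "|".join(names) or "NONE"


def split_ref(ref):
    """NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_journal(buf):
    """Yield one dict per valid V2 record; skips sparse zero regions, stops on corruption."""
    records, off = [], 0
    while off + USN_V2.size <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:
            off += 8          # zero-filled gap: records are 8-byte aligned
            continue
        if rec_len < USN_V2.size or off + rec_len > len(buf):
            break             # truncated or corrupt record; do not misparse past it
        (_, major, _minor, file_ref, parent_ref, usn, ts, reason, _src,
         _sid, attrs, name_len, name_off) = USN_V2.unpack_from(buf, off)
        if major != 2:        # only V2 handled here; V3 uses 128-bit file references
            off += rec_len
            continue
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le", "replace")
        entry, seq = split_ref(file_ref)
        parent_entry, parent_seq = split_ref(parent_ref)
        records.append({
            "usn": usn,
            "timestamp": filetime_to_dt(ts).isoformat(),
            "mft_entry": entry, "mft_seq": seq,
            "parent_entry": parent_entry, "parent_seq": parent_seq,
            "reason": decode_reason(reason),
            "attributes": attrs,
            "name": name,
        })
        off += rec_len
    return records


def build_record_v2(usn, ts, file_ref, parent_ref, reason, attrs, name):
    """Constructed test data only: pack a V2 record, padded to 8-byte alignment."""
    name_b = name.encode("utf-16-le")
    rec_len = (USN_V2.size + len(name_b) + 7) & ~7
    hdr = USN_V2.pack(rec_len, 2, 0, file_ref, parent_ref, usn, ts,
                      reason, 0, 0, attrs, len(name_b), USN_V2.size)
    return hdr + name_b + b"\x00" * (rec_len - USN_V2.size - len(name_b))


# Constructed journal: 2024-01-01T00:00:00Z == FILETIME 133485408000000000.
T0 = 133_485_408_000_000_000
FILE_REF = (5 << 48) | 0x1A2B        # MFT entry 0x1A2B, sequence 5
ROOT_REF = (5 << 48) | 5             # entry 5 is the volume root directory
SAMPLE_J = (
    b"\x00" * 16
    + build_record_v2(0x1000, T0, FILE_REF, ROOT_REF, 0x00000100, 0x20, "update.ps1")
    + build_record_v2(0x1050, T0 + 10 * 10_000_000, FILE_REF, ROOT_REF, 0x80000102, 0x20, "update.ps1")
    + build_record_v2(0x10A0, T0 + 20 * 10_000_000, FILE_REF, ROOT_REF, 0x80000200, 0x20, "update.ps1")
)

if __name__ == "__main__":
    for r in parse_usn_journal(SAMPLE_J):
        print(f'{r["timestamp"]}  usn={r["usn"]:#x}  entry={r["mft_entry"]}/{r["mft_seq"]}  '
              f'{r["reason"]:<28} {r["name"]}')
```

The mft_entry/mft_seq pair is the join key against a parsed $MFT: the same entry number with a different sequence means the record was reused for another file after deletion, so matching on the entry alone will attribute activity to the wrong file.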
SQLite streaming import, lazy indexing, and virtual scrolling keep 30GB+ timelines responsive. Search millions of rows without freezing — memory-capped index builds and crash-safe long-running jobs.