FAQ & Troubleshooting

General Questions

Why is IRFlow Timeline macOS only?

IRFlow Timeline was born out of the frustration of needing to boot a Windows VM just to use Timeline Explorer for triage. It is built as a native macOS Electron app to provide first-class performance on the platform most DFIR analysts use daily. Windows and Linux support may be considered in the future — see the Roadmap.

Is IRFlow Timeline free and open source?

Yes. IRFlow Timeline is released under the Apache 2.0 license and the full source code is available on GitHub.

How large of a file can IRFlow Timeline handle?

IRFlow Timeline has been tested with files exceeding 30 GB and 150 million+ rows. Files are never fully loaded into memory — they stream into a temporary SQLite database in chunks. The practical limit is your available disk space (the SQLite database is roughly 1.5x the original file size). See Performance Tips for hardware recommendations.

What makes this different from Timeline Explorer on Windows?

IRFlow Timeline is inspired by Eric Zimmerman's Timeline Explorer but adds capabilities beyond a data viewer:

Runs natively on macOS (Intel and Apple Silicon)
Process Inspector with MITRE ATT&CK detection rules
Lateral Movement Tracker with interactive network graphs
Persistence Analyzer scanning 30+ techniques
IOC Matching with 17+ indicator types
Gap & Burst Analysis for anomaly detection
Log Source Coverage heatmap
Handles 30GB+ files via SQLite streaming (no row limits)

Does it support KAPE output?

Yes. IRFlow Timeline auto-detects 15+ KAPE tool profiles including MFTECmd, EvtxECmd, PECmd, AmcacheParser, RECmd, SBECmd, AppCompatCacheParser, JLECmd, LECmd, SrumECmd, Hayabusa, and Chainsaw. Columns are automatically pinned, ordered, and formatted for each profile. See KAPE Integration and KAPE Profiles for details.

Installation Issues

macOS blocks the app with "Apple cannot check it for malicious software"

IRFlow Timeline is not notarized through the Apple App Store. To bypass the Gatekeeper prompt:

Right-click the app in Applications and select Open (not double-click)
Click Open in the dialog that appears
The app will launch and macOS will remember your choice

Alternatively: go to System Settings > Privacy & Security, scroll down, and click Open Anyway next to the IRFlow Timeline message.

TIP

You only need to do this once. After the first launch, macOS will open the app normally.

`electron-rebuild` fails during build from source

The better-sqlite3 native module must be compiled for Electron's specific Node.js version. Common fixes:

Missing build tools:

bash

xcode-select --install

Wrong Node.js version:

bash

# Ensure you're using Node.js 18+
node --version

# Clear node_modules and rebuild
rm -rf node_modules
npm install
npx electron-rebuild -f -w better-sqlite3

Apple Silicon with Rosetta conflicts:

bash

# Ensure you're running native arm64 Node.js, not x86_64 via Rosetta
arch
# Should output: arm64

# If it says i386, reinstall Node.js natively

The app crashes on launch

Check that your macOS version is 12 (Monterey) or later
Try deleting the app preferences: rm -rf ~/Library/Application\ Support/tle-app
Check the debug log for errors: cat ~/tle-debug.log | tail -50
If building from source, ensure you ran npx electron-rebuild -f -w better-sqlite3 after npm install

Import & Performance Issues

Import seems stuck or frozen

Large file imports can take several minutes. The app is not frozen — check the progress indicator in the toolbar. Expected import times on Apple Silicon:

File Size	Approximate Time
100 MB	5-10 seconds
1 GB	30-60 seconds
10 GB	5-8 minutes
30 GB+	15-25 minutes

TIP

The UI remains interactive during import. You can continue working in other tabs while a file loads.

Search returns no results even though the data exists

The full-text search (FTS) index builds in the background after import. If you search before it completes, the app falls back to LIKE-based search, which may miss some matches. Check the toolbar for the FTS build progress indicator. Once it shows complete, FTS search will return comprehensive results.

The app uses a lot of disk space

Each open tab creates a temporary SQLite database approximately 1.5x the size of the original file. These are stored in your system temp directory (/tmp) and are cleaned up when the tab is closed or the app exits.

Original File	Temp DB Size
1 GB	~1.5 GB
10 GB	~15 GB
30 GB	~45 GB

Ensure you have sufficient free disk space before importing large files. Close tabs you are no longer using to reclaim space.

Importing multiple EVTX files causes high memory usage

EVTX files are imported sequentially through an internal queue system. If you drag-drop many EVTX files at once, they are queued and processed one at a time with garbage collection pauses between each file. Column indexes and FTS builds are deferred until the entire queue drains.

If you experience memory pressure, import EVTX files in smaller batches (5-10 at a time) rather than all at once.

Feature Questions

Can I search across all open tabs at once?

Yes. Enable Search All Tabs in the search bar to run your query across every loaded tab simultaneously. Results are returned per-tab so you can see which data source contains the matches.

How do I export only my bookmarked or tagged rows?

Toggle the bookmark filter (Cmd+B) to show only bookmarked rows
Or use the tag filter dropdown to show rows with specific tags
Go to File > Export (Cmd+E) — only the currently filtered/visible rows will be exported

Can I save my analysis and reopen it later?

Yes. Go to File > Save Session (Cmd+S) to save a .tle session file. This preserves all open tabs, filters, bookmarks, tags, color rules, and column configurations. Use File > Load Session to restore it. See Sessions for details.

Does IRFlow Timeline send any data externally?

No. All processing happens locally on your machine. No timeline data, file contents, or analysis results are transmitted anywhere. The documentation site uses GoatCounter for anonymous page view analytics, but the desktop application itself has no telemetry or network calls.

Still need help?

Check the debug log at ~/tle-debug.log for detailed error information
Open an issue on GitHub with your macOS version, app version, and the relevant log output
Review Performance Tips for optimization guidance

FAQ & Troubleshooting ​

General Questions ​

Why is IRFlow Timeline macOS only? ​

Is IRFlow Timeline free and open source? ​

How large of a file can IRFlow Timeline handle? ​

What makes this different from Timeline Explorer on Windows? ​

Does it support KAPE output? ​

Installation Issues ​

macOS blocks the app with "Apple cannot check it for malicious software" ​

electron-rebuild fails during build from source ​

The app crashes on launch ​

Import & Performance Issues ​

Import seems stuck or frozen ​

Search returns no results even though the data exists ​

The app uses a lot of disk space ​

Importing multiple EVTX files causes high memory usage ​

Feature Questions ​

Can I search across all open tabs at once? ​

How do I export only my bookmarked or tagged rows? ​

Can I save my analysis and reopen it later? ​

Does IRFlow Timeline send any data externally? ​

Still need help? ​

FAQ & Troubleshooting

General Questions

Why is IRFlow Timeline macOS only?

Is IRFlow Timeline free and open source?

How large of a file can IRFlow Timeline handle?

What makes this different from Timeline Explorer on Windows?

Does it support KAPE output?

Installation Issues

macOS blocks the app with "Apple cannot check it for malicious software"

`electron-rebuild` fails during build from source

The app crashes on launch

Import & Performance Issues

Import seems stuck or frozen

Search returns no results even though the data exists

The app uses a lot of disk space

Importing multiple EVTX files causes high memory usage

Feature Questions

Can I search across all open tabs at once?

How do I export only my bookmarked or tagged rows?

Can I save my analysis and reopen it later?

Does IRFlow Timeline send any data externally?

Still need help?