KAPE Profiles

Complete list of auto-detected KAPE / EZ Tool profiles with their column configurations.

EZ Tools Profiles

MFTECmd

Detection: Columns include EntryNumber, ParentEntryNumber, InUse

Category     Columns
Pinned       FileName, ParentPath, Extension
Prioritized  FileSize, Created0x10, LastModified0x10, IsDirectory
Hidden       EntryNumber, SequenceNumber, ReferenceCount, ReparseTarget
Auto-color   Extension

EvtxECmd

Detection: Columns include PayloadData1, Channel, Provider

Category     Columns
Pinned       TimeCreated, EventId, Channel
Prioritized  Computer, PayloadData1, PayloadData2, PayloadData3
Hidden       ChunkNumber, Keywords, Opcode, RecordNumber
Auto-color   Channel

PECmd (Prefetch)

Detection: Columns include ExecutableName, RunCount, SourceFilename

Category     Columns
Pinned       ExecutableName, RunCount
Prioritized  LastRun, PreviousRun0-6, SourceFilename, Volume
Auto-color   ExecutableName

LECmd (LNK Files)

Detection: Columns include SourceFile, TargetPath, Arguments

Category     Columns
Pinned       SourceFile, TargetPath
Prioritized  Arguments, WorkingDirectory, CreatedOn, ModifiedOn
Auto-color   TargetPath

AmcacheParser (Files)

Detection: Columns include ProgramId, SHA1, FullPath

Category     Columns
Pinned       FullPath, SHA1
Prioritized  FileSize, CompileTime, BinaryType, Publisher

AmcacheParser (Programs)

Detection: Columns include ProgramId, Name, Publisher, InstallDate

Category     Columns
Pinned       Name, Version
Prioritized  Publisher, InstallDate, UninstallString

RECmd (Registry)

Detection: Columns include HivePath, Key, ValueName, ValueData

Category     Columns
Pinned       HivePath, Key, ValueName
Prioritized  ValueData, LastWriteTimestamp, ValueType
Auto-color   HivePath

SBECmd (ShellBags)

Detection: Columns include AbsolutePath, ShellType

Category     Columns
Pinned       AbsolutePath, ShellType
Prioritized  LastWriteTime, MFTEntry, CreatedOn

SrumECmd (SRUM)

Detection: Columns include ExeInfo, AppId

Category     Columns
Pinned       ExeInfo, AppId
Prioritized  Timestamp, NetworkUsage, ForegroundTime

AppCompatcache (Shimcache)

Detection: Columns include ControlSet, CacheEntryPosition, Path

Category     Columns
Pinned       Path, LastModifiedTime
Prioritized  Executed, CacheEntryPosition

JLECmd (Jump Lists)

Detection: Columns include SourceFile and jump list-specific columns

Category     Columns
Pinned       FileName, TargetPath
Prioritized  Arguments, CreatedOn, ModifiedOn

Timeline Format Profiles

ForensicTimeline

Detection: Columns include datetime, timestamp_desc, source, sourcetype

Category     Columns
Pinned       datetime, source, sourcetype
Prioritized  timestamp_desc, message, filename, display_name
Auto-color   source

Plaso SuperTimeline

Detection: Columns include datetime, source, sourcetype, type, display_name

Category     Columns
Pinned       datetime, source, type
Prioritized  sourcetype, display_name, message, filename
Auto-color   source

MacTime (Bodyfile)

Detection: Columns include Date, Size, Type, Mode, File Name

Category     Columns
Pinned       Date, File Name, Type
Prioritized  Size, Mode, UID, GID

KapeMiniTimeline

Detection: Columns include Date, Time, Source, Short, Desc

Category     Columns
Pinned       Date, Time, Source
Prioritized  Type, Short, Desc
Auto-color   Source

Security Tool Profiles

Hayabusa (Standard)

Detection: Columns include Timestamp, RuleTitle, Level, Computer

Category     Columns
Pinned       Timestamp, RuleTitle, Level
Prioritized  Computer, Channel, RuleFile
Auto-color   Level

Hayabusa (Verbose)

Detection: Columns include Timestamp, RuleTitle, Level, Details, ExtraFieldInfo

Category     Columns
Pinned       Timestamp, RuleTitle, Level
Prioritized  Details, ExtraFieldInfo, Computer
Auto-color   Level

Chainsaw

Detection: Columns include timestamp, name, level, status

Category     Columns
Pinned       timestamp, name, level
Prioritized  computer, status, authors
Auto-color   level

BrowsingHistoryView

Detection: Columns include URL, Title, Visit Time, Web Browser

Category     Columns
Pinned       Visit Time, URL, Title
Prioritized  Web Browser, Visit Count, Visit Type
Auto-color   Web Browser

Built for the DFIR community.