# Volatility timeline


$ volatility timeliner --output=body --output-file=timeliner.txt --profile=<profile> --filename=<ram_dump> && volatility mftparser --output=body --output-file=mftparser.txt --profile=<profile> --filename=<ram_dump> && volatility shellbags --output=body --output-file=shellbags.txt --profile=<profile> --filename=<ram_dump>
$ cat timeliner.txt mftparser.txt shellbags.txt > timeline.txt
$ mactime -b timeline.txt -d > mactime.txt

No comments: