CyberPipe-Timeliner: From Collection to Timeline in One Script

You know how these things go. A colleague asks a simple question, and before you know it, you’re knee-deep in PowerShell creating something that didn’t exist a few weeks ago. That’s exactly how CyberPipe-Timeliner came to be.

After a recent update to CyberPipe, someone asked whether there was a way to pipe Magnet Response collections through to something like ForensicTimeliner. It was one of those “that should exist” moments. So I made it exist.

A Quick History Lesson

For those who haven’t been following along, CyberPipe (formerly CSIRT-Collect) has been around since my IR days. It went public in 2021 and has been steadily maintained and updated since then. The tool has proven itself useful for rapid incident response collection, and it’s evolved based on real-world needs and feedback from the community.

CyberPipe-Timeliner is its companion project—taking that collection data and turning it into something immediately actionable: a unified forensic timeline.

What It Actually Does

The script automates the entire workflow from collection to timeline:

Extraction – It unpacks your Magnet Response archive, whether that’s a ZIP file or an already-extracted directory.

Processing – All the heavy lifting happens here using Eric Zimmerman’s EZ Tools to generate CSVs from your artifacts.

Organization – The CSVs get structured specifically for ForensicTimeliner compatibility, because nobody wants to spend time wrestling with file formats.

Aggregation – Everything merges into a consolidated timeline, giving you that unified view we’re all after.

Built for Real-World Use

The script includes some practical features that came from actual use cases:

  • Date filtering – Need to focus on a specific incident window? Use -StartDate and -EndDate to narrow your timeline to what matters.
  • Flexible input – Point it at a ZIP file or an already-extracted collection folder. Either works.
  • Verbose and diagnostic modes – Because sometimes you need to see exactly what’s happening under the hood.
  • Auto-generated output folders – Timestamped folders keep your timelines organized without any extra effort.
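The aggregation and date-filtering steps described above, sketched as an added example that is not code from CyberPipe-Timeliner: rows from two CSVs with different timestamp columns are normalized to UTC, merged, and cut to an incident window. The CSV contents are constructed, and the column and function names are hypothetical, not the EZ Tools or ForensicTimeliner schema.

```powershell
# Added example. CSV contents are constructed and column names are hypothetical,
# not the schema produced by EZ Tools or expected by ForensicTimeliner.
$fileCsv = @'
Created,Path
2025-03-01 08:15:00,C:\Users\demo\Downloads\tool.zip
2025-03-04 23:59:30,C:\Users\demo\AppData\Local\Temp\a.tmp
'@
$eventCsv = @'
TimeCreated,EventId,Message
2025-03-02T10:00:05Z,4624,Logon
2025-03-05T00:00:00Z,4634,Logoff
'@

function ConvertTo-TimelineRow {
    param([object[]]$Rows, [string]$TimeColumn, [string]$DetailColumn, [string]$Source)
    foreach ($r in $Rows) {
        # Parse every timestamp as UTC so rows from different tools sort together.
        $utc = [datetimeoffset]::Parse($r.$TimeColumn,
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal).UtcDateTime
        [pscustomobject]@{ TimeUtc = $utc; Source = $Source; Detail = $r.$DetailColumn }
    }
}

function Get-TimelineWindow {
    param([object[]]$Timeline, [datetime]$StartDate, [datetime]$EndDate)
    # Assumption of this example: a date-only EndDate includes that whole day.
    $endExclusive = $EndDate.Date.AddDays(1)
    $Timeline |
        Where-Object { $_.TimeUtc -ge $StartDate -and $_.TimeUtc -lt $endExclusive } |
        Sort-Object TimeUtc
}

# Merge both sources into one list, then apply the incident window (compared in UTC).
$timeline = @(
    ConvertTo-TimelineRow -Rows ($fileCsv | ConvertFrom-Csv) -TimeColumn Created -DetailColumn Path -Source FileSystem
    ConvertTo-TimelineRow -Rows ($eventCsv | ConvertFrom-Csv) -TimeColumn TimeCreated -DetailColumn Message -Source EventLog
)
Get-TimelineWindow -Timeline $timeline -StartDate '2025-03-02' -EndDate '2025-03-04' | Format-Table
```

Whether the script itself treats -EndDate as inclusive is not stated here, so check a boundary event when the window edge matters to the case.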

Getting Started

Setting it up is straightforward. You’ll need PowerShell 7+, Eric Zimmerman’s EZ Tools, ForensicTimeliner, and Microsoft .NET SDK (v9 recommended). The GitHub repository has detailed setup instructions, including handy one-liners for downloading and configuring the required tools.

Once you’re set up, a basic run looks like this:

.\CyberPipe-Timeliner.ps1 -InputFile "collection.zip"

That’s it. The script handles the rest, creating a timestamped output folder with your complete timeline.

Why It Matters

Forensic timeline generation shouldn’t be a multi-tool, multi-step headache. CyberPipe-Timeliner takes what would normally be several manual processes and condenses them into a single automated pipeline. You collect with Magnet Response or CyberPipe, run the timeliner script, and get actionable timeline data.

It’s available now on GitHub, and as always, feedback and contributions are welcome. If you run into issues or have ideas for improvements, open an issue or reach out.

Sometimes the best tools come from simple questions and the willingness to build the answer.

Magnet RESPONSE PowerShell

I’m excited to share with you a new script I’ve written, Magnet RESPONSE PowerShell.

Magnet RESPONSE is a free tool from Magnet Forensics that makes it easy for investigators as well as non-technical operators to collect triage collections quickly and consistently.

Released initially as a GUI tool for law-enforcement investigators, it’s a single executable that requires no installation. The available command line syntax also makes it very flexible for enterprise use.

So what do I do when there’s a command line interface available? I PowerShell the hell out of it.

If you’ve been following my CyberPipe project, you’ll definitely want to check this one out.

MagnetRESPONSEPowerShell.ps1

Functions:
  • 💻 Capture specified triage artifacts using profiles with Magnet RESPONSE
  • 🐏 Capture a memory image with DumpIt for Windows or Magnet RAM Capture
  • 💾 Save all artifacts, output, and audit logs to network drive
  • 🪟 Supports x86, x64 and ARM64 versions of Windows

Prerequisites:
  • Magnet RESPONSE
  • Web server where you can host MagnetRESPONSE.zip that’s accessible to endpoints.
  • File server repository to save the file collections to.

Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions – please do so here or on GitHub via discussion or pull request.


There are two areas of the script for you to customize.

  • The Variable Setup contains the case identification, file server and web server locations.
  • The second section, Collection Profiles, defines which artifact groups you want to collect. You can see all the options available in the Magnet RESPONSE CLI Guide.

VARIABLE SETUP

$caseID = "demo-161" # no spaces

$outputpath = "\\Server\Share" # Update to reflect output destination.

$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip

COLLECTION PROFILES

Within the script we need to have at least one set of collection arguments defined. In this case I’ve built multiple profiles, which are simply un-commented to mark the profile as active. You only want to have one profile enabled at a time. You can design your own collection profiles using any of the available CLI options, just follow the format below.

#### Extended Process Capture

$profileName = "EXTENDED PROCESS CAPTURE"

$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"

Execution

Once your environment and collection variables are defined, go ahead and run the script on your endpoints. Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then save the output to the file server. All data defined in the collection profile will be collected and organized by case name, hostname and timestamp of collection in the central location. The returned files can be examined manually, using open source tools, or products like Magnet AXIOM Cyber.
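Because every endpoint downloads MagnetRESPONSE.zip from the web server (an http:// URL in the variable comment above) before running it, checking the archive against a hash recorded at staging time is a useful guard. The following is an added example, not part of MagnetRESPONSEPowerShell.ps1: the function names and the case\host-timestamp folder layout are assumptions, and a constructed ZIP stands in for the real download so it runs offline.

```powershell
# Added example, not part of MagnetRESPONSEPowerShell.ps1. Function names are hypothetical.
function Expand-VerifiedArchive {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [Parameter(Mandatory)][string]$Destination
    )
    # Refuse to unpack (and therefore to run) anything that does not match the pinned hash.
    $actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for $ZipPath (got $actual); refusing to extract."
    }
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination -Force
    Get-Item -LiteralPath $Destination
}

function Get-CollectionFolder {
    param([string]$OutputPath, [string]$CaseId, [string]$HostName = [Environment]::MachineName)
    # Assumed layout: <share>\<case>\<host>-<UTC timestamp>
    $stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMdd'T'HHmmss'Z'")
    Join-Path $OutputPath (Join-Path $CaseId "$HostName-$stamp")
}

# Constructed stand-in for the downloaded archive.
$work = Join-Path ([IO.Path]::GetTempPath()) ("verify-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'tool.txt') -Value 'stand-in for the collection tool'
$zip = Join-Path $work 'tool.zip'
Compress-Archive -Path (Join-Path $work 'tool.txt') -DestinationPath $zip
# In practice this value is recorded when the ZIP is staged on the web server.
$pinned = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash

Expand-VerifiedArchive -ZipPath $zip -ExpectedSha256 $pinned -Destination (Join-Path $work 'ok') | Out-Null

# Simulate the archive changing between staging and download.
Add-Content -LiteralPath $zip -Value 'modified'
try {
    Expand-VerifiedArchive -ZipPath $zip -ExpectedSha256 $pinned -Destination (Join-Path $work 'bad')
} catch {
    Write-Host "Rejected: $($_.Exception.Message)"
}

Get-CollectionFolder -OutputPath '\\Server\Share' -CaseId 'demo-161'
```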

If you’d like to learn more about the script, and how I integrated it with AXIOM Cyber and Magnet AUTOMATE, you can register for my webcast, Responding at Scale with Magnet RESPONSE. I hope to see you there.

You can download the script at https://github.com/MagnetForensics/Magnet-RESPONSE-PowerShell

Getting Started with a PowerShell Menu

We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5 minute job. At first the math may not compute, but when that 5 minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where it pays off. It also enforces consistency and removes some of the possibility for human error.

We have a collection of internal scripts that we use frequently. As more scripts (or scriptlets) are added to the frequently used, I wanted a means to expose all the scripts to the team and to put some organization to it. I also wanted to easily support changes or additions to the referenced scripts. What I wound up building was a simple PowerShell menu structure.

Each individual script is referenced by a two-letter code in the menu. Right now in our environment there are 38 scripts in the menu. Many of those are proprietary (can’t share); however, I gathered a handful to share here to illustrate the concept of the menu process.

https://github.com/dwmetz/PSHero

Once you’ve downloaded and unzipped the repository, you’ll want to edit the PSHero.ps1 file to ensure that the paths for the scripts reflect where you’ve got them saved to.

To add or remove scripts from the menu, there are 2 modifications:
In the top section is the menu listing

Write-Host "EX: MX Header Analysis"

Which pairs with

'EX' {
    D:\PowerShell\PSHero\Parse-EmailHeader.ps1
}

in the lower section. Use the other scripts as examples and add what you like. Just watch your brackets.
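A variation on the same menu idea, as an added example that is not PSHero's own code: a single table drives both the listing and the dispatch, so adding a script is one entry rather than two paired edits, and a missing script path is reported instead of failing at launch. Only the 'EX' entry comes from this page; the 'HS' entry and the function names are hypothetical.

```powershell
# Added example, not PSHero's code. Only the 'EX' entry is from the page; 'HS' is hypothetical.
$menu = [ordered]@{
    'EX' = @{ Title = 'MX Header Analysis';              Path = 'D:\PowerShell\PSHero\Parse-EmailHeader.ps1' }
    'HS' = @{ Title = 'Hash a file (hypothetical entry)'; Path = 'D:\PowerShell\PSHero\Get-Hash.ps1' }
}

function Show-Menu {
    param($Menu)
    # The listing is generated from the table, so it cannot drift from the dispatch logic.
    foreach ($code in $Menu.Keys) {
        Write-Host ("{0}: {1}" -f $code, $Menu[$code].Title)
    }
    Write-Host 'Q: Quit'
}

function Resolve-MenuChoice {
    param($Menu, [string]$Choice)
    $code = $Choice.Trim().ToUpperInvariant()
    if (-not $Menu.Contains($code)) { return $null }
    $path = $Menu[$code].Path
    # Catch a stale or mistyped path before trying to run it.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Script for '$code' not found at $path"
        return $null
    }
    $path
}

while ($true) {
    Show-Menu -Menu $menu
    $choice = Read-Host 'Selection'
    if ($choice -match '^\s*q\s*$') { break }
    $script = Resolve-MenuChoice -Menu $menu -Choice $choice
    if ($script) { & $script } else { Write-Host 'Unknown or unavailable selection.' }
}
```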

The scripts included in this demo menu include:

Have a favorite PS script you use? Post a recommendation in the comments below.