event2timeline has its own GitHub repo.
A recurring task in DFIR is to scour through hundreds of megabytes of Microsoft Windows event logs, searching for suspicious session establishments. Even with great tools such as log2timeline (or its newer version, plaso) and an unlimited amount of coffee, singling out "strange" session establishments can be a daunting task, especially on a busy server used by people from all over the world. It's like looking for a black cat in a dark basement, while blindfolded.
We had to come up with a solution that would spare us the hassle of nitpicking through lines and lines of log entries: a tool that would take those hefty log files, extract every single session out of them, associate each one with its username, and display the result on an easy-to-read timeline. That's exactly what event2timeline does.
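To make the session-extraction idea concrete, here is an added example of the core step such a tool performs; it is not event2timeline's own code. It assumes the Security log has already been exported into simplified per-event dicts (a real pipeline would feed it records parsed from .evtx or from plaso output), pairs each logon (EventID 4624) with its logoff (EventID 4634 or 4647) through the shared TargetLogonId, and groups the resulting intervals per user so they can be drawn on a timeline. The records, user names and IP addresses are constructed sample data; the "long or still-open remote session" check is one illustrative triage filter, not a rule from the original post.

```python
"""Reconstruct per-user sessions from Windows Security logon/logoff events.

Added example, not event2timeline's code. Event IDs 4624 (logon), 4634 and
4647 (logoff) and the TargetLogonId pairing are standard Windows semantics;
the record format and the sample data below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOGON_ID = 4624
LOGOFF_IDS = {4634, 4647}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network, 10 = RemoteInteractive (RDP)


@dataclass
class Session:
    user: str
    domain: str
    logon_type: int
    source_ip: str
    start: datetime
    end: Optional[datetime]  # None when no logoff was seen (still open)

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def build_sessions(events):
    """Pair logon and logoff records by logon_id and return sessions by start time.

    Each record is a dict with at least: time (datetime), event_id, logon_id.
    Logon records additionally carry user, domain, logon_type and ip.
    """
    open_sessions = {}
    finished = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == LOGON_ID:
            # A second 4624 for the same logon_id would be unusual; keep the first.
            open_sessions.setdefault(ev["logon_id"], Session(
                user=ev["user"], domain=ev["domain"],
                logon_type=ev["logon_type"], source_ip=ev.get("ip", "-"),
                start=ev["time"], end=None))
        elif ev["event_id"] in LOGOFF_IDS:
            session = open_sessions.pop(ev["logon_id"], None)
            if session is None:
                continue  # logoff whose logon predates the log window; skip
            session.end = ev["time"]
            finished.append(session)
    # Sessions never closed in the log still matter, so keep them with end=None.
    finished.extend(open_sessions.values())
    return sorted(finished, key=lambda s: s.start)


def sessions_by_user(sessions):
    """Group sessions under DOMAIN\\user, the key a timeline would use per row."""
    grouped = {}
    for s in sessions:
        grouped.setdefault(f"{s.domain}\\{s.user}", []).append(s)
    return grouped


def flag_remote_sessions(sessions, max_hours=8):
    """Triage filter: network/RDP sessions that are still open or ran longer than max_hours."""
    limit = timedelta(hours=max_hours)
    return [s for s in sessions
            if s.logon_type in REMOTE_LOGON_TYPES
            and (s.end is None or s.duration > limit)]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"time": datetime(2014, 3, 12, 8, 0), "event_id": 4634, "logon_id": "0x999"},  # stray logoff
    {"time": datetime(2014, 3, 12, 9, 0), "event_id": 4624, "logon_id": "0x1a2b",
     "user": "alice", "domain": "CORP", "logon_type": 2, "ip": "-"},
    {"time": datetime(2014, 3, 12, 17, 30), "event_id": 4634, "logon_id": "0x1a2b"},
    {"time": datetime(2014, 3, 12, 23, 0), "event_id": 4624, "logon_id": "0x3c4d",
     "user": "svc_backup", "domain": "CORP", "logon_type": 3, "ip": "198.51.100.7"},
    {"time": datetime(2014, 3, 13, 2, 13), "event_id": 4624, "logon_id": "0x5e6f",
     "user": "bob", "domain": "CORP", "logon_type": 10, "ip": "203.0.113.5"},
    {"time": datetime(2014, 3, 13, 2, 20), "event_id": 4647, "logon_id": "0x5e6f"},
]


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_EVENTS)
    for user, user_sessions in sessions_by_user(sessions).items():
        for s in user_sessions:
            end = s.end.isoformat() if s.end else "(open)"
            print(f"{user:20} type={s.logon_type:2} from={s.source_ip:15} "
                  f"{s.start.isoformat()} -> {end}")
    print("needs a look:", [s.user for s in flag_remote_sessions(sessions)])
```

Running the script prints one line per session, grouped by user, followed by the sessions the triage filter picked out. The stray logoff is dropped rather than turned into a bogus session, and the backup account's network logon that never logs off is kept with an open end so it still shows up on the timeline instead of silently vanishing.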
Below is a screenshot of the final result, based on demo material from the SANS Advanced computer forensic analysis incident response course.
Feel free to use event2timeline during your daily DFIR routine. Let us know of any improvements you would like to make through pull requests on GitHub or via our Twitter account @CertSG.