The timeliner plugin helps investigators by producing a timeline of the events that had taken place on the system when the image was acquired. Although we already have an idea of what took place in this scenario, many other dumps may be quite large and far more detailed and complex.
The timeliner plugin orders its details by time and includes the process name, PID, process offset, DLLs used, registry details, and other useful information.
To run the timeliner command, we type the following:
volatility --profile=WinXPSP3x86 -f cridex.vmem timeliner
The following is a snippet of the timeliner output, taken from further down in the listing:
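Because a large dump produces thousands of timeliner lines, it is often easier to save the output to a file and narrow it down in a script. The following is an added example, not code from the book or from the Volatility project: it assumes the plugin's default pipe-separated text layout (Start|Header|Item|Details), sorts the events chronologically, groups them by PID, and pulls out everything that happened within a few seconds of a chosen process's start. The sample lines are constructed and do not come from cridex.vmem.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the assumed layout  Start|Header|Item|Details.
# PIDs, offsets and times are made up for illustration only.
SAMPLE = """\
2012-07-22 02:45:12 UTC+0000|[SOCKET]| LocalIP: 0.0.0.0:1038| PID: 1112
2012-07-22 02:42:36 UTC+0000|[PROCESS]| explorer.exe| PID: 1112/PPID: 1080/POffset: 0x02498700
2012-07-22 02:42:39 UTC+0000|[PROCESS]| reader_sl.exe| PID: 2200/PPID: 1112/POffset: 0x0251ee90
2012-07-22 02:42:40 UTC+0000|[DLL]| reader_sl.exe| PID: 2200| kernel32.dll
2012-07-22 02:40:01 UTC+0000|[PROCESS]| svchost.exe| PID: 900/PPID: 620/POffset: 0x0220a300
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"          # the "UTC+0000" suffix is dropped before parsing
PID_RE = re.compile(r"PID:\s*(\d+)")


def parse_timeliner(text):
    """Parse pipe-separated timeliner lines into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        try:
            when = datetime.strptime(fields[0][:19], TS_FMT)
        except ValueError:
            continue                      # banner, blank or malformed line: skip it
        m = PID_RE.search(line)
        events.append({
            "time": when,
            "header": fields[1].strip("[]") if len(fields) > 1 else "",
            "item": fields[2] if len(fields) > 2 else "",
            "pid": int(m.group(1)) if m else None,
            "raw": line,
        })
    events.sort(key=lambda e: e["time"])  # plugin output is not guaranteed to be in order
    return events


def group_by_pid(events):
    """Map each PID to its chronologically ordered events (entries without a PID are dropped)."""
    by_pid = defaultdict(list)
    for e in events:
        if e["pid"] is not None:
            by_pid[e["pid"]].append(e)
    return dict(by_pid)


def events_around(events, pid, seconds):
    """All events, from any PID, within +/- seconds of the given process's PROCESS entry."""
    starts = [e["time"] for e in events if e["pid"] == pid and e["header"] == "PROCESS"]
    if not starts:
        return []
    lo, hi = min(starts) - timedelta(seconds=seconds), min(starts) + timedelta(seconds=seconds)
    return [e for e in events if lo <= e["time"] <= hi]
```

Run it against a saved listing by replacing SAMPLE with the file's contents and passing the PID of the process under investigation to events_around.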