fls -m C: -p -r -i ewf /path/to/image.E01 > drive-image-timeline-bodyfile
volatility -f /path/to/image.001 --profile=<profile> timeliner --output=body --output-file=drive-image-timeline-timeliner.body
cat drive-image-timeline-timeliner.body >> drive-image-timeline-bodyfile
mactime -z UTC -y -d -b drive-image-timeline-bodyfile <start time..end time in format yyyy-mm-dd..yyyy-mm-dd> > drive-image-memory-timeline.csv
This will give you a timeline with all the events in the given period.
You can filter out some temporary internet files, as these tend to add a lot of noise. The suggested ones to exclude are:
Temporary\ Internet\ Files
PrivacIE
Content.IE5
IETldCache
ACPI
MSIE\ Cache\ File
THREAD
\(\$FILE_NAME\)
DLL\ LOADTIME
You can store these in a whitelist file, one pattern per line, and then use an inverted grep (grep -v) to filter them out.
grep -v -i -f whitelist.txt drive-image-memory-timeline.csv > drive-image-memory-timeline-cleaned.csv
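The filtering step above, as an added example that is not part of the original page: a wrapper around the same grep -v -i -f call that removes blank lines from the pattern file (a blank line matches every row, so grep -v would drop the whole timeline), keeps the CSV header, and prints how many rows each pattern excluded. The function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). File names are placeholders.

# filter_timeline PATTERNS IN_CSV OUT_CSV
filter_timeline() {
    patterns=$1; in_csv=$2; out_csv=$3
    clean=$(mktemp) || return 1

    # A blank line in a -f pattern file matches every row, so grep -v would
    # silently discard the whole timeline. Drop blank lines first.
    grep -v '^[[:space:]]*$' "$patterns" > "$clean" || true

    # Keep the CSV header row and filter only the data rows.
    head -n 1 "$in_csv" > "$out_csv"
    tail -n +2 "$in_csv" | grep -v -i -f "$clean" >> "$out_csv" || true

    # Per-pattern hit counts on stderr: shows which exclusions remove the
    # most rows, so an overly broad pattern is noticed before analysis.
    while IFS= read -r pat; do
        n=$(tail -n +2 "$in_csv" | grep -c -i -e "$pat" || true)
        printf '%s\t%s\n' "$n" "$pat"
    done < "$clean" | sort -rn >&2

    rm -f "$clean"
}

# count_rows CSV: number of data rows, header excluded.
count_rows() { tail -n +2 "$1" | wc -l | tr -d ' '; }

# demo: run the filter on constructed sample data and print surviving rows.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Content.IE5\n\nPrivacIE\n' > "$d/whitelist.txt"   # note blank line
    cat > "$d/in.csv" <<'EOF'
Date,Size,Type,Mode,UID,GID,Meta,File Name
2020-01-01T00:00:00Z,10,m...,r/rrwxrwxrwx,0,0,100-128-1,"C:/Users/a/Temporary Internet Files/Content.IE5/x.htm"
2020-01-01T00:00:01Z,20,.a..,r/rrwxrwxrwx,0,0,101-128-1,"C:/Users/a/PrivacIE/index.dat"
2020-01-01T00:00:02Z,30,...b,r/rrwxrwxrwx,0,0,102-128-1,"C:/Windows/Temp/sample.exe"
EOF
    filter_timeline "$d/whitelist.txt" "$d/in.csv" "$d/out.csv"
    count_rows "$d/out.csv"
    rm -rf "$d"
}
```

Calling demo prints the number of rows that survive the filter; the per-pattern counts go to stderr so they can be reviewed without ending up in the cleaned CSV.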
Eric Zimmerman from SANS made a fantastic tool to browse through these massive files, called Timeline Explorer. Get it here: https://ericzimmerman.github.io/Software/TimelineExplorer.zip