How to create a super timeline

A super timeline is a contraption thought up by Rob Lee and implemented by Kristinn Gudjonsson. It parses file system artifacts and event logs and combines them into one massive spreadsheet that shows almost everything that happened on a system.

This can take a very long time, so dedicate a system to it: set it up, start it processing, and investigate other artifacts while it runs.

Create the plaso dump (all the timestamps):

log2timeline.py plaso.dump /path/to/drive/image.E01

Press Enter to skip Volume Shadow Copies; you don’t need those, and my guess is that they will just add a lot of duplicate entries.

Filter the timeline to a specific date range:

psort.py -z "UTC" -o l2tcsv /path/to/plaso.dump "date > 'yyyy-mm-dd hh:mm:ss' AND date < 'yyyy-mm-dd hh:mm:ss'" > plaso.csv

Here, yyyy-mm-dd hh:mm:ss is of course the start and end date of the timeline you want to review.

You can filter out temporary internet files and similar entries, as these tend to add a lot of noise. The suggested patterns to exclude are:

Temporary\ Internet\ Files
PrivacIE
Content.IE5
IETldCache
ACPI
MSIE\ Cache\ File
THREAD
\(\$FILE_NAME\)
DLL\ LOADTIME

You can store these patterns in a whitelist file and then use an inverted grep to filter them out:

grep -a -v -i -f whitelist.txt /path/to/plaso.csv > supertimeline.csv
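The whole noise-filtering step, as an added example that is not part of the original post: it builds a small l2tcsv-style CSV and a whitelist file inline (all rows, paths and the hostname are constructed), then applies the same inverted, case-insensitive grep. It also shows one thing the one-liner above quietly gets wrong if the whitelist contains a blank line: an empty pattern matches every row, so grep -v would throw away the entire timeline. The helper strips blank patterns first.

```shell
#!/bin/sh
# Added example, not from the original post. Filters a plaso l2tcsv export
# with an inverted grep driven by a noise-pattern file. All sample data below
# is constructed; the hostname, paths and inode numbers are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed l2tcsv-style sample: header plus four events. Two of them are
# browser-cache noise that the whitelist should remove.
cat > "$WORK/plaso.csv" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
04/01/2019,10:00:01,UTC,M...,FILE,NTFS,Last Written,-,HOST1,notes.txt,C:/Users/bob/Desktop/notes.txt,2,TSK:/Users/bob/Desktop/notes.txt,1234,-,filestat,-
04/01/2019,10:00:05,UTC,..C.,FILE,NTFS,Created,-,HOST1,ad[1].gif,C:/Users/bob/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/ABCD1234/ad[1].gif,2,TSK:/Users/bob/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/ABCD1234/ad[1].gif,1235,-,filestat,-
04/01/2019,10:00:09,UTC,M...,EVT,WinEVTX,Content Modification Time,-,HOST1,[4624 / 0x1210] Successful logon,[4624 / 0x1210] An account was successfully logged on,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,1300,-,winevtx,-
04/01/2019,10:00:12,UTC,.A..,FILE,NTFS,Last Access,-,HOST1,index.dat,C:/Users/bob/AppData/Local/Microsoft/Windows/PrivacIE/index.dat,2,TSK:/Users/bob/AppData/Local/Microsoft/Windows/PrivacIE/index.dat,1236,-,filestat,-
EOF

# Noise patterns from the post. A blank line is included on purpose: an empty
# regex matches every line, which is why build_supertimeline drops blanks.
cat > "$WORK/whitelist.txt" <<'EOF'
Temporary\ Internet\ Files
PrivacIE
Content.IE5

IETldCache
EOF

# build_supertimeline IN_CSV WHITELIST OUT_CSV
# 1. remove blank/whitespace-only patterns (an empty pattern would match all rows)
# 2. drop every row matching any remaining pattern:
#    -a  treat the CSV as text even if it contains binary bytes
#    -v  invert the match (keep non-matching rows)
#    -i  case-insensitive
#    -f  read patterns from the cleaned whitelist
build_supertimeline() {
  in_csv="$1"; wl="$2"; out_csv="$3"
  grep -v '^[[:space:]]*$' "$wl" > "$wl.clean" || true   # empty list is allowed
  grep -a -v -i -f "$wl.clean" "$in_csv" > "$out_csv"
}

# count_events FILE -> number of data rows, header excluded
count_events() {
  tail -n +2 "$1" | wc -l | tr -d ' '
}

build_supertimeline "$WORK/plaso.csv" "$WORK/whitelist.txt" "$WORK/supertimeline.csv"
echo "kept $(count_events "$WORK/supertimeline.csv") of $(count_events "$WORK/plaso.csv") events"
```

The header row never matches a pattern, so it survives the filter and Timeline Explorer still sees column names. Keep the whitelist short and review what it removes on a sample first: a pattern like ACPI or THREAD is a plain substring match across the whole row, including the description column, so it can drop more than the file paths it was written for.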

Eric Zimmerman from SANS made a fantastic tool to browse through these massive files, called Timeline Explorer. Get it here: https://ericzimmerman.github.io/Software/TimelineExplorer.zip