RDPTimeline is a Digital Forensics & Incident Response (DFIR) tool that reconstructs RDP sessions from Windows Event Logs using timeline analysis, then correlates and flags suspicious activity occurring within and around those sessions using deterministic forensic rules, with optional ML and AI-based explanation.
The tool is designed to work offline by default.
RDPTimeline follows a staged DFIR pipeline:
- Log ingestion and validation
- Event parsing and normalization
- Global-timeline-based RDP session reconstruction
- Temporal correlation using grace windows
- Rule-based DFIR analysis
- (Optional) ML-based session anomaly detection
- (Optional) AI-assisted forensic reporting
RDPTimeline applies deterministic DFIR rules to reconstructed RDP sessions to highlight forensic indicators commonly associated with suspicious activity.
The tool may surface indicators related to:
- Repeated failed RDP authentication attempts
- Short-lived or aborted RDP sessions
- Unusually short or long RDP sessions
- Sessions without a clean logoff or disconnect
- Local user account creation during or near RDP sessions
- Users added to privileged (administrator) groups
- Scheduled task creation (with filtering of common benign tasks)
- Service installation and associated binary paths
- Clearing of Windows Security Event Logs
- Sessions that significantly deviate from peer behavior based on duration, activity volume, authentication patterns, or timing
These indicators are contextual signals intended to support forensic investigation. They do not constitute proof of compromise on their own.
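To make the reconstruction and rule stages concrete, the following is an added example, not RDPTimeline's own code, that runs a simplified version of the pipeline over a handful of constructed, already-normalized events: it opens a session on a Security 4624 with LogonType 10 (RemoteInteractive), closes it on a 4634/4647 carrying the same LogonId, and then evaluates events that fall inside the session plus a grace window on either side against a few of the rules listed above (failed-logon bursts, short or unterminated sessions, 4720 user creation, 4732 addition to Administrators, 4698 scheduled tasks with an allowlist, 7045 service installs, 1102 log clearing). The event IDs are standard Windows Security/System IDs; the grace window, thresholds, benign-task allowlist, field names and the sample events themselves are assumptions for illustration, not the project's settings or data.

```python
"""Added example (not RDPTimeline code): session reconstruction plus
deterministic rules over constructed, normalized Windows events."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(minutes=5)           # assumed grace window around a session
FAILED_LOGON_THRESHOLD = 3             # assumed threshold for a 4625 burst
SHORT_SESSION = timedelta(seconds=60)  # assumed bound for a "short-lived" session
BENIGN_TASKS = {r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"}  # assumed allowlist


@dataclass
class Event:
    ts: datetime
    eid: int
    user: str = ""
    src: str = ""
    data: dict = field(default_factory=dict)


def ev(ts, eid, user="", src="", **data):
    return Event(datetime.fromisoformat(ts), eid, user, src, data)


# Constructed sample: a noisy admin session, a short session, and one with no logoff.
EVENTS = sorted([
    ev("2024-03-01T09:00:05", 4625, "admin", "203.0.113.7"),
    ev("2024-03-01T09:00:09", 4625, "admin", "203.0.113.7"),
    ev("2024-03-01T09:00:14", 4625, "admin", "203.0.113.7"),
    ev("2024-03-01T09:00:30", 4624, "admin", "203.0.113.7", logon_type=10, logon_id="0x3e7a1"),
    ev("2024-03-01T09:02:00", 4720, "admin", target="helpdesk2"),
    ev("2024-03-01T09:02:30", 4732, "admin", group="Administrators", member="helpdesk2"),
    ev("2024-03-01T09:03:00", 4698, "admin", task=r"\Updater", command=r"C:\Users\Public\u.exe"),
    ev("2024-03-01T09:03:10", 4698, "admin", task=r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"),
    ev("2024-03-01T09:05:00", 7045, "", name="WinSvcHelper", path=r"C:\ProgramData\w.exe"),
    ev("2024-03-01T09:10:00", 1102, "admin"),
    ev("2024-03-01T09:10:20", 4647, "admin", logon_id="0x3e7a1"),
    ev("2024-03-01T11:00:00", 4624, "bob", "198.51.100.9", logon_type=10, logon_id="0x41c00"),
    ev("2024-03-01T11:00:20", 4634, "bob", logon_id="0x41c00"),
    ev("2024-03-01T14:00:00", 4624, "carol", "198.51.100.4", logon_type=10, logon_id="0x5a100"),
    ev("2024-03-01T14:00:01", 4624, "carol", "198.51.100.4", logon_type=3, logon_id="0x5a200"),  # network logon, not RDP
], key=lambda e: e.ts)


@dataclass
class Session:
    user: str
    src: str
    logon_id: str
    start: datetime
    end: Optional[datetime] = None
    flags: list = field(default_factory=list)


def reconstruct(events):
    """Open a session on 4624/LogonType 10; close it on 4634 or 4647 with the same LogonId."""
    sessions, open_by_id = [], {}
    for e in events:
        if e.eid == 4624 and e.data.get("logon_type") == 10:
            s = Session(e.user, e.src, e.data["logon_id"], e.ts)
            sessions.append(s)
            open_by_id[s.logon_id] = s
        elif e.eid in (4634, 4647):
            s = open_by_id.pop(e.data.get("logon_id"), None)
            if s is not None:
                s.end = e.ts
    return sessions


def in_window(s, e, events):
    """True if e lies within the session plus GRACE; an open session extends to the last event."""
    end = s.end or events[-1].ts
    return s.start - GRACE <= e.ts <= end + GRACE


def analyze(events):
    """Reconstruct sessions and attach rule-based flags (contextual signals, not proof)."""
    sessions = reconstruct(events)
    for s in sessions:
        if s.end is None:
            s.flags.append("no_clean_logoff")
        elif s.end - s.start < SHORT_SESSION:
            s.flags.append("short_session")
        fails = [e for e in events if e.eid == 4625 and e.src == s.src
                 and s.start - GRACE <= e.ts < s.start]
        if len(fails) >= FAILED_LOGON_THRESHOLD:
            s.flags.append(f"failed_logons_before_session:{len(fails)}")
        for e in events:
            if not in_window(s, e, events):
                continue
            if e.eid == 4720:
                s.flags.append(f"user_created:{e.data['target']}")
            elif e.eid == 4732 and e.data.get("group") == "Administrators":
                s.flags.append(f"added_to_admins:{e.data['member']}")
            elif e.eid == 4698 and e.data.get("task") not in BENIGN_TASKS:
                s.flags.append(f"scheduled_task:{e.data['task']}")
            elif e.eid == 7045:
                s.flags.append(f"service_installed:{e.data['name']}={e.data['path']}")
            elif e.eid == 1102:
                s.flags.append("security_log_cleared")
    return sessions


if __name__ == "__main__":
    for s in analyze(EVENTS):
        end = s.end.strftime("%H:%M:%S") if s.end else "open"
        print(f"{s.user}@{s.src} {s.start:%H:%M:%S}-{end}: {s.flags}")
```

Two things worth noticing when running it: the benign Windows Update task is dropped by the allowlist while the `\Updater` task is kept, and the session for `carol` is flagged `no_clean_logoff` because no 4634/4647 with her LogonId ever arrives, so the grace window is measured from the last event on the timeline rather than from a logoff.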
You must provide at least one EVTX file.
Supported logs:
- Security.evtx
- TerminalServices-RemoteConnectionManager.evtx
- LocalSessionManager.evtx
- System.evtx
- TaskScheduler.evtx
Logs may be provided in any combination.
Missing logs are handled gracefully.
Clone the repository and install dependencies:
```bash
git clone https://github.com/FatimaZ-tech/RDPTimeline.git
cd RDPTimeline
pip install -r requirements.txt
```

RDPTimeline is executed from inside the project directory.
You must explicitly provide full or relative paths to the EVTX log files.
Core RDP session logs only:

```bash
python rdptimeline.py \
  --security /path/to/Security.evtx \
  --ts /path/to/TerminalServices-RemoteConnectionManager.evtx \
  --lsm /path/to/LocalSessionManager.evtx
```

All supported logs:

```bash
python rdptimeline.py \
  --security /path/to/Security.evtx \
  --ts /path/to/TerminalServices-RemoteConnectionManager.evtx \
  --lsm /path/to/LocalSessionManager.evtx \
  --system /path/to/System.evtx \
  --tasks /path/to/TaskScheduler.evtx
```

With ML-based session anomaly detection enabled (note the line continuation before the flag):

```bash
python rdptimeline.py \
  --security /path/to/Security.evtx \
  --ts /path/to/TerminalServices-RemoteConnectionManager.evtx \
  --lsm /path/to/LocalSessionManager.evtx \
  --system /path/to/System.evtx \
  --tasks /path/to/TaskScheduler.evtx \
  --enable-ml
```

ML results are supporting signals only and do not replace rule-based DFIR findings.

With AI-assisted forensic reporting enabled:

```bash
python rdptimeline.py \
  --security /path/to/Security.evtx \
  --ts /path/to/TerminalServices-RemoteConnectionManager.evtx \
  --lsm /path/to/LocalSessionManager.evtx \
  --system /path/to/System.evtx \
  --tasks /path/to/TaskScheduler.evtx \
  --enable-ai-report
```

This mode requires an OpenAI API key and is the one mode that does not run offline. AI output is non-authoritative and used only for explanation; rule-based DFIR findings remain the source of truth.
This project is licensed under the MIT License.
You are free to use, modify, and distribute this software for research, educational, and operational purposes, provided that the original copyright notice and license are included.
See the LICENSE file for full license text.
Developed by Fatima Zakir as part of ongoing research in Digital Forensics & Incident Response (DFIR).