Get partition table from image
mmls -t dos -i raw image.dd
Create bodyfile (format: http://wiki.sleuthkit.org/index.php?title=Body_file)
fls [-o offset] -f ntfs -m C:/ -p -r image.dd > bodyfile
Create events file from bodyfile
bodyfile.pl [-s server] -f bodyfile > events_file
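As an added example (not one of the scripts listed on this page), the following Python does the bodyfile-to-TLN conversion that bodyfile.pl performs: each body-file line is split into its MACB timestamps, equal timestamps are merged into one event, and a five-field TLN line (time|source|host|user|description) is emitted. The description layout (MACB mask, size, path) and the sample body-file line are assumptions constructed here, not the exact output of bodyfile.pl.

```python
import sys

# Sleuth Kit body file columns (see the Body_file wiki page linked above)
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")

# Constructed sample line, as fls -m C:/ would produce it (not real evidence)
SAMPLE = ("0|C:/Windows/System32/calc.exe|12345-128-1|r/rrwxrwxrwx|0|0|776192"
          "|1247535600|1247535600|1247535700|1247535600")


def body_line_to_tln(line, server="", user=""):
    """Convert one body-file line into TLN lines (time|source|host|user|desc).

    Timestamps shared by several MACB fields are merged into a single event
    whose description starts with a mask, e.g. "MA.B" = modified, accessed and
    born at this time, while the metadata-change (C) time differs.
    """
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(BODY_FIELDS), len(parts)))
    rec = dict(zip(BODY_FIELDS, parts))
    # MACB order: mtime, atime, ctime (metadata change), crtime (birth)
    stamps = [("M", int(rec["mtime"])), ("A", int(rec["atime"])),
              ("C", int(rec["ctime"])), ("B", int(rec["crtime"]))]
    events = {}
    for letter, ts in stamps:
        if ts <= 0:                      # 0 or -1 means no timestamp recorded
            continue
        events.setdefault(ts, set()).add(letter)
    out = []
    for ts in sorted(events):
        mask = "".join(c if c in events[ts] else "." for c in "MACB")
        desc = "%s [%s] %s" % (mask, rec["size"], rec["name"])
        out.append("|".join((str(ts), "FILE", server, user, desc)))
    return out


if __name__ == "__main__":
    # usage: python body2tln.py SERVERNAME < bodyfile >> events_file
    host = sys.argv[1] if len(sys.argv) > 1 else ""
    for body_line in sys.stdin:
        if body_line.strip():
            for event in body_line_to_tln(body_line, server=host):
                print(event)
```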
Populate events file with other event data
EVT files - evtparse.pl [-e file|-d dir] -t >> events_file
EVTX files
1. Export the files from the image, or mount the image so that you can access the EVTX files
2. Parse the files using LogParser (must be done on a Vista or above analysis system)
Logparser -i:evt -o:csv "SELECT RecordNumber,TimeGenerated,EventID,SourceName,Strings,ComputerName,SID INTO output.txt FROM path_to_EVTX"
3. Parse the resulting output.txt file with a Perl script to convert the fields into TLN format.
Prefetch file metadata - pref.pl [-f file|-d dir] [-v] -s server -t >> events_file
Scheduled Task .job files - jobparse.pl [-f file|-d dir] -s server -t >> events_file
There are a number of other tools that can be used to populate an events file, such as tln.exe, a GUI tool for adding individual events by hand (useful when no parsing tool exists for a data source, or when you only want to add one or two events that are significant to the examination).
Once the events file has been populated, you can use grep to remove entries (Java updates, Restore Point creation/deletion, etc.); to create the timeline, use:
parse.pl -f events_file [-r date_range] > timeline_file
Timeline creation tools can be found here