Timesketch with Autopsy Data

Autopsy and Timesketch

Renzik now has a new friend in Timesketch. If you have ever wanted to add Timesketch to your Autopsy workflow you now can. The new Timesketch Autopsy plugin will pull all date related events from files or artifacts and create a json_line file and upload it to Timesketch. The plugin GUI option panel takes the following options for it to run.

IP address and port of the Timesketch server. These options can be saved for subsequent runs so you do not have to put them in every time. Timesketch user name and password are the next required options. I did not add these to the saved options but I can. If you want to see these saved then let me know and I can change them. The last 2 options are the Sketch name and description. By default they will take the case name and id from Autopsy, you can change them to something else if you want.

Timesketch plugin options panel

Once the plugin finishes you will get one of three (3) messages. The ingest message panel shows the three (3) messages. There is also a json_line file that is saved in the case temporary folder, it is not deleted at this point and will probably be moved to the module output folder area in the future. The reason that it is saved is that you can re-import this file into Timesketch in the future if you want to.

Ingest messages

Once the sketch and timeline has been added to Timesketch it may take a little while for it to process. Once it has you should be able to see the events and use all the functionality of Timesketch. Below is a look at a web history artifact and all the attributes associated with it.

Web History Artifact/Attributes

The format that I use for the artifact is [Date] <TSK Artifact Type> for non file artifacts and [Date] TSK: <File Name and Path>. All the Autopsy attributes are then added to each artifact that has a date associated defined in Autopsy. No one thing to note is that just because something has a date/time in the column name does not mean that it is defined in Autopsy as a column name. A good example is the webcache plugin where the column names have dates in them but the column is defined as a string and not a date so it will not get pulled in the Timesketch plugin. Now if anyone wants to see more information in the artifact description then let me know and we can try and see if it is doable.

Now there is probably some more work that needs to be done on this so it will be a work in progress. It has worked fine for me in testing but I would love feedback on how it works and ways to make it better. You can get the plugin here. As always I look forward to hearing any feedback and feature enhancements/future needs. Enjoy and happy time-lining your Autopsy data with Timesketch