Timesketch is an open source collaborative forensic timeline analysis tool. Timesketch is an open source tool that facilitates the analysis of existing “.evtx” (Event Logs) files by creating a timeline with use elasticsearch. Timesketch, which also provides the opportunity to work in groups, I can say that analysts make their work very easy with queries in “JSON” format specific to elasticsearch.
Many analysts find it difficult to open and review large-scale log files. Timesketch provides us a great convenience at this point. Using plaso
It allows us to progress much faster by uploading the parsed log files to timesketch.
To help you get more insight into your timelines it is valuable to be able to aggregate the search results and visualize the data. Timesketch aggregations does this for you and is perfect for exploratory analysis. Initially there are three aggregations available, data_type, histogram and heatmap.
You can click here to download timesketch.
Since I don’t want to overwhelm you with the installation and for convenience, I will show the installation on the docker.
Operating system used ubuntu 18.04 server
Follow the official instructions here
Install Docker Compose
Follow the official instructions here
git clone https://github.com/google/timesketch.git
Build and Start Containers
sudo docker-compose up
Retrieve the randomly generated password from startup logs: TIMESKETCH_PASSWORD set randomly to: xxx
Go to: http://127.0.0.1/
Login with username: admin and the retrieved random password
The initial purpose of plaso was to collect all timestamped events of interest on a computer system and have them aggregated in a single place for computer forensic analysis (aka Super Timeline). In short, we can also say creating a timeline of all log records in a single file.
A proper format is required for us to upload log files to timesketch. Plaso comes into play here, collecting the log files that we have provided in a single point and outputting them in a convenient format for us to upload to timesketch. Here to download plaso.
Creating a timeline
After downloading plaso, what we need to do to parse the log files we have is very simple.
The quickest way to generate a timeline with Plaso is using the “psteal” frontend. A command line like so:
“ psteal.py — source /cases/abc/<log_source> -o l2tcsv -w /desktop/registrar.csv”
will produce a csv file containing all the events from an image, with some sensible defaults.
- source: Here you can also export log files in a folder, export a disk image or show the path of the log file individually.
- o: We specify the output format. In addition to this, at the end of the process, the placeholder will create a sqllite file called .plaso, our main job is with that file.
- w: Where to save our parsed.
When we run the command, we can now start parsing our files.
When the process was finished, he wrote the .csv file in the directory we gave him, on the other hand, he created the .plaso file in his own folder. If we look at the directory where Plaso is installed, we can see this file.
Actually I wanted to use Security.evtx file here but I gave up because the file size is 6GB.
We are now ready to upload the .plaso file to timesketch. If you have run it on a virtual machine, you can access the virtual machine’s ip address from the browser of your physical machine by bridging it in the network settings.
Go to: http://<machine_ip>/
After logging in, the screen will meet us below.
We continue by clicking the green sketch button in the middle.
Since we haven’t created a timeline yet, let’s upload our .plaso file by saying it’s empty, add timeline.
After selecting our file, let’s add it under saying “Upload”
After uploading, if we come to the overview area, we can see where our file is uploaded and we can see how many events there are.
Coming to the Explore field, we can now see indexed log files here.
Now it remains to your analysis. You can view the information you want with queries. You can perform filtering operations, examine on which dates log activities are more intense and work as a group.
It also has many features. When you use it, you can search and find things that will work for you.