Analysis of Log Files Using Timesketch

Ozan Unal
Ozan Unal
Feb 7 · 5 min read

Timesketch is an open source collaborative forensic timeline analysis tool. Timesketch is an open source tool that facilitates the analysis of existing “.evtx” (Event Logs) files by creating a timeline with use elasticsearch. Timesketch, which also provides the opportunity to work in groups, I can say that analysts make their work very easy with queries in “JSON” format specific to elasticsearch.

Many analysts find it difficult to open and review large-scale log files. Timesketch provides us a great convenience at this point. Using plaso
It allows us to progress much faster by uploading the parsed log files to timesketch.

To help you get more insight into your timelines it is valuable to be able to aggregate the search results and visualize the data. Timesketch aggregations does this for you and is perfect for exploratory analysis. Initially there are three aggregations available, data_type, histogram and heatmap.

You can click here to download timesketch.

Install

Since I don’t want to overwhelm you with the installation and for convenience, I will show the installation on the docker.

Operating system used ubuntu 18.04 server

Install Docker

Follow the official instructions here

Install Docker Compose

Follow the official instructions here

Clone Timesketch

git clone https://github.com/google/timesketch.git
cd timesketch

Build and Start Containers

cd docker
sudo docker-compose up

Access Timesketch

Retrieve the randomly generated password from startup logs: TIMESKETCH_PASSWORD set randomly to: xxx

Go to: http://127.0.0.1/

Login with username: admin and the retrieved random password

Plaso

The initial purpose of plaso was to collect all timestamped events of interest on a computer system and have them aggregated in a single place for computer forensic analysis (aka Super Timeline). In short, we can also say creating a timeline of all log records in a single file.

A proper format is required for us to upload log files to timesketch. Plaso comes into play here, collecting the log files that we have provided in a single point and outputting them in a convenient format for us to upload to timesketch. Here to download plaso.

Creating a timeline

After downloading plaso, what we need to do to parse the log files we have is very simple.

The quickest way to generate a timeline with Plaso is using the “psteal” frontend. A command line like so:

psteal.py — source /cases/abc/<log_source> -o l2tcsv -w /desktop/registrar.csv”

will produce a csv file containing all the events from an image, with some sensible defaults.

  • source: Here you can also export log files in a folder, export a disk image or show the path of the log file individually.
  • o: We specify the output format. In addition to this, at the end of the process, the placeholder will create a sqllite file called .plaso, our main job is with that file.
  • w: Where to save our parsed.

When we run the command, we can now start parsing our files.

When the process was finished, he wrote the .csv file in the directory we gave him, on the other hand, he created the .plaso file in his own folder. If we look at the directory where Plaso is installed, we can see this file.

Actually I wanted to use Security.evtx file here but I gave up because the file size is 6GB.

We are now ready to upload the .plaso file to timesketch. If you have run it on a virtual machine, you can access the virtual machine’s ip address from the browser of your physical machine by bridging it in the network settings.

Go to: http://<machine_ip>/

After logging in, the screen will meet us below.

We continue by clicking the green sketch button in the middle.

Since we haven’t created a timeline yet, let’s upload our .plaso file by saying it’s empty, add timeline.

After selecting our file, let’s add it under saying “Upload

After uploading, if we come to the overview area, we can see where our file is uploaded and we can see how many events there are.

Coming to the Explore field, we can now see indexed log files here.

Now it remains to your analysis. You can view the information you want with queries. You can perform filtering operations, examine on which dates log activities are more intense and work as a group.

It also has many features. When you use it, you can search and find things that will work for you.

Resources

Ozan Unal

Written by

Ozan Unal

https://twitter.com/ozanunll

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade