Timesketch charts and visualisation

Timesketch is an open source tool (source code on Github) for collaborative timeline analysis intended for digital forensics and incident response. Using sketches multiple collaborators can easily organize and concurrently analyze timelines. It supports adding rich annotations, comments and stars to add meaning to the raw data.

We are happy to announce a new version of Timesketch (2015.12 codename About Time). Apart from bug fixes this version is packed with new features that will make your analysis more efficient and fun!

Fewer distractions in the UI

The navigation sidebar is now gone to give more space for things that matter, e.g. the event list and the new charts. Navigation has been transformed into a tab list on the top of the page making it easy to move around in your sketches. The lists of sketches, timelines and saved views also have more information available.

Charts and aggregations

To help you get more insight into your timelines it is valuable to be able to aggregate the search results and visualize the data. Timesketch aggregations does this for you and is perfect for exploratory analysis. Initially there are three aggregations available, data_type, histogram and heatmap.

The data_type aggregation uses the data_type attribute from Plaso, giving you a really quick way to filter out events of a certain type.

The heatmap aggregation calculates on which day of the week and at which hour events happened. This can be very useful e.g. when analyzing lateral movement or login events.

There is also a classic histogram aggregation that shows you the number of events per day in the result.

Hiding events from view

This has been a popular request and is all about reducing noise in your result views. You can now hit the little eye to hide events from the list making it possible to curate your views to emphasize the important things. But don’t worry, the events are still there and can be easily shown for those who want to see them. Just hit the big red button to show/hide the events.

Basic search and filtering with URL parameters

Another popular request is to be able to link to a sketch with query and filter as request parameters. This is now possible and initially you can do basic filtering and queries. This is great if you want to dynamically create links to sketches from other applications without creating saved searches first.

/sketch/1/explore/?q=ssh&time_start=2015–01–01&time_end=2015–12–13

Visualize time jumps

A common issue when analyzing timelines is to be able to visually see when there are jumps in time, i.e. the distance between two events are bigger than a certain time e.g. 1 day. This is now shown in Timesketch with what we call “time bubbles”. You will never find yourself getting distracted by time jumps in your timelines again!

Plaso tags as UI labels

Plaso has the ability to tag events during processing. These tags are now shown in the Timesketch UI as labels in the output. This makes it super fast to spot interesting events tagged by Plaso’s powerful analysis plugin system.

CSV importer

The control program for Timesketch, tsctl, can now ingest timelines in CSV format. This is much more efficient for large timelines compared to the JSON ingestion previously available. Adding timelines from sources other than Plaso is now much easier.

$ tsctl csv2ts — file timeline.csv — name my_timeline

Other features added in this release

• Deleting a saved view can now be done by the sketch owner.
• Export the result of your queries and filters into a CSV file.
• You can now update a user’s password via tsctl.
• The WSGI program has moved into the Timesketch package making it easier to serve Timesketch with a web server.
• Newlines and formatting are preserved in event info and comments.

Give it a spin over at the demo site

We have a demo installation of Timesketch up and running. You can reach it at https://demo.timesketch.org/ and login with demo/demo.

To get you started here are some saved searches showing off the features mentioned in this post:

• Plaso tags in action
• Time bubbles for the win!
• Hidden events

How do I install or upgrade to the new release?

If you already have Timesketch installed and working you just do:

$ sudo pip install timesketch --upgrade

If you need to install Timesketch from scratch check out the installation instructions on the Timesketch wiki.

Sneak preview next release

The next release (2016.6, codenamed Kung Fury) is planned to be released this coming summer. To follow along with which features are planned and what issues are being worked on please see the 2016.6 milestone page.

To give you a preview of what is coming in the summer of 2016

• Better ACL controls in the UI. This will make it possible to have private sketches with specific users as collaborators.
• Better time filters that will make it more intuitive to filter on time ranges etc. Date pickers and multiple time ranges is what we are thinking about.
• Last but not least, initial experimental implementation of Timesketch Stories! A new way to work with forensic timelines which will make it possible to blend narrative and raw data.

Stay tuned!

— The Timesketch team