Your timeline is a story worth telling

Johan Berggren
Published in Timesketch · Nov 18, 2016

Finding the right tool for digital forensic timeline analysis is challenging. Analysts tend to reach for tools like sed, grep, awk or even spreadsheets to get the job done. We have all been there. This works quite well when the dataset is a few hundred thousand events and you are the only analyst on the case. But there are times when you need to analyze and correlate millions of events from more than one source. For example, you may need to collect and process artifacts from Windows, Linux and Mac, and sometimes even create full disk timelines with Plaso. The point is that the dataset tends to grow fast, and making sense of it becomes difficult.

Answering questions like “How did the actor move laterally within our network?” becomes complicated. To scale your analysis you need to collaborate and share findings with your colleagues. You need to be able to search across all your timelines at once. To keep the momentum you also need to hand over the current state of your investigation to the next analyst.

You need a timeline analysis tool

I created Timesketch to address these challenges. Timesketch is an open source collaborative forensic timeline analysis tool. It uses full text search to give you insight into your timelines. You can search hundreds of millions of events across different timelines all at once. Share your findings using saved views and add meaning to your data with labels and comments. Bring life to your investigation with Timesketch Stories. Timesketch is built around collaboration, sharing and search.

The Timesketch development team is proud to announce the release of Timesketch version 2016.11, codename “Looper”. This release introduces new features like advanced search, search templates and editable views. Let us explore how they can help you in your analysis work.

Timesketch Stories

Timesketch lets you analyze your timelines in a completely new way. We call it Timesketch Stories. The story captures your notes, hypotheses and lets you embed interactive timeline events. Handing over the investigation now becomes part of your analysis workflow. Note: The data shown in the screenshots throughout this post are all fictional.

A Timesketch story.

Powerful search

One of the central ideas in Timesketch is the ability to do full text search on your timelines. You have always been able to search with the Query String Query language. You can, for example, search with boolean operators and regular expressions:

  • Boolean operators with grouping
  • Regular expressions, for example: message:/joh?n(ath[oa]n)/

See the official documentation for a full list of features.

But sometimes you need more flexibility to get the results you need. With this release we introduce Advanced search. You are no longer limited to the Query String Query syntax for your searches. You can now write full Elasticsearch DSL queries right from the UI.

The new Advanced search.

Saved Views just got a whole lot better

You can save your queries and filters as Saved views. The view gives you instant access to the results and also a quick way to share your findings. It is also how you embed events in your stories.

Save your queries and filters.

With this release we have made a couple of improvements to Saved views. First, we made them editable. If you want to change the search query or filters you can now click the “Update view” button. This will save the changes to the view and make them available to all users. And of course, all stories that embed the view will update automatically.

Update your views with a single click.

We have also added the ability to save only selected events as a Saved view. This is especially handy when you want to embed specific events in a story.

Bootstrap your investigation with Search templates

Search templates are like Saved views except they are not bound to any specific data. You can use templates to create new Saved views for your investigation.

Search templates can answer questions like “Who logged in over RDP?” or “Do I have any hits for this [Indicator of Compromise]?”. When you have created a view based on the template you can edit it by adding filters or changing the query. The templates support both basic search and the new advanced search. It is easy to create new templates: choose “Save as Search Template” when you create a new Saved view.

It is easy to create a new view in your investigation based on a Search template. Click the “Quick add” button and you are done.

Just click “Quick add” to use the Search Template in your investigation.
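The two search styles described above, as an added example that is not Timesketch project code: a Query String Query as typed in the search box, DSL bodies a template could carry for each of the two template questions, and a helper that edits a view by adding a time filter to any of them. The field names message and datetime, and the Windows logon message texts, are assumptions about a Plaso-written timeline; the indicators are constructed.

```python
import json


def query_string_query(query: str) -> dict:
    """Basic search: wrap the Query String Query syntax the search box accepts,
    e.g. 'message:/joh?n(ath[oa]n)/' for a regular expression on a field."""
    return {"query": {"query_string": {"query": query}}}


def ioc_template(indicators: list, field: str = "message") -> dict:
    """'Do I have any hits for this IoC?': a DSL bool query matching any
    of the indicators (each as a phrase in the assumed 'message' field)."""
    should = [{"match_phrase": {field: ioc}} for ioc in indicators]
    return {"query": {"bool": {"should": should, "minimum_should_match": 1}}}


def rdp_logon_template() -> dict:
    """'Who logged in over RDP?': both phrases must be present. The texts are
    assumed to appear as written in the 'message' of Windows logon events."""
    must = [
        {"match_phrase": {"message": "An account was successfully logged on"}},
        {"match_phrase": {"message": "Logon Type: 10"}},
    ]
    return {"query": {"bool": {"must": must}}}


def add_time_filter(dsl: dict, start: str, end: str) -> dict:
    """Editing a view: narrow any query to a time window. Returns a new dict so
    the template stays reusable; assumes ISO-8601 strings in 'datetime'."""
    narrowed = json.loads(json.dumps(dsl))
    query = narrowed["query"]
    if "bool" not in query:
        # A query_string (or other leaf) query needs a bool wrapper to carry a filter.
        query = {"bool": {"must": [query]}}
    query["bool"].setdefault("filter", []).append(
        {"range": {"datetime": {"gte": start, "lte": end}}})
    narrowed["query"] = query
    return narrowed


if __name__ == "__main__":
    # Constructed indicators (documentation-reserved name and address).
    print(json.dumps(ioc_template(["evil.example.com", "198.51.100.23"]), indent=2))
    window = add_time_filter(rdp_logon_template(),
                             "2016-11-01T00:00:00", "2016-11-18T23:59:59")
    print(json.dumps(window, indent=2))  # paste into the Advanced search box
```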

Meaningful visualizations

When we create visualizations in Timesketch we want them to be meaningful. They should add value to your workflow. For example you can use the Heatmap chart to spot odd login patterns.

Searching for Windows login events.
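The weekday-by-hour binning a login heatmap rests on, as an added example that is not Timesketch code, run over a constructed set of logon timestamps so the odd pattern shows up without the chart.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: weekday business-hours logons plus two at 03:00 on a Sunday
# (2016-11-14 is a Monday, 2016-11-20 a Sunday).
SAMPLE_LOGONS = [
    "2016-11-14T09:05:00", "2016-11-14T09:40:00", "2016-11-15T08:55:00",
    "2016-11-15T13:10:00", "2016-11-16T10:20:00", "2016-11-17T09:15:00",
    "2016-11-18T09:30:00", "2016-11-20T03:02:00", "2016-11-20T03:15:00",
]


def heatmap(timestamps):
    """Count events per (weekday, hour) cell; weekday 0 is Monday, 6 is Sunday."""
    cells = Counter()
    for ts in timestamps:
        dt = datetime.fromisoformat(ts)
        cells[(dt.weekday(), dt.hour)] += 1
    return cells


def off_hours(cells, start_hour=8, end_hour=18):
    """Cells on the weekend or outside business hours: the ones to look at first."""
    return {cell: n for cell, n in cells.items()
            if cell[0] >= 5 or not (start_hour <= cell[1] < end_hour)}


if __name__ == "__main__":
    for (day, hour), n in sorted(off_hours(heatmap(SAMPLE_LOGONS)).items()):
        print(f"weekday {day} hour {hour:02d}: {n} logon(s)")
```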

If you have ideas for visualizations in Timesketch, please speak up! Create a new feature request and we will take a look.

What we’re planning next

We are already planning for the next releases and here are some of the features you can look forward to:

  • Better time filters — More flexible time filters and an easier UI to add filters for this important attribute.
  • Activity streams — Get an overview of what your fellow analysts have been working on with real time updates of all actions taken in a sketch. This will also be the foundation of a new auditing system.
  • Better UX for uploads
  • More visualizations
  • Pagination for search results
  • … and much more.

If you have ideas for new features please file a feature request on GitHub.
Thanks to all who made this release possible. Your fixes and bug reports are critical for the success of the project!

Johan is a Senior Security Engineer at Google. He is the author of Timesketch. If you like articles like this — or are interested in open source digital forensic tools — you can follow him on Twitter.

If you want to fetch the code it is available over at GitHub. Installation instructions are available on the Wiki.
