Timesketch, the open-source timeline collaboration tool, recently upgraded its UI. That is why I am writing a new blog post showing the new UI by processing an E01 image with plaso.
First, install plaso and Timesketch (in my case I used both via Docker images, as that is the easiest way to get them running).
As a scenario, I am using the image file provided by NIST, which has been covered in many, many blog posts already.
Processing via plaso
First, run the plaso Docker container, mounting the directory where the image file is stored as a volume.
docker run -v /evidence/:/data log2timeline/plaso log2timeline /data/evidences.plaso /data/4DellLatitudeCPi.E01
That will run for a while.
plaso - log2timeline version 20191203

Source path    : /data/4DellLatitudeCPi.E01
Source type    : storage media image
Processing time: 00:23:38

Tasks:          Queued  Processing  Merging  Abandoned  Total
                     0           0        0          0  12210

Identifier  PID  Status     Memory     Sources    Events       File
Main        7    completed  293.9 MiB  12210 (0)  168913 (0)
Worker_00   14   idle       288.7 MiB  5804 (0)   82139 (0)    TSK:/WINDOWS/system32/config/systemprofile/Start Menu/Programs/Accessories/Accessibility/Utility Manager.lnk
Worker_01   16   idle       268.9 MiB  6405 (0)   86774 (0)    TSK:/WINDOWS/system32/config/systemprofile/Start Menu/Programs/Accessories/Entertainment/desktop.ini

Processing completed.

Number of warnings generated while extracting events: 2.

Use pinfo to inspect warnings in more detail.
MD5 (evidences.plaso) = 82ed76c50a6152a8c96cd959ad494b53
Install and start Timesketch
For this sample, I used the dev version of the Docker setup according to https://github.com/google/timesketch/tree/master/docker/development
docker-compose up -d
export CONTAINER_ID="$(sudo docker container list -f name=development_timesketch -q)"
Create a case via Web UI
I decided to upload the plaso file via the Web UI.
Processing feedback is also visible in the Web UI.
Now the data is being indexed.
This triggers an entry in the debug output:
[2019-12-30 19:22:38,018: INFO/MainProcess] Received task: timesketch.lib.tasks.run_plaso[2ab18910-e2e1-4b0d-977c-948605b335dd]
[2019-12-30 19:22:38,088: INFO/ForkPoolWorker-1] Index timeline [evidences] to index [d3cf025c5c94498e8300190d92e483ae] (source: plaso)
[2019-12-30 19:24:13,148: INFO/ForkPoolWorker-1] Task timesketch.lib.tasks.run_plaso[2ab18910-e2e1-4b0d-977c-948605b335dd] succeeded in 95.0877274190002s: 'd3cf025c5c94498e8300190d92e483ae'
After indexing, the data is ready to be explored in Timesketch.
One of the cool new features is Analyzers. These analyzers run predefined queries on the data of a timeline and perform actions on the matching events, such as:
- adding tags to matching events (e.g. phishy-domains)
- adding new fields to an event (e.g. browser search adds a field called "search_string")
To showcase the power of Timesketch, let's try to solve some of the questions from NIST that came along with the image.
What operating system was used on the computer?
This is rather easy, as plaso already has a parser for that, so searching for "Windows NT*CurrentVersion" will do the job.
What is the timezone settings?
Again, plaso is already parsing that; searching for "timezone" will show "ActiveTimeBias: 300 Bias: 360 DaylightBias: -60 DaylightName: Central Daylight Time StandardBias: 0 StandardName: Central Standard Time".
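To make the two things above concrete, here is an added example (not code from this post, and not Timesketch's or plaso's own code) that runs the two searches used for the NIST questions and two analyzer-style enrichments over a handful of constructed events. It assumes events shaped like plaso's psort json_line output (the four events below are constructed, the two registry messages echo what plaso prints for these keys), treats a search as a case-insensitive wildcard match over every string field (a simplification of the Lucene query the Web UI actually runs), and uses a hypothetical look-alike list in place of the real phishy-domains analyzer's watch list and scoring.

```python
"""Stand-alone illustration of a Timesketch-style wildcard search plus two
analyzers (tag matching events, add a field), over constructed plaso-like
events. Not Timesketch's or plaso's own code."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

Event = Dict[str, object]

# Constructed sample events in the shape of psort's json_line output.
EVENTS: List[Event] = [
    {"timestamp": 1095200000000000, "data_type": "windows:registry:key_value",
     "parser": "winreg/winreg_default",
     "message": "[\\Software\\Microsoft\\Windows NT\\CurrentVersion] "
                "ProductName: [REG_SZ] Microsoft Windows XP "
                "CurrentVersion: [REG_SZ] 5.1"},
    {"timestamp": 1095200001000000, "data_type": "windows:registry:timezone",
     "parser": "winreg/windows_timezone",
     "message": "[\\ControlSet001\\Control\\TimeZoneInformation] "
                "ActiveTimeBias: 300 Bias: 360 DaylightBias: -60 "
                "DaylightName: Central Daylight Time StandardBias: 0 "
                "StandardName: Central Standard Time"},
    {"timestamp": 1095200002000000, "data_type": "msiecf:url", "parser": "msiecf",
     "message": "Location: https://www.google.com/search?q=timesketch+analyzers",
     "url": "https://www.google.com/search?q=timesketch+analyzers"},
    {"timestamp": 1095200003000000, "data_type": "msiecf:url", "parser": "msiecf",
     "message": "Location: http://paypa1-login.example/account",
     "url": "http://paypa1-login.example/account"},
]


def wildcard_to_regex(query: str) -> "re.Pattern[str]":
    """Lucene-style term with * and ? wildcards -> regex; everything else is
    escaped so backslashes in registry paths match literally."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in query]
    return re.compile("".join(parts), re.IGNORECASE)


def search(events: List[Event], query: str) -> List[Event]:
    """Events where any string field matches the wildcard pattern
    (simplification of the per-field Lucene query the Web UI runs)."""
    pattern = wildcard_to_regex(query)
    return [e for e in events
            if any(isinstance(v, str) and pattern.search(v) for v in e.values())]


# "Key: value" pairs as plaso prints them; a value runs until the next key.
KV_RE = re.compile(r"(\w+): (.+?)(?= \w+: |$)")


def registry_values(message: str) -> Dict[str, str]:
    """Parse "Key: [REG_TYPE] value" pairs out of a plaso registry message."""
    body = message.split("] ", 1)[1] if message.startswith("[") else message
    return {k: re.sub(r"^\[REG_\w+\] ", "", v) for k, v in KV_RE.findall(body)}


def answer_os(events: List[Event]):
    """NIST question 'What operating system was used?'"""
    for e in search(events, "Windows NT*CurrentVersion"):
        vals = registry_values(str(e["message"]))
        if "ProductName" in vals:
            return f"{vals['ProductName']} (NT {vals.get('CurrentVersion', '?')})"
    return None


def answer_timezone(events: List[Event]):
    """NIST question 'What is the timezone settings?' (Bias is minutes behind UTC)."""
    for e in search(events, "timezone"):
        vals = registry_values(str(e["message"]))
        if "StandardName" in vals:
            return {"name": vals["StandardName"], "bias_minutes": int(vals["Bias"]),
                    "active_bias_minutes": int(vals["ActiveTimeBias"])}
    return None


# Hypothetical look-alike fragments; stand-in for the real analyzer's watch list.
LOOKALIKE_FRAGMENTS = ("paypa1", "micros0ft", "g00gle")


def browser_search_analyzer(events: List[Event]) -> int:
    """Add a search_string field to events whose URL carries a q= parameter."""
    added = 0
    for e in events:
        url = e.get("url")
        if not isinstance(url, str) or "search_string" in e:
            continue
        terms = parse_qs(urlparse(url).query).get("q")
        if terms:
            e["search_string"] = terms[0]
            added += 1
    return added


def phishy_domains_analyzer(events: List[Event]) -> int:
    """Tag events whose URL host contains a look-alike fragment (idempotent)."""
    tagged = 0
    for e in events:
        url = e.get("url")
        if not isinstance(url, str):
            continue
        host = urlparse(url).hostname or ""
        if any(frag in host for frag in LOOKALIKE_FRAGMENTS):
            tags = e.setdefault("tag", [])
            if "phishy-domain" not in tags:
                tags.append("phishy-domain")
                tagged += 1
    return tagged


def run_analyzers(events: List[Event]) -> Dict[str, int]:
    """Run both analyzers in place, as Timesketch does after indexing."""
    return {"search_string_added": browser_search_analyzer(events),
            "phishy_tagged": phishy_domains_analyzer(events)}


if __name__ == "__main__":
    print("OS:", answer_os(EVENTS))
    print("Timezone:", answer_timezone(EVENTS))
    print("Analyzers:", run_analyzers(EVENTS))
    for ev in EVENTS:
        if "phishy-domain" in ev.get("tag", []):
            print("tagged:", ev["url"])
```

Running it answers both questions from the registry events and shows the analyzers' effect: the Google visit gains a search_string field and the look-alike host gets a phishy-domain tag, which you could then find in the UI by filtering on that tag. A second run changes nothing, which matters because Timesketch lets you re-run analyzers on an existing timeline.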