Timesketch on an Raspberry Pi3

TLDR

Does not work at the moment

Idea

Playing with Timesketch (timesketch.org) for a while I was wondering if it is possible to install Timesketch on a Raspberry Pi 3 to do some basic analysis, no heavy GB plaso imports and such.

A raspberry Pi is around 40 $, so pretty cheap and can be ordered almost everywhere on the planet, and you might already have some PIs from previous projects like:

I have also written about Timesketch / and or maintaining the following Github repositories:

Basic installation

I used the Noobs Image to install the raspberry using a 128 GB Micro SD card to have enough storage.

Java

Trying to install Java will cause some Java issues because you need to install it manually, follow:

https://www.raspberrypi.org/forums/viewtopic.php?t=101543

sudo mv /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/arm/client /usr/lib/jvm/java-8-openjdk-armhf/jre/lib/arm/server

Installing Elastic Search

Follow that article:

Installing Timesketch

Simple, SSH to your raspberry pi and follow:

When installed elasticsearch:

vi /etc/elasticsearch/elasticsearch.yml

Add the following:

network.bind_host: 127.0.0.1

pycipher

This one is a bit tricky because it might fail with:

Collecting pycypher==0.5.9
Could not find a version that satisfies the requirement pycypher==0.5.9 (from versions: )
No matching distribution found for pycypher==0.5.9

Docker

https://medium.freecodecamp.org/the-easy-way-to-set-up-docker-on-a-raspberry-pi-7d24ced073ef

Docker-compose

sudo apt-get install docker-compose

So pycypher does kill the posibility to use Timesketch on a raspberry at the moment:

 Getting page https://www.piwheels.org/simple/pycypher/
  Looking up "https://www.piwheels.org/simple/pycypher/" in the cache
  Current age based on date: 30
  Freshness lifetime from request max-age: 600
  The response is "fresh", returning cached response
  600 > 30
  Analyzing links from page https://www.piwheels.org/simple/pycypher/
  Could not find a version that satisfies the requirement pycypher (from versions: )
Cleaning up...
No matching distribution found for pycypher

timesketch-tools

Overview

I am happy to say that a new tool made it to github called „timesketch-tools“.
It is basically a way to interact with Timesketch via CLI. For those who don’t know Timesketch, it is an amazing opensource tool developed by Johan Berggren and is used to create timelines for forensic investigations as well as incident response cases.

Reason

Back in 2017, Johan tweeted:

Why is the WebUi not enough? Well in some cases you might want to automate stuff, have no browser or other reasons, so it is not „Why“ but „why not“.

So I did during the last few days and built a client for it: timesketch-tools

Capabilities

At the moment only two methods do work, but it should be enough to show the power of it.

List sketches

timesketch-tools.py -ls
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
+-----+-----------------------------+
|  id |             Name            |
+-----+-----------------------------+
| 130 |     test1Untitled sketch    |
|  3  | The Greendale investigation |
+-----+-----------------------------+

Add event

timesketch-tools.py --add_events
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
Please provide the sketch id you want to add events to as (an integer): 3
Please provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted

Timestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c
timestamp_desc this is the description
message something was hacked
Event added, ID: 18 Date:2018-10-31T14:49:41+00:00 timestamp desc this is the description messagesomething was hacked
Add another event? (y/n)n

I have a lot of ideas to improve, so expect some more functionality added soon…