Timesketch stories

Timesketch is an open source collaborative timeline analysis tool (source code) for for digital forensics and incident response. Using sketches multiple collaborators can easily organize and concurrently analyze timelines.

We are excited to announce a new version of Timesketch (2016.7 codename Interstellar). This version is packed with new features, tweaks and fixes that will make your analysis more efficient and fun!

Stories

A story is a place where you can capture the narrative of your technical investigation and add detail to your story with raw timeline data. The editor let you to write and capture the story behind your investigation and at the same time enable you to share detailed findings without spending hours writing reports.

At the moment, you can add events from previously saved searches. Just hit enter to start a new paragraph and choose the saved search from the dropdown menu.

This is just the beginning and we have lot of ideas going forward. For example, manually adding individual events to the story and automatically creating stories from Plaso analysis reports. If you have ideas please share them with us!

New sharing options

You’re now able to add more granular access control to your sketches with some new sharing options in the Interstellar release. The first is sharing a sketch with individual users of the system. This is ideal when you have a sensitive case and want to keep the sketch private but still need to collaborate with other analysts. In the sharing options there’s a new field called “Share with:”. Just put the username of the person you want to collaborate with and enjoy having a private sketch.

The second option is to share with a group of users. In this initial implementation groups are provisioned from your Single Sign On (SSO) system. To enable this feature you need to have your SSO implementation expose group information for the user when logging in. In future versions you will be able to manually create groups, stay tuned!

Other improvements

  • Elasticsearch 2.x support.
  • UI/UX refresh to make your Timesketch workflow even better.
  • Database migration support.
  • More API endpoints to better support tools that want to integrate with Timesketch.

What is coming in the next release?

We are already planning for the next releases and here are some of the features you can look forward to:

  • Canned queries — These are generic saved searches that can be applied to any sketch and on any number of Timelines. An example use of this is to store a generic query to enumerate all user logins or executed programs. With this feature you will be able to quickly bootstrap your investigations and to let the system automatically present you with relevant data.
  • Manual timeline events — Manually add events to your investigation will open up new possibilities. You’ll be able to add ad hoc events that are not sourced from Plaso.
  • Better time filters — More flexible time filters and an easier UI to add filters for this important attribute.
  • Activity streams — Get an overview of what your fellow analysts have been working on with real time updates of all actions taken in a sketch. This will also be the foundation of a new powerful auditing system.

See all planned features on the milestone page.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s