Timeline analysis from the future

Demo server is now available! https://demo.timesketch.org/

Timesketch is an open source collaborative forensic timeline analysis tool. It uses full text search to give you insight into your investigations. You can search hundreds of millions of events across different timelines all at once. Share your findings using saved views and add meaning to your data with labels and comments. Timesketch is build around collaboration, sharing and search.

We are excited to announce a new version of Timesketch, codename “Donnie Darko”. This release brings exciting new backend features such as a Python API client and Neo4j graph database support.

Python API client

To integrate Timesketch in your environment has been difficult. You have to install Timesketch with all dependencies, configure the server and so on. This is clearly not optimal. To make this better for you we have created a standalone API client library. The library takes care of authentication and sessions for you so you can focus on what is important. This is the first release of this library and we plan to add more features in the near future.

Install and use the API client

$ pip install timesketch-api-client
$ python
>>> from timesketch_api_client.client import TimesketchApi
>>> api_client = TimesketchApi("" username=test, password=test)
>>> api_client.list_sketches()
>>> sketch = api_client.get_sketch(1)
>>> sketch.search("search query")

We plan to develop a command line tool and shell which will provide the same features that you are used to in the web interface. I’m excited to see what the community will be able to do and what integrations we will see.

Graph database backend

The beginning of some exciting new features. With an interface for communicating with the open source graph database Neo4j we are prepared for graph exploration of timeline data. Our goal is to provide an intuitive and powerful graph exploration frontend. Stay tuned for more information on this! Here is a teaser (created with mock data):

For developers

Timesketch hackers, we are happy to announce that it is easier than ever to setup your environment with updated Vagrant support. Check out the official documentation to get started.

$ git clone https://github.com/google/timesketch.git
$ cd timesketch/vagrant
$ vagrant up
$ vagrant ssh
$ tsctl runserver -h

The environment is setup in such a way that when you edit the code on your host computer it will be reflected in the Vagrant VM automatically. This way you can use your favourite text editor for development.

Better time filters

Time filters has become more user friendly and powerful. Thanks to Ramses de Beer you can now filter on time by using the new syntax.

Timesketch will automatically parse your filter and create the correct time range. Examples:

  • 2017–01–12 (Specific day)
  • 2017–01–12 +-1d (Specific day and 1 day before and after)
  • 2017–01–12 12:01:01 +5m (Specific day and time and 5 minutes before and after)

Other improvements

  • Elasticsearch 5.x support.
  • Streaming results from Elasticsearch.
  • UI/UX refresh to make your Timesketch workflow even better.
  • You can now delete timelines.

Live demo server

It is now easier than ever to test Timesketch. We have set up a live demo server over at https://demo.timesketch.org/. Login with demo/demo and start your adventure with the example investigation called “Greendale” (not a real incident).

Check it out here: https://demo.timesketch.org/sketch/3/explore/view/77/

Note on upgrading

Follow the official upgrading instructions. You will need to backup your database and migrate the SQL schema. This release also introduces Elasticsearch version 5 support. This breaks compatibility with Elasticsearch 1.x and 2.x. If you have indices created with version 1.x you will need to reindex them. Follow the official documentation before you upgrade Timesketch.

Johan is a Senior Security Engineer at Google and he is the author of Timesketch. If you like articles like this — or interested in open source digital forensic tools — you can follow him on Twitter.

If you want to fetch the code it is available over at GitHub. Installation instructions are available on the Wiki.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s