Timesketch is an open source collaborative forensic timeline analysis tool. It uses full text search to give you insight into your investigations. You can search hundreds of millions of events across different timelines all at once. Share your findings using saved views and add meaning to your data with labels and comments. Timesketch is build around collaboration, sharing and search.
We are excited to announce a new version of Timesketch, codename “Donnie Darko”. This release brings exciting new backend features such as a Python API client and Neo4j graph database support.
Python API client
To integrate Timesketch in your environment has been difficult. You have to install Timesketch with all dependencies, configure the server and so on. This is clearly not optimal. To make this better for you we have created a standalone API client library. The library takes care of authentication and sessions for you so you can focus on what is important. This is the first release of this library and we plan to add more features in the near future.
Install and use the API client
$ pip install timesketch-api-client $ python >>> from timesketch_api_client.client import TimesketchApi >>> api_client = TimesketchApi("http://127.0.0.1:5000" username=test, password=test) >>> api_client.list_sketches() ... >>> sketch = api_client.get_sketch(1) >>> sketch.search("search query")
We plan to develop a command line tool and shell which will provide the same features that you are used to in the web interface. I’m excited to see what the community will be able to do and what integrations we will see.
Graph database backend
The beginning of some exciting new features. With an interface for communicating with the open source graph database Neo4j we are prepared for graph exploration of timeline data. Our goal is to provide an intuitive and powerful graph exploration frontend. Stay tuned for more information on this! Here is a teaser (created with mock data):
Timesketch hackers, we are happy to announce that it is easier than ever to setup your environment with updated Vagrant support. Check out the official documentation to get started.
$ git clone https://github.com/google/timesketch.git $ cd timesketch/vagrant $ vagrant up ... $ vagrant ssh $ tsctl runserver -h 0.0.0.0
The environment is setup in such a way that when you edit the code on your host computer it will be reflected in the Vagrant VM automatically. This way you can use your favourite text editor for development.
Better time filters
Time filters has become more user friendly and powerful. Thanks to Ramses de Beer you can now filter on time by using the new syntax.
Timesketch will automatically parse your filter and create the correct time range. Examples:
- 2017–01–12 (Specific day)
- 2017–01–12 +-1d (Specific day and 1 day before and after)
- 2017–01–12 12:01:01 +5m (Specific day and time and 5 minutes before and after)
- Elasticsearch 5.x support.
- Streaming results from Elasticsearch.
- UI/UX refresh to make your Timesketch workflow even better.
- You can now delete timelines.
Live demo server
It is now easier than ever to test Timesketch. We have set up a live demo server over at https://demo.timesketch.org/. Login with demo/demo and start your adventure with the example investigation called “Greendale” (not a real incident).
Check it out here: https://demo.timesketch.org/sketch/3/explore/view/77/
Note on upgrading
Follow the official upgrading instructions. You will need to backup your database and migrate the SQL schema. This release also introduces Elasticsearch version 5 support. This breaks compatibility with Elasticsearch 1.x and 2.x. If you have indices created with version 1.x you will need to reindex them. Follow the official documentation before you upgrade Timesketch.
Johan is a Senior Security Engineer at Google and he is the author of Timesketch. If you like articles like this — or interested in open source digital forensic tools — you can follow him on Twitter.