It has always been our focus to push the boundaries on how we interact with forensic timeline data and how we enable collaboration for DFIR teams. Over the past year we have been busy updating the entire Timesketch frontend in order to make new features possible, the developer experience better and build a more maintainable code base for the future.
The result is a completely refreshed UI that is faster, hopefully more intuitive and includes what we think are some new and exciting features.
- New filter system with intuitive and easy to use controls
- Dynamic columns to tailor the output for your needs
- Get insights to your data using the new aggregation support
- Markdown support in Stories
- Enrich your data with analysers, and managed them in the UI
- Close integration with data science platform such as Jupyter and Colab
Note: The data shown in the screenshots throughout this post are all fictional.
Open Source: https://github.com/google/timesketch
A refreshed UI
This is a big update and along with it comes a new identity. Althea Labre have created a new logo for Timesketch that captures the core mission of the project.
Timesketch is an open source tool that helps analyse forensic timelines. The hallmark of this app is the ability for collaborative teams to simultaneously conduct investigations. We designed a mark that represents both the app’s technical functionality and intrinsic value to the user.Althea Labre
A new filter system
Timesketch is using Elasticsearch as its backend for full text search. This means we have all the power of Elasticsearch for searching and filtering. We got feedback that is has been difficult to create filters that are flexible and easy to use. We have listened to your feedback and as a result we completely redesigned how filters are built.
Instead of relying on the query string format for filters you can now interactively add filters directly from the events. Just click on the attribute you want to filter on and it will be added automatically. This opens the door for better data exploration and less friction for the user.
Another frequent feature request is the need for flexible time range filters. One example is if you want to see events for three different days that are not in consecutive order. This is now possible with the feature of multiple time ranges. Just add as many ranges you need and the system will create the filters for you.
Starred events has been updated to be more flexible. Before you could only display all starred events without any possibility to apply any other filter. With this update the star filter is treated just as another filter which means that you can search within your starred events with greater flexibility.
Up until now we have only displayed a few columns from the data available without any way to customize it. With the new UI it is now possible to choose which fields to display. Any field that have been indexed can be chosen and they are preserved if you decide to save the view later.
Get insights on your data
We wanted to make aggregated data a natural part of data exploration. We removed the old static charts in favour of a dynamic and interactive frontend for aggregations.
Markdown support in Stories
Timesketch stories captures your notes, hypotheses and lets you embed interactive timeline events. We have rewritten the implementation to support Markdown and make the layout system data driven. This means that we can programatically create stories, and the interface is hopefully easier to use for the user.
We have added a new framework for assisted analysis which means that you can enrich your data with analysers written in Python. We call it Timesketch analysers.
We will write more about this in the future because the details and possibilities are too many to fit in this post. But here is the TL;DR and how it is implemented in the UI.
The new systems consist of a set of background workers that can execute Python code on a stream of events. It provides an easy to use API to programmatically do all the actions available in the UI, e.g. tagging events, star and create saved views etc. The idea is to automatically enrich data with encoded analysis knowledge. Here are some of the analyzers that has already been developed and are available by default:
- Feature extraction
- NTFS timestomping
- Domain enrichment
- Google Cloud Service key analysis
- Account finder
- Phishing detection
- Browser search extraction
Here is an example from an automatically detected phishing domain with the Phishy domain analyzer. You can see that the analyzer automatically added emojis to the event and tagged it so the analyst can easily find it.
Data science and integration with Jupyter and Colab
This is another topic that we will write more about in the near future, but we are excited to announce that we have support for data science platforms such Jupyter and Colab.
By using industry standard platforms for data science research and integrate these with Timesketch we can now start developing statistical models and automated analysis to enrich our evidence and surface relevant data both visual and textual to aid the analyst in their work.
To achieve this we needed a way for researchers to get started using Timesketch data and for developers to port to actual implementation.
Kristinn Guðjónsson is leading this initiative and is bringing the worlds of research and Timesketch together. Keep an eye out for an upcoming post where we will explore this feature in detail.
In case you want a sneak preview you can start playing with the data here.