Overview
I am happy to say that a new tool made it to github called „timesketch-tools“.
It is basically a way to interact with Timesketch via CLI. For those who don’t know Timesketch, it is an amazing opensource tool developed by Johan Berggren and is used to create timelines for forensic investigations as well as incident response cases.
Reason
Back in 2017, Johan tweeted:
Do you want to build automation around forensic timeline analysis? try: pip install timesketch-api-client #DFIR
— Johan (@jberggren) 15. August 2017
Why is the WebUi not enough? Well in some cases you might want to automate stuff, have no browser or other reasons, so it is not „Why“ but „why not“.
So I did during the last few days and built a client for it: timesketch-tools
Capabilities
At the moment only two methods do work, but it should be enough to show the power of it.
List sketches
timesketch-tools.py -ls
_______ __ __ __
/_ __(_)_ _ ___ ___ / /_____ / /_____/ /
/ / / / ' \/ -_|_-</ '_/ -_) __/ __/ _
/_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1
+-----+-----------------------------+
| id | Name |
+-----+-----------------------------+
| 130 | test1Untitled sketch |
| 3 | The Greendale investigation |
+-----+-----------------------------+
Add event
timesketch-tools.py --add_events
_______ __ __ __
/_ __(_)_ _ ___ ___ / /_____ / /_____/ /
/ / / / ' \/ -_|_-</ '_/ -_) __/ __/ _
/_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1
Please provide the sketch id you want to add events to as (an integer): 3
Please provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted
Timestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c
timestamp_desc this is the description
message something was hacked
Event added, ID: 18 Date:2018-10-31T14:49:41+00:00 timestamp desc this is the description messagesomething was hacked
Add another event? (y/n)n
I have a lot of ideas to improve, so expect some more functionality added soon…