Timesketch – Collaborative Forensic Timeline Analysis

Timesketch is an open source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.


The framework supports three ways to add logs and artifacts:

  • Create timeline from JSON/JSONL/CSV file
  • Create timeline from Plaso file
  • Enable Plaso upload via HTTP

Timesketch is organized into sketches, where one sketch usually corresponds to one case. Every sketch can contain multiple timelines with multiple views. Users may hide events from the interface to reduce noise, and the view section offers a heatmap aggregation that shows on which day of the week and at which hour events occurred. This is very useful, for example, when analyzing lateral movement or login events.
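As an added illustration of the JSON/JSONL import path listed above and of the day-of-week/hour aggregation behind the view heatmap (example code written for this page, not part of Timesketch): it converts constructed sshd syslog lines into the JSONL layout Timesketch ingests and buckets the same events by weekday and hour. The required field names (message, datetime, timestamp_desc) are taken from the Timesketch import documentation; the log lines, hostname and year are constructed assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input (not real data): syslog-style sshd lines.
SAMPLE_LOG = """\
Jan 14 03:12:07 host1 sshd[4121]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jan 14 03:15:41 host1 sshd[4133]: Failed password for root from 10.0.0.9 port 40110 ssh2
Jan 16 09:02:13 host1 sshd[5890]: Accepted publickey for bob from 10.0.0.7 port 52288 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_line(line, year=2024):
    """Map one sshd line to a Timesketch event dict (None if it does not match).
    message, datetime (ISO 8601) and timestamp_desc are the fields the Timesketch
    import docs require; the year is assumed because syslog lines omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "message": m["msg"],
        "datetime": ts.isoformat(),
        "timestamp_desc": "sshd authentication",
        "hostname": m["host"],  # extra fields become searchable attributes
        "outcome": "success" if m["msg"].startswith("Accepted") else "failure",
    }

def events_from(log_text):
    """All parsable events from a block of log text, in file order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]

def to_jsonl(log_text):
    """One JSON object per line: the JSONL layout Timesketch ingests."""
    return "".join(json.dumps(e) + "\n" for e in events_from(log_text))

def heatmap(log_text):
    """Day-of-week/hour buckets, the aggregation the view heatmap draws."""
    counts = Counter()
    for e in events_from(log_text):
        ts = datetime.fromisoformat(e["datetime"])
        counts[(ts.strftime("%A"), ts.hour)] += 1
    return counts
```

Write the output of `to_jsonl(SAMPLE_LOG)` to a `.jsonl` file and it can be uploaded as a new timeline; the `outcome` attribute then makes failed and successful logins separable in the sketch.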

The framework includes a story section, a place where you can capture the narrative of your technical investigation and add detail to it with raw timeline data. The editor lets you write down the story behind your investigation and, at the same time, share detailed findings without spending hours writing reports.

You can read more and download the framework here: https://github.com/google/timesketch
