Timeline creation and presentation is the concept of normalizing event data by time and presenting it in chronological order for review. This sequence of event data becomes a narrative, "a story", of events over a period of time. It can also be used to put events into context, interpret complex data, and identify anomalies or patterns. The concept is widely used across many practices, including Digital Forensics and Incident Response (DFIR).
For DFIR purposes, timeline creation and presentation primarily consists of recursively scanning a file system (or linearly scanning a physical or partition disk image), extracting forensic artifacts and their associated timestamps, and converting the data to a normalized, structured format that can then be reviewed in chronological order.
|Slide from my SANS 360 talk|
- Import structured timeline data, such as a log2timeline CSV file, into a structured database. This would allow fast indexed searches across large data sets.
- Upon import, the application would allow the user to preserve source information. This lets a practitioner review data from multiple data sources in a SUPER timeline and easily correlate events across those sources.
- The forensic timeline data would then be displayed for review in a Graphical User Interface (GUI) data grid similar to Microsoft Excel, with familiar features such as the ability to sort, filter, and color code rows by column headings or values. For instance, a user could import timeline data from 10 different hosts, filter to show only successful logons (based on evt log source types) between 2009 and 2010, and color code the results by host to make the review process easy on the eyes :-)
- Unlike Excel, make filtering transparent: visually see and understand how the buttons you press interact with the database and the results you are presented with (an SQL query builder).
- The interface would also be intuitive enough that a user could create user-defined tags, comments, and bookmarks for the purpose of reporting, filtering, and assisting review. For instance, a user could create the tag "evidence of IP theft" and then select one or more rows in the data grid and associate them with that tag, just like you can in eDiscovery!
- At any point, generate reports or export data from the grid view. For example, export a filtered subset of data back into CSV format to open in Excel or send to someone else.
- Ability to create custom queries, so the user is not limited by the GUI (think plugins!).
- Also, basic charting capability, because "a picture can sometimes tell a thousand words".
- wx GUI front-end
- Python code
- SQLite backend
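To make the design concrete, here is an added, self-contained sketch of the import, filter, tag and export flow described in the list above. It is example code written for this post, not the tool itself: it loads a few constructed rows in the legacy log2timeline "l2tcsv" column layout into an in-memory SQLite database (keeping an `import_source` column for provenance and a normalized `ts` column for sorting), builds the filter SQL from a whitelist of column names so the user can see exactly what query the GUI runs, tags matching rows, and writes a filtered subset back out as CSV. The hostnames, usernames and event rows are invented sample data, and function names such as `build_filter_sql` and `export_csv` are my own.

```python
"""Minimal timeline store: import l2tcsv rows into SQLite, filter them with a
transparent SQL builder, tag rows, and export a filtered subset back to CSV.
Added illustration of the design above; not the author's tool."""
import csv
import io
import sqlite3
from datetime import datetime

# Column order of the legacy log2timeline "l2tcsv" layout.
L2T_COLUMNS = ["date", "time", "timezone", "MACB", "source", "sourcetype",
               "type", "user", "host", "short", "desc", "version",
               "filename", "inode", "notes", "format", "extra"]

# Constructed sample timeline rows (not real case data); hosts/users invented.
SAMPLE_CSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/02/2009,09:15:02,UTC,....,EVT,Security,Event Logged,jdoe,HOST-A,Logon success,EventID 528 successful logon,2,Security.evt,0,-,winevt,-
06/20/2009,22:41:30,UTC,....,EVT,Security,Event Logged,asmith,HOST-B,Logon success,EventID 528 successful logon,2,Security.evt,0,-,winevt,-
06/21/2009,01:05:17,UTC,....,EVT,Security,Event Logged,asmith,HOST-B,Logon failure,EventID 529 failed logon,2,Security.evt,0,-,winevt,-
06/21/2009,01:06:44,UTC,M...,FILE,NTFS $MFT,Content Modified,-,HOST-B,secrets.xlsx,Modified secrets.xlsx,2,/Users/asmith/secrets.xlsx,5121,-,mft,-
11/11/2011,10:00:00,UTC,....,EVT,Security,Event Logged,jdoe,HOST-A,Logon success,EventID 4624 successful logon,2,Security.evtx,0,-,winevtx,-
"""

# All l2tcsv columns are quoted because "desc" is an SQL keyword.
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL,             -- normalized 'YYYY-MM-DD HH:MM:SS' for sorting
    import_source TEXT NOT NULL,  -- which CSV/host image the row came from
    %s
);
CREATE INDEX IF NOT EXISTS idx_events_ts ON events(ts);
CREATE INDEX IF NOT EXISTS idx_events_host ON events("host");
CREATE INDEX IF NOT EXISTS idx_events_sourcetype ON events("sourcetype");
CREATE TABLE IF NOT EXISTS tags (
    event_id INTEGER REFERENCES events(id),
    tag TEXT NOT NULL,
    PRIMARY KEY (event_id, tag)
);
""" % ", ".join('"%s" TEXT' % c for c in L2T_COLUMNS)

FILTERABLE = set(L2T_COLUMNS) | {"import_source"}


def normalize_ts(date_str, time_str):
    """l2tcsv dates are MM/DD/YYYY; convert to a sortable ISO-style string."""
    dt = datetime.strptime(date_str + " " + time_str, "%m/%d/%Y %H:%M:%S")
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def import_l2t_csv(conn, csv_text, import_source):
    """Load l2tcsv text, preserving where it came from; returns rows imported."""
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = ", ".join('"%s"' % c for c in L2T_COLUMNS)
    marks = ", ".join("?" * (len(L2T_COLUMNS) + 2))
    sql = "INSERT INTO events (ts, import_source, %s) VALUES (%s)" % (cols, marks)
    count = 0
    with conn:
        for row in reader:
            values = [normalize_ts(row["date"], row["time"]), import_source]
            values += [row.get(c, "") for c in L2T_COLUMNS]
            conn.execute(sql, values)
            count += 1
    return count


def build_filter_sql(equals=None, contains=None, start=None, end=None, tag=None):
    """Translate GUI filter widgets into SQL the user can read and verify.
    Column names are checked against a whitelist so a widget can never inject
    SQL; values always travel as bound parameters. Returns (sql, params)."""
    where, params = [], []
    for col, val in (equals or {}).items():
        if col not in FILTERABLE:
            raise ValueError("unknown column: %r" % col)
        where.append('"%s" = ?' % col)
        params.append(val)
    for col, val in (contains or {}).items():
        if col not in FILTERABLE:
            raise ValueError("unknown column: %r" % col)
        where.append('"%s" LIKE ?' % col)
        params.append("%" + val + "%")
    if start:
        where.append("ts >= ?")
        params.append(start)
    if end:
        where.append("ts <= ?")
        params.append(end)
    if tag:
        where.append("id IN (SELECT event_id FROM tags WHERE tag = ?)")
        params.append(tag)
    sql = "SELECT * FROM events"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY ts, id", params


def run_filter(conn, **filters):
    sql, params = build_filter_sql(**filters)
    return [dict(r) for r in conn.execute(sql, params)]


def tag_events(conn, tag, event_ids):
    """Attach a user-defined tag (e.g. "evidence of IP theft") to grid rows."""
    with conn:
        conn.executemany("INSERT OR IGNORE INTO tags (event_id, tag) VALUES (?, ?)",
                         [(i, tag) for i in event_ids])


def export_csv(conn, **filters):
    """Write the filtered subset back out as CSV, with provenance columns first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ts", "import_source"] + L2T_COLUMNS)
    for row in run_filter(conn, **filters):
        writer.writerow([row["ts"], row["import_source"]] + [row[c] for c in L2T_COLUMNS])
    return out.getvalue()


if __name__ == "__main__":
    db = open_store()
    print("imported", import_l2t_csv(db, SAMPLE_CSV, "sample.csv"), "rows")
    sql, params = build_filter_sql(equals={"sourcetype": "Security"},
                                   contains={"short": "Logon success"},
                                   start="2009-01-01 00:00:00", end="2010-12-31 23:59:59")
    print(sql, params)  # what the GUI would show next to the filter buttons
    for hit in db.execute(sql, params):
        print(hit["ts"], hit["host"], hit["user"], hit["short"])
```

The "successful logons between 2009 and 2010" filter from the list maps to `equals={"sourcetype": "Security"}`, `contains={"short": "Logon success"}` and a `start`/`end` range on the normalized `ts` column; the same `run_filter` call feeds both the grid and `export_csv`, so what the user sees is what gets exported.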
|You can see auto-highlighting by source type and POC charting here..|
Overview of data flow:
|In red I am working on in Phase 2.|
Also, I really look forward to feedback, positive or negative, so I can improve and include thoughts in my future employer performance discussions so I don't wind up becoming a Walmart Greeter :-)