Before I get into what's new, I would like to quickly reflect. 4n6time was introduced as a proof-of-concept application demoed at the 2011 SANS 360 Summit and has since grown to have a global user base. In 2013, 4n6time was nominated for the "tool of the year" award by forensic4cast (vote again this year!).
I remember joking that 4n6time would be free to everyone except LE (law enforcement). A lot of people laughed at that joke. However, in hindsight, LE is one of my primary motivators to continue to invest personal time and expenses in this project.
In the middle of last year I received an e-mail stating that 4n6time was used to help prosecute a murder case by presenting a complex set of data to a jury in a way they could understand. A few weeks later I received an e-mail that 4n6time had helped a family understand the facts leading up to a suicide. I get testimonial e-mails like this all the time from people.
Hearing feedback that Davnads potentially impacted someone's life is surreal. It really is. Now if only I can figure out how to get a tax write-off on this??? Lol.
The general feedback I get is that 4n6time does not make evidence available that other tools do not. It just makes evidence more readily accessible, presents it in a way that is logical, and makes telling the story easy with a mouse. In fact, I think the download counts from last year speak for themselves. Although I suspect Kristinn would argue that the logs all point to Davnads downloading his own tool ;-)
I guess the reason I am sharing this story is to encourage others to contribute to existing projects like plaso or to start new projects. Everyone has to start somewhere and you never know where it will end up. I am also sharing this to thank people for the feedback. If it wasn't for the e-mails, challenge coins, patches and other swag, I probably would have stopped investing in this project a long time ago.
Now let's take a look at what's under the hood in 4n6time, v.0.5...
- Contains latest "release" of plaso v.1.1.0 and dependencies.
- More intuitive create timeline wizard with ability to enable parser(s) visually amongst other enhancements.
- Ability to interact with all charts (e.g. click on source and update data grid view to only show source).
- Mouse-hover "tool tips" on all major buttons.
- Filter query preview (e.g. how many/types of results will be returned).
- Filter pivoting in data grid view based on various time criteria.
- Enhanced charting and reporting.
- Event ID (EVT ID) lookup / deeper VirusTotal (VT) integration.
- More export to CSV options.
- Every time data is added to the database, it prompts for an evidence number, which is used to differentiate multiple data sources in the timeline.
- Advanced filtering.
- Lots of GUI enhancements and better error handling.
- Proof-of-concept MySQL back end: this adds a collaborative (server/client) review approach to timeline analysis. It also allows timelines to scale much more efficiently.
Work-in-progress documentation is here: https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time