It would be great if Timesketch could warn the user that the evidence they loaded into Timesketch appears to be incomplete and explain why it thinks so.
This could be done after Timesketch has completed all the processing of the uploaded evidence. The "analyzer" would check what evidence is available and only run a check if the right evidence for it is available (including any dependencies).
Example checks:
There are entries for all non-empty Bash history files
All *.evtx files were parsed
All *.pslist files were parsed
The number of file system entries is > 500
The browsing history databases for Chrome/Firefox/Edge/Safari exist on disk and there are entries for them in the timeline
etc.
Detailed example:
All ntuser.dat/usrclass.dat files were parsed (for example)
Dependency: Windows Registry entries & File system entries
Action: List 'ntuser.dat' and 'usrclass.dat' files in C:\Users
Check: Confirm that there are at least 20 entries for each registry hive
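As an added illustration of the detailed example above (not Timesketch's own code and not using its analyzer API): a standalone Python sketch that runs the registry-hive check only when both dependencies are present, lists the ntuser.dat/usrclass.dat files under C:\Users from the file-system events, and warns for every hive with fewer than 20 registry entries. Events are constructed dicts with a Plaso-style "data_type" and a "filename" field; that field layout is an assumption made for the sketch.

```python
from collections import Counter

HIVE_NAMES = ("ntuser.dat", "usrclass.dat")
MIN_HIVE_ENTRIES = 20  # threshold from the detailed example above


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hive_files(events):
    """Action: list ntuser.dat / usrclass.dat files under C:\\Users seen by the file-system parser."""
    return {e["filename"] for e in events
            if e["data_type"].startswith("fs:")
            and e["filename"].lower().startswith("c:\\users\\")
            and _basename(e["filename"]) in HIVE_NAMES}


def registry_counts(events):
    """Number of registry events attributed to each hive file (keyed by lower-cased path)."""
    return Counter(e["filename"].lower() for e in events
                   if e["data_type"].startswith("windows:registry:"))


def check_registry_hives(events):
    """Returns (ran, warnings); ran is False when a dependency (fs or registry events) is absent."""
    have_fs = any(e["data_type"].startswith("fs:") for e in events)
    have_reg = any(e["data_type"].startswith("windows:registry:") for e in events)
    if not (have_fs and have_reg):
        return False, []  # dependency missing: skip the check instead of raising a false alarm
    counts = registry_counts(events)
    warnings = [f"{h}: {counts[h.lower()]} registry entries, expected at least {MIN_HIVE_ENTRIES}"
                for h in sorted(hive_files(events)) if counts[h.lower()] < MIN_HIVE_ENTRIES]
    return True, warnings


# Constructed sample timeline (not real evidence): three hives on disk, only one parsed fully.
def _fs(path): return {"data_type": "fs:stat", "filename": path}
def _reg(path): return {"data_type": "windows:registry:key_value", "filename": path}
SAMPLE_EVENTS = (
    [_fs(r"C:\Users\alice\NTUSER.DAT"), _fs(r"C:\Users\bob\NTUSER.DAT"),
     _fs(r"C:\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat"),
     _fs(r"C:\Windows\System32\config\SYSTEM")]  # not under C:\Users, so ignored by the check
    + [_reg(r"C:\Users\alice\NTUSER.DAT")] * 25
    + [_reg(r"C:\Users\bob\NTUSER.DAT")] * 3
)

if __name__ == "__main__":
    ran, warnings = check_registry_hives(SAMPLE_EVENTS)
    print("check ran:", ran)
    for w in warnings:
        print("WARNING:", w)
```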
Mock-up Solution
Reasoning
Helps:
Ensure the collected/loaded evidence is complete
Highlight evidence gaps that the analyst might miss
Some gaps are difficult to discover & might go unnoticed