log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

psort MACB format in Timesketch #2077

Closed MariasStory closed 6 years ago

MariasStory commented 6 years ago

Hi, the psort output in Timesketch is quite different from csv. In particular, I would like to see the MACB instead of several events with different explanations like "Content Modification Time" or "Last Access Time". Is it something that can be/will be/is done?

joachimmetz commented 6 years ago

The output of Timesketch is intended for Timesketch https://github.com/google/timesketch. Changing it will break compatibility.

joachimmetz commented 6 years ago

Also MACB grouping is fundamentally wrong since a grouping does not necessarily mean the timestamps are actually the same, but more due to the lack of granularity and precision they appear to be the same. See discussion: https://github.com/log2timeline/plaso/issues/306

It also limits further accurate automated processing of the events.

MariasStory commented 6 years ago

Hi @joachimmetz, as always, you have deep understanding of the situation, and I see your point. I am not sure about the automated timeline processing, do you have some ideas? At the moment, we, and some other security experts that I know, are using manual timelining. In my use case additional events grouping is a plus. I mean a type of grouping that does not lose information. In the MACB case the real events sequence could be represented by the letters order. This might work even when the timestamp is shortened. Maybe, I would go even further in the statement and say that some hints on the file modification type could be suggested in the event. Like this one: https://digital-forensics.sans.org/media/Poster_Windows_Forensics_2017_WEB.pdf In short, I do agree that we may separate two different use cases:

1) Explicit timelining of detected events. This one is useful for further automated processing.
2) Grouped processing for manual timeline investigation. We will need it anyway.

My impression is that the plaso file is the events file and I would assume that it is better to do automated processing of plaso file, we may still have some conversion functionality in psort. At the same time, I would like to see an analyst friendly output that can be easily interpreted.

joachimmetz commented 6 years ago

> I am not sure about the automated timeline processing, do you have some ideas?

Timesketch does automated processing of events.

> At the same time, I would like to see an analyst friendly output that can be easily interpreted.

"easily" is very subjective, features that make interpretation "easy" for you, might make it "harder" for someone else.

As indicated in #306 l2tcsv supports MACB grouping.

https://digital-forensics.sans.org/media/Poster_Windows_Forensics_2017_WEB.pdf

This is a bad example because anno 2018 it still contains ambiguously formatted dates and times, such as "8/12/2013"
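The granularity problem joachimmetz describes, as an added example that is not plaso's own code: four constructed events on one file are grouped the way l2tcsv does (timestamps truncated to one second), which yields a single MACB string even though two of the merged timestamps differ by 250 ms. The `sequence` and `distinct_timestamps` fields are assumptions added here to show how the letter order MariasStory asks for can be kept, and how to flag when a group has hidden precision.

```python
from collections import defaultdict

# l2tcsv convention: which plaso timestamp_desc maps to which MACB column.
MACB_LETTER = {
    "Content Modification Time": "M",
    "Last Access Time": "A",
    "Metadata Modification Time": "C",
    "Creation Time": "B",
}

# Constructed sample events (not real plaso output). Timestamps are
# microseconds since the epoch, which is how plaso stores them.
EVENTS = [
    {"timestamp": 1377000000000000, "timestamp_desc": "Creation Time", "filename": "C:/Users/x/a.exe"},
    {"timestamp": 1377000000000000, "timestamp_desc": "Content Modification Time", "filename": "C:/Users/x/a.exe"},
    {"timestamp": 1377000000250000, "timestamp_desc": "Metadata Modification Time", "filename": "C:/Users/x/a.exe"},
    {"timestamp": 1377000001000000, "timestamp_desc": "Last Access Time", "filename": "C:/Users/x/a.exe"},
]


def macb_group(events, granularity_us=1_000_000):
    """Collapse events on the same file whose timestamps are equal once
    truncated to granularity_us (default: one second, like l2tcsv).

    Each group carries the classic MACB string plus two assumed extras:
    'sequence', the letters in true timestamp order (keeps the ordering),
    and 'distinct_timestamps', how many raw timestamps were merged,
    which is > 1 whenever the grouping has hidden precision.
    """
    groups = defaultdict(list)
    for ev in events:
        key = (ev["timestamp"] // granularity_us * granularity_us, ev["filename"])
        groups[key].append(ev)

    result = []
    for (ts, filename), evs in sorted(groups.items()):
        present = {MACB_LETTER[e["timestamp_desc"]] for e in evs}
        macb = "".join(letter if letter in present else "." for letter in "MACB")
        # True order: raw timestamp first, MACB column order breaks ties.
        ordered = sorted(evs, key=lambda e: (e["timestamp"], "MACB".index(MACB_LETTER[e["timestamp_desc"]])))
        result.append({
            "timestamp": ts,
            "filename": filename,
            "macb": macb,
            "sequence": "".join(MACB_LETTER[e["timestamp_desc"]] for e in ordered),
            "distinct_timestamps": len({e["timestamp"] for e in evs}),
        })
    return result
```

With `granularity_us=1` no truncation happens and the same input yields three separate rows, which is the lossless form the Timesketch output preserves.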