Building Incident Timeline With Timesketch

Architecture and Components

Core Components

• Timesketch Server: Web application with REST API for timeline management
• OpenSearch/Elasticsearch: Backend storage and search engine for timeline events
• PostgreSQL: Metadata storage for sketches, stories, and user data
• Redis: Task queue management for background processing
• Celery Workers: Asynchronous processing of timeline uploads and analyzers

Data Flow

Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso)
     |                                           |
     v                                           v
  CSV/JSONL --> Timesketch Importer --> OpenSearch Index
                                           |
                                           v
                                    Timesketch Web UI
                                    (Search, Analyze, Story)

Deployment

Docker Deployment (Recommended)

# Clone Timesketch repository
git clone https://github.com/google/timesketch.git
cd timesketch

# Run deployment helper script
cd docker
sudo docker compose up -d

# Default access: https://localhost:443
# Admin credentials generated during first run

System Requirements

• Minimum 8 GB RAM (16+ GB recommended for large investigations)
• 4 CPU cores minimum
• SSD storage for OpenSearch indices
• Docker and Docker Compose installed

Data Ingestion Methods

Method 1: Plaso Integration (Comprehensive)

# Process disk image with log2timeline
log2timeline.py --storage-file evidence.plaso /path/to/disk/image

# Process Windows event logs
log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/

# Process multiple evidence sources
log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \
  --storage-file full_analysis.plaso /path/to/mounted/image/

# Import Plaso file into Timesketch
timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso

Method 2: CSV Import (Quick Ingestion)

message,datetime,timestamp_desc,source,hostname
"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01"
"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042"

# Import CSV directly
timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv

Method 3: JSONL Import (Structured Data)

{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"}

Method 4: Sigma Rule Integration

# Upload Sigma rules for automated detection
timesketch_importer --sigma-rules /path/to/sigma/rules/

Analysis Workflow

Step 1: Create Investigation Sketch

1. Log into Timesketch web interface
2. Create new sketch (investigation case)
3. Add relevant timelines to the sketch
4. Set sketch description and tags

Step 2: Run Built-in Analyzers

Timesketch includes analyzers that automatically identify:

• Browser Search Analyzer: Extracts search queries from browser history
• Chain of Events Analyzer: Links related events (download -> execute)
• Domain Analyzer: Extracts and categorizes domain names
• Feature Extraction Analyzer: Identifies IPs, URLs, hashes
• Geo Location Analyzer: Maps events to geographic locations
• Similarity Scorer: Finds similar events across timelines
• Sigma Analyzer: Matches events against Sigma detection rules
• Account Finder: Identifies user account activity patterns
• Tagger: Applies labels based on predefined rules

Step 3: Search and Filter

# Search examples in Timesketch query language

# Find all events related to specific user
source_short:Security AND message:"john.admin"

# Find PowerShell execution events
data_type:"windows:evtx:record" AND event_identifier:4104

# Find lateral movement indicators
source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3"

# Find events within specific time range