timeBoss

timeBoss copied to clipboard

timeBoss

A UI for forensic filtering of filesystem time line files from mactime or log2timeline.

What? If you've used the sleuthkit to create filesystem timelines you know that the result is a treasure-trove of information.

However, it's usually plain text and difficult to parse beyond
simple greps without some tools. 

timeBoss is a UI built with python and kivy that makes use of 
pandas dataframes with timestamp indexing to filter the timeline
into usable bits. 

Install? prerequesites: python 2.7 pandas: pip install pandas kivy: pip install kivy

Run? Video Demo: http://www.youtube.com/watch?v=4Km_FR-Esk8

python main.py from whatever directory you've downloaded the project to. 

You'll be presented with a file open dialog. Pick a timeline file generated 
to .csv format ala: 

<assuming a dd disk image of an ntfs drive named sda1.dd> 
fls -f ntfs -m / -r sda1.dd > sda1.dd.macs
ils -f ntfs -m  sda1.dd >> sda1.dd.macs
mactime -b sda1.macs -d > sda1.mactime.csv

Or use your favorite method to create log2timeline .csv file.

Usage:
Once opened (typical win7 install is 20MB worth of macs, 30secs to open) you'll see the main interface with years at the bottom, search at the top.

Click a year and you'll see the time entries for that year. 

Filtering: You can search a display by typing something (.exe for example) and pressing return.

Filtering is cumulative. Search 'deleted' and you'll see all deleted files. Search again for 'exe' and you'll
see only deleted 'exe' files. 

Enter any recognizable date (1/1, 1/1/2000, 4am, Aug 1st, etc) range in the start/end date field to filter results within that range.

You can search a field by entering 
    field: search
i.e. to search the Format field of a log2timeline file enter format: iehistory

You can negate a search with ! 
    ! format: iehistory


Scroll the list or the years by left clicking and dragging or via mouse
wheel. 

Next? This is an early release..feedback welcome!