https://github.com/jeffbryner/timeboss

UI for forensic filtering of filesystem mac times.
https://github.com/jeffbryner/timeboss

Last synced: 2 months ago
JSON representation

UI for forensic filtering of filesystem mac times.

• Host: GitHub
• URL: https://github.com/jeffbryner/timeboss
• Owner: jeffbryner
• License: other
• Created: 2013-01-04T02:20:38.000Z (about 12 years ago)
• Default Branch: master
• Last Pushed: 2020-05-14T16:12:01.000Z (over 4 years ago)
• Last Synced: 2024-04-17T07:13:57.831Z (9 months ago)
• Language: Python
• Size: 285 KB
• Stars: 15
• Watchers: 3
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README
  • License: COPYING

Awesome Lists containing this project

README

        
timeBoss

A UI for forensic filtering of filesystem time line files from mactime or log2timeline. 

What? 

    If you've used the sleuthkit to create filesystem timelines

    you know that the result is a treasure-trove of information. 

    

    However, it's usually plain text and difficult to parse beyond

    simple greps without some tools. 

    

    timeBoss is a UI built with python and kivy that makes use of 

    pandas dataframes with timestamp indexing to filter the timeline

    into usable bits. 

    

Install? 

    prerequesites: 

    python 2.7

    pandas: pip install pandas

    kivy: pip install kivy

    

Run? 

    Video Demo: http://www.youtube.com/watch?v=4Km_FR-Esk8

    python main.py from whatever directory you've downloaded the project to. 

    

    You'll be presented with a file open dialog. Pick a timeline file generated 

    to .csv format ala: 

    

     

    fls -f ntfs -m / -r sda1.dd > sda1.dd.macs

    ils -f ntfs -m  sda1.dd >> sda1.dd.macs

    mactime -b sda1.macs -d > sda1.mactime.csv

    

    Or use your favorite method to create log2timeline .csv file.

    

Usage:     

    Once opened (typical win7 install is 20MB worth of macs, 30secs to open)

    you'll see the main interface with years at the bottom, search at the top. 

    

    Click a year and you'll see the time entries for that year. 

Filtering: 

    You can search a display by typing something (.exe for example) and pressing

    return.

    Filtering is cumulative. Search 'deleted' and you'll see all deleted files. Search again for 'exe' and you'll

    see only deleted 'exe' files. 

    Enter any recognizable date (1/1, 1/1/2000, 4am, Aug 1st, etc) range in the start/end date field to filter results within that range.

    

    You can search a field by entering 

        field: search

    i.e. to search the Format field of a log2timeline file enter format: iehistory

    

    You can negate a search with ! 

        ! format: iehistory

    

    Scroll the list or the years by left clicking and dragging or via mouse

    wheel. 

    

Next? 

    This is an early release..feedback welcome!