
Timesketch

Using the artemis API you can timeline artifacts and optionally upload them to Timesketch for analysis.

Timesketch is an open source timeline analysis web application created by Google.

Before data can be uploaded to Timesketch it must first be timelined.

artemis currently provides a single helper function, timelineArtifact, that timelines the artifacts artemis can parse.

warning

As with uploading to cloud storage, artemis does not currently protect the credentials used to authenticate to Timesketch; they sit in plaintext in your script.

This matters because Timesketch has very limited support for account permissions. If you create an account for artemis and an unauthorized user obtains its credentials, they will be able to upload, delete, or otherwise modify any data artemis has uploaded.

If you do not want to expose Timesketch credentials, timeline the data to a local directory, network share, or external drive instead, then upload it with another tool.

The sample script below pulls a process listing and uploads it to Timesketch.

import { hostname, processListing } from "../../Projects/artemis-api/mod.ts";
import { Timesketch } from "../../Projects/artemis-api/src/timesketch/client.ts";
import {
  TimesketchAuth,
  TimesketchAuthType,
} from "../../Projects/artemis-api/types/timesketch/client.ts";
import { TimesketchArtifact } from "../../Projects/artemis-api/types/timesketch/timeline.ts";

async function main() {
  // Pull the process listing from the local system
  const results = processListing(true, false, false, true);
  console.log(results.length);

  // Credentials are stored in plaintext here; see the warning above
  const auth: TimesketchAuth = {
    url: "http://192.168.1.193",
    username: "sketchy",
    password: "password",
    verify_ssl: false,
    auth_type: TimesketchAuthType.CREDS,
    sketch_id: 1,
  };

  // Name of timeline
  const host = hostname();
  // Create a Timesketch client
  const client = new Timesketch(auth, host);

  // Timeline the process listing and upload it to the sketch
  const status = await client.timelineAndUpload(
    results,
    TimesketchArtifact.PROCESSESS,
  );
  console.log(status);
}

main();

A quick walkthrough for this script:

  1. async function main() Uploading to Timesketch is an async operation, so our script has to use async.
  2. processListing(true, false, false, true); Pull a process listing using artemis.
  3. Initialize the Timesketch client.

     const auth: TimesketchAuth = {
       url: "http://192.168.1.193",
       username: "sketchy",
       password: "password", // Reminder!: artemis currently does not safely protect credentials
       verify_ssl: false,
       auth_type: TimesketchAuthType.CREDS,
       sketch_id: 1, // Optional
     };

     Specifying the sketch_id is optional. If you do not provide one, artemis will create a new sketch.

     Note that with a plain http:// URL (or verify_ssl: false on https) the credentials also cross the network unprotected; prefer https with a certificate the client can verify.

  4. new Timesketch(auth, host); Create our Timesketch client using the auth object above and the system hostname as the timeline name.

  5. Timeline and upload the data to Timesketch!

     const status = await client.timelineAndUpload(
       results,
       TimesketchArtifact.PROCESSESS,
     );

A pretty timeline

info

artemis executes only JavaScript. You will need to create a build.ts script that transpiles this TypeScript example to JavaScript before you can run it.

Limitations and Possible Issues

Timesketch is primarily used to ingest Plaso files. While it supports uploading other formats (CSV, Excel sheets, and JSONL), it expects that data to come from either:

  • WebUI
  • Python API library

Because the artemis API is written in TypeScript, its Timesketch client is written from scratch, with the goal of replicating the upload features of the Python API library.

Some known limitations that have been observed:

Possible workarounds:

  • Timeline your data to JSONL files, combine them into one JSONL file, then upload it via the WebUI.
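As an added example (not artemis's own code) of the JSONL route suggested in the warning above and in this workaround: the block below converts constructed process entries into Timesketch-compatible JSONL records, then merges several JSONL chunks into one document while dropping lines that are malformed or lack a required field. It relies only on Timesketch's documented JSONL requirements (each record needs message, an ISO 8601 datetime, and timestamp_desc; other keys become searchable attributes). The ProcessEntry shape, the extra field names such as data_type, and the sample data are assumptions for illustration, not the artemis types or output.

```typescript
// Added example: build and merge Timesketch-compatible JSONL timelines.
// Timesketch requires three fields per JSONL record: "message",
// "datetime" (ISO 8601) and "timestamp_desc"; any other keys become
// searchable attributes in the sketch.

// Minimal process shape used here (constructed; not the real artemis type).
interface ProcessEntry {
  pid: number;
  ppid: number;
  name: string;
  path: string;
  start_time: string; // ISO 8601, UTC
}

interface TimesketchRecord {
  message: string;
  datetime: string;
  timestamp_desc: string;
  [key: string]: unknown;
}

const REQUIRED_FIELDS = ["message", "datetime", "timestamp_desc"] as const;

// Convert process entries to Timesketch records, one per process start time.
function processesToRecords(procs: ProcessEntry[], host: string): TimesketchRecord[] {
  return procs.map((p) => ({
    message: `${p.name} (pid ${p.pid}, ppid ${p.ppid}) ${p.path}`,
    datetime: p.start_time,
    timestamp_desc: "Process Start",
    data_type: "artemis:processes:entry", // assumed label, not an artemis constant
    hostname: host,
    pid: p.pid,
    ppid: p.ppid,
    path: p.path,
  }));
}

// Serialize records as JSONL: one JSON object per line, trailing newline.
function toJsonl(records: TimesketchRecord[]): string {
  return records.map((r) => JSON.stringify(r)).join("\n") + "\n";
}

// Merge several JSONL documents into one, validating every line.
// Lines that are not JSON objects, lack a required field, or carry an
// unparseable datetime are dropped and counted instead of being sent to
// Timesketch, where one bad line can spoil the whole WebUI upload.
function mergeJsonl(documents: string[]): { jsonl: string; kept: number; dropped: number } {
  const out: string[] = [];
  let dropped = 0;
  for (const doc of documents) {
    for (const line of doc.split("\n")) {
      if (line.trim() === "") continue;
      let obj: unknown;
      try {
        obj = JSON.parse(line);
      } catch {
        dropped++;
        continue;
      }
      if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
        dropped++;
        continue;
      }
      const rec = obj as Record<string, unknown>;
      const hasFields = REQUIRED_FIELDS.every(
        (f) => typeof rec[f] === "string" && (rec[f] as string) !== "",
      );
      if (!hasFields || Number.isNaN(Date.parse(rec.datetime as string))) {
        dropped++;
        continue;
      }
      out.push(JSON.stringify(rec));
    }
  }
  return { jsonl: out.length ? out.join("\n") + "\n" : "", kept: out.length, dropped };
}

// Constructed sample input (not real artemis output).
const SAMPLE_PROCS: ProcessEntry[] = [
  { pid: 4242, ppid: 1, name: "sshd", path: "/usr/sbin/sshd", start_time: "2024-03-01T10:15:00Z" },
  { pid: 4300, ppid: 4242, name: "bash", path: "/bin/bash", start_time: "2024-03-01T10:15:07Z" },
];

// Constructed second chunk (say, from another host) containing one valid
// record, one malformed line, and one record missing "datetime".
const OTHER_CHUNK =
  [
    '{"message":"cron (pid 77)","datetime":"2024-03-01T09:00:00Z","timestamp_desc":"Process Start","hostname":"web02"}',
    "{not json",
    '{"message":"no datetime","timestamp_desc":"Process Start"}',
  ].join("\n") + "\n";

function buildMerged(): { jsonl: string; kept: number; dropped: number } {
  const own = toJsonl(processesToRecords(SAMPLE_PROCS, "web01"));
  return mergeJsonl([own, OTHER_CHUNK]);
}

const merged = buildMerged();
console.log(`kept ${merged.kept} records, dropped ${merged.dropped} bad lines`);
console.log(merged.jsonl);
```

Write the merged string to disk with whatever file API your runtime provides and upload that single file through the Timesketch WebUI. Validating before upload means a bad line from one chunk is reported locally rather than surfacing as a failed import after a large upload, and no Timesketch credentials ever leave the analyst's workstation.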