Bart Inglot (binglot) @Google, ex-@mandiant/@FireEye
Sydney, Australia
http://PassionateAboutIS.blogspot.com
⛑ Digital Forensics at Google

google/timesketch 1823

Collaborative forensic timeline analysis

google/cloud-forensics-utils 194

Python library to carry out DFIR analysis on the Cloud

binglot/misc 12

Various scripts

binglot/Bin2Reg 3

A tool for storing binary files in the Windows registry.

binglot/MsAccessRestrictor 3

The application aims at raising productivity at work for those working with Microsoft Access by limiting what the user can do with the application and operating system (e.g. preventing switching between windows, spawning new processes and using short-cuts, among others).

binglot/Cryptoscan 2

It is an updated version of a module created by Jesse Kornblum for the Volatility framework which scans a memory image for TrueCrypt passphrases. The method is described in Brian Kaplan's thesis “RAM is Key, Extracting Disk Encryption Keys From Volatile Memory”, pages 22-23. More on that can be found on the author's blog.
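To illustrate the kind of scan a module like Cryptoscan performs, here is an added example that is not the module's, Kornblum's or Kaplan's code: it walks a constructed memory buffer looking for a length-prefixed, zero-padded passphrase record. The record layout is an assumption modelled on TrueCrypt's public Password struct (a 32-bit length, a 65-byte text field and 3 bytes of padding); the buffer contents, passphrases and offsets are all constructed for the example.

```python
import re
import struct

# Assumed record layout (modelled on TrueCrypt's Password struct; an assumption for
# this example, not Cryptoscan's own code):
#   uint32 Length; unsigned char Text[MAX_PASSWORD + 1]; char Pad[3];
MAX_PASSWORD = 64
TEXT_FIELD_LEN = MAX_PASSWORD + 1
STRUCT_LEN = 4 + TEXT_FIELD_LEN + 3   # 72 bytes


def scan_for_passphrases(image: bytes, min_len: int = 1):
    """Return [(offset, passphrase)] for every plausible passphrase record in image."""
    hits = []
    # A candidate starts with a little-endian 32-bit length in [1, MAX_PASSWORD].
    for m in re.finditer(rb'[\x01-\x40]\x00\x00\x00', image):
        off = m.start()
        if off + STRUCT_LEN > len(image):
            break
        (length,) = struct.unpack_from('<I', image, off)
        if length < min_len:
            continue
        text = image[off + 4: off + 4 + TEXT_FIELD_LEN]
        candidate, tail = text[:length], text[length:]
        # The stored text must be printable ASCII and the rest of the field zeroed;
        # this rejects most random length-looking bytes that happen to precede zeros.
        if all(0x20 <= b < 0x7f for b in candidate) and tail == b'\x00' * len(tail):
            hits.append((off, candidate.decode('ascii')))
    return hits


def build_password_struct(passphrase: bytes) -> bytes:
    """Serialise a passphrase in the assumed record layout (used to build test data)."""
    text = passphrase.ljust(TEXT_FIELD_LEN, b'\x00')
    return struct.pack('<I', len(passphrase)) + text + b'\x00' * 3


# Constructed "memory image": two valid records, one record with a non-printable
# byte in its text (must be rejected), and surrounding noise.
SAMPLE_IMAGE = (
    b'\x00' * 100
    + b'random heap noise \xde\xad\xbe\xef'
    + build_password_struct(b'correct horse battery staple')   # offset 122
    + b'\x00' * 37
    + struct.pack('<I', 5) + b'ab\x01cd' + b'\x00' * 63        # offset 231, rejected
    + build_password_struct(b'Tr0ub4dor&3')                    # offset 303
    + b'\xff' * 20
)

if __name__ == '__main__':
    for offset, passphrase in scan_for_passphrases(SAMPLE_IMAGE):
        print(f'0x{offset:08x}: {passphrase!r}')
```

On a real image the zero-padding and printable-text checks are what keep the hit list short; a lone byte in 1..64 followed by three zeros occurs constantly (the trailing '3' of the second passphrase above triggers one such candidate, which the checks discard).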

binglot/artifacts 0

Digital Forensics Artifact Repository

binglot/ccl-asl 0

Python Module for parsing Apple ASL Logs

PullRequestReviewEvent

Pull request review comment google/timesketch

Mention two blog posts as reading recommendation

 Timesketch is built on multiple sketches, where one sketch is usually one case. Every sketch can consist of multiple timelines with multiple views. +We highly recommend to read two blog post to understand limitations of time and timeline analysis:++- [Lets talk abot time](https://osdfir.blogspot.com/2021/06/lets-talk-about-time.html)
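Review bot: the added sentence "We highly recommend to read two blog post" should read "We highly recommend reading two blog posts", and the first link text "Lets talk abot time" has a typo ("abot"); the second link is not visible in this hunk, so check it for the same.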

There's a spelling "abot". Otherwise LGTM! :)

jaegeral

comment created time in 4 days

PullRequestReviewEvent

Pull request review comment google/timesketch

Mention Common Windows EventLog question in Docu

 Here are some common searches: | ---------------------------- | ---------------------------------------------------------------- | | EventId 4624 and LogonType 5 | event_identifier:4624 AND "LogonType\">5</Data>"                 | | Windows File path            | "C:\\Users\\foobar\\Download\\folder\ whitespace\\filename.jpeg" |++## Common questions++There is a frequent question around Windows Event logs and how they are represented in Timesketch when imported from Plaso. For that we recommend reading up on [Common misconception aboud Windows EventLogs](https://osdfir.blogspot.com/2021/10/common-misconceptions-about-windows.html)
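Review bot: the link text "Common misconception aboud Windows EventLogs" has a typo ("aboud") and the target URL's slug uses the plural "misconceptions", so the text should match it; also, the table row `event_identifier:4624 AND "LogonType\">5</Data>"` relies on a phrase match against the raw event XML, which the table should say explicitly so readers know the query stops matching if the XML field is reformatted.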

There's a spelling "aboud". Otherwise LGTM, thanks for sending this over ;)

jaegeral

comment created time in 4 days
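The search in that documentation change finds LogonType 5 logons by phrase-matching the raw event XML. As an added example, not Timesketch's or Plaso's own code, the block below parses the XML into named fields instead, and contrasts that with a bare substring match. The record shape (a dict with `event_identifier`, `timestamp` and `xml_string`) is an assumption about how Plaso-exported Windows events look; the events themselves are constructed.

```python
import xml.etree.ElementTree as ET

# Windows event XML carries this default namespace, so ElementTree tags are "{ns}Data".
WINEVT_NS = '{http://schemas.microsoft.com/win/2004/08/events/event}'


def parse_event_data(xml_string: str) -> dict:
    """Return {Name: value} for every <Data Name="..."> element in the event XML."""
    root = ET.fromstring(xml_string)
    data = {}
    for elem in root.iter(WINEVT_NS + 'Data'):
        name = elem.get('Name')
        if name is not None:
            data[name] = (elem.text or '').strip()   # values often carry padding spaces
    return data


def find_logons(events, event_id=4624, logon_type='5'):
    """Return (timestamp, TargetUserName, LogonProcessName) for events whose
    EventID and parsed LogonType match."""
    matches = []
    for ev in events:
        if ev.get('event_identifier') != event_id:
            continue
        data = parse_event_data(ev['xml_string'])
        if data.get('LogonType') == logon_type:
            matches.append((ev['timestamp'], data.get('TargetUserName'),
                            data.get('LogonProcessName')))
    return matches


def substring_hits(events, needle):
    """The naive approach: any event whose raw XML contains the needle."""
    return [ev['timestamp'] for ev in events if needle in ev['xml_string']]


def _event_xml(event_id, data):
    """Build a minimal Windows event XML string (constructed test data)."""
    fields = ''.join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed records in the assumed Plaso-export shape: a service logon (4624/5),
# an RDP logon (4624/10) and a logoff (4634) that also carries LogonType 5.
SAMPLE_EVENTS = [
    {'timestamp': '2018-05-16T19:33:48', 'event_identifier': 4624,
     'xml_string': _event_xml(4624, {'TargetUserName': 'SYSTEM', 'LogonType': '5',
                                     'LogonProcessName': 'Advapi  '})},
    {'timestamp': '2018-05-16T19:35:02', 'event_identifier': 4624,
     'xml_string': _event_xml(4624, {'TargetUserName': 'jdoe', 'LogonType': '10',
                                     'LogonProcessName': 'User32 '})},
    {'timestamp': '2018-05-16T19:40:11', 'event_identifier': 4634,
     'xml_string': _event_xml(4634, {'TargetUserName': 'SYSTEM', 'LogonType': '5'})},
]

if __name__ == '__main__':
    print('service logons:', find_logons(SAMPLE_EVENTS))
    print('raw substring hits:', substring_hits(SAMPLE_EVENTS, 'LogonType">5</Data>'))
```

The substring needle alone also hits the 4634 logoff, which is why the documented query pairs it with `event_identifier:4624`; parsing the XML gives the same result without depending on the exact byte layout of the stored string.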

PullRequestReviewEvent

push event binglot/timesketch

Johan Berggren

commit sha 235dcfc1ee31f2d764eae331b716d5a672d1285e

Migrate to OpenSearch for dev environment (#2083) * Migrate to OpenSearch for dev environment * Update to NodeJS 12.x

garanews

commit sha c7877889de16133fba5d53d31184b6743ae71b8e

fix Timeksketch typo (#2080) Co-authored-by: Alexander J <741037+jaegeral@users.noreply.github.com>

Johan Berggren

commit sha d0865fa67feb02b4992347302f1d7aea4a1a7e5f

Switch to OpenSearch for e2e tests (#2085) * Switch to OpenSearch for e2e tests * Use nodejs 12.x for eslint tests * fix * fix * fix * fix

Johan Berggren

commit sha 232dee4d47871158392fd7770f0937536d6ac7a9

Change search backend to OpenSearch (#2086)

Johan Berggren

commit sha 1cb6b695bbe265594bc8eb15e29b0a3ea5c94bbf

Update install.md

Johan Berggren

commit sha b74fa03ed6f285230a7524188997126597599931

Update scaling-and-limits.md

Johan Berggren

commit sha 2e4d7040d549e991240251f95050a5080b602e19

bugfix (#2089)

Johan Berggren

commit sha 430912b791bad2ca35e21c66fdf9a6b931817aef

Migrate to OpenSearch python client (#2091)
* Switch to opensearchpy python client
* Refactor
* e2e tests
* refactor
* replace dep
* lint
* new style super
* lint
* correct datastore
* lint
* gh actions refactor
* gh actions refactor
* gh actions refactor
* gh actions refactor
* gh actions refactor
* gh actions refactor
* gh actions refactor
* gh ppa
* gh ppa
* fix docker
* fix docker
* refactor
* fix gh action
* update docs
* update docs
* update dep ini for PPA packages
* update
* update

Thomas Chopitea

commit sha a2741c7be3d2f508106f4fb474e0cadcebbfffda

Better intelligence view (#2045)
* Get rid of the intelligence vs. local
* Use state to retrieve attribute data
* Fix some linter stuff
* Add support for tags in new IOC menu
* Minor cosmetic changes
* Add edit modal
* Rename some things
* Save IOC and dismiss modal
* Cleaner error handling in RestApiClient
* Confirm IOC deletion
* Neater layout + Tag section
* Add clipboard feature
* Add tag and label info features
* Remove unnecessary logging
* Search for tags, not labels
* Do tags instead of labels
* Add external references column
* Soothe eslint
* Adjust trash color
* Move from boxes to cards
* Change layout and titles
* Use ipv4 instead of ip
* Documentation update
* Fix tests
* Update timesketch/frontend/src/views/Intelligence.vue
Co-authored-by: Alexander J <741037+jaegeral@users.noreply.github.com>
Co-authored-by: Johan Berggren <jberggren@gmail.com>

Yunsong Liu

commit sha 1ce6b60e125d104e6644947c6f1dbe1b82ac76b6

Introduce delete user to tsctl.py (#2069)
* adding disable and enable user methods
* register methods with flask
* documentation for remove user
* documentation for remove user
* documentation for remove user
* documentation for remove user
* documentation for remove user
* documentation for remove user
Co-authored-by: Johan Berggren <jberggren@gmail.com>

binglot

commit sha 421535210cfdd145a528058ecefbb5bcb712d5f7

Merge remote-tracking branch 'upstream/master'

push time in 13 days

delete branch binglot/timesketch

delete branch : issue_2060-isActive_error

delete time in a month

delete branch binglot/timesketch

delete branch : issue_2056-expose_analyzer_logs

delete time in a month

delete branch binglot/timesketch

delete branch : issue_1978-fix_limited_list_of_data_types

delete time in a month

push eventbinglot/timesketch

Thomas Chopitea

commit sha 46c53289f699dbe7b3ec03628cf8970dc7f571a8

Typo (#2070)

binglot

commit sha c761e1a6a2287d46c22317a4f850f54dd39caa11

Merge remote-tracking branch 'upstream/master'

push time in a month

issue comment google/timesketch

UI: Unexpected error about setting 'isActive'

I discussed this with Johan, since the framework for UI components might change (and therefore this work would be a waste of time) I'll pause working on this for now.

binglot

comment created time in a month

push event binglot/timesketch

Bart Inglot

commit sha 7cbaade334a290a7b22bc175437cb1df605029c8

Issue 1978: Fix limited list of Data Types (#2055)
* Fix #1214 in UI: Display Data Sources per Timeline & Make them Clickable
  - for each of the timelines it lists all data sources that it includes
  - each of these data sources is clickable
  - have a tick-box next to each of the data sources so that multiple of them can be selected
* Added expand/collapse to the Data Source text.
* Addressed comments from @berggren
* Resolving merge conflict
* 1) Fixed the fact that the disabled button 'Show data types' was still clickable. 2) Changed the collapse implementation to use Buefy.
* Allow the users to update the time filters that they've created by clicking on them. Also added some UX improvements, such as closing the dropdown when the filter is added/updated, or auto-populating the end time input based on the start time.
* Updated the comment about the focus change so it's more intuitive.
* Addressed comments from the PR regarding the use of 'refs' instead of traversing the DOM.
* Allow users to toggle time filters.
* Removed unnecessary comment.
* Merge with the upstream
* Fixing the merge issues
* Improve the UX of Time Filters
* Sync with the upstream.
* Fixed a bug - if the minus or plus boxes contained '0' then the Create button would be disabled.
* Addressed the comments from the Pull Request
* Aligned the colours of the 'radio' to blue (from purple).
* Update from upstream
* Added labels to the common buttons for each of the timeline entries (i.e. star, search, label) and shifted the 'Include/Exclude' buttons for each of the entry rows as some users complained they completely missed them when they were on the right hand side.
* Early draft of implementing the vertical dots button in Timeline Chip
* Almost there, it all works except that the list of timelines doesn't get re-populated as it should after a timeline is renamed.
* Fixed the bug that the timeline chips were out of sync after the rename operation.
* Got the color changing feature working.
* Refactored and fixed all the bugs I discovered.
* The commit hides the Timelines tab. It will need some more work to decouple it from the Overview tab so the Timeline components and the view can be deleted completely.
* Addressed review comments from @tomchop and @jaegeral.
* Trying to merge with upstream
* The initial commit - the starring/unstarring behavior works but the view doesn't refresh. Need to find out how to force it and the job is done.
* Weird issues, these files aren't supposed to be here at all.
* The stars update in the UI the way they should be the state reading function is still buggy.
* Finally fixed the issue of UI not syncing up.
* Bug fix for the Search bar's dropdown. Reset the default aggregation limit from 10 to 1k for the Data Types and Tags.
Co-authored-by: Kristinn <kristinn@log2timeline.net>
Co-authored-by: Johan Berggren <jberggren@gmail.com>

Alexander J

commit sha 7179a44b670187240c57873745fdcefe6ccf445f

Update import-from-json-csv.md (#2063)

Romain Gayon

commit sha 9e692dc42cf2f66d8bd1050bff531105f7118642

1024 (#2066)

Bart Inglot

commit sha c9e72034d0d52d981105f52032493d4f7533bf03

Expose Analyzer Logs in the Analyzers tab (#2057)
* Fix #1214 in UI: Display Data Sources per Timeline & Make them Clickable
  - for each of the timelines it lists all data sources that it includes
  - each of these data sources is clickable
  - have a tick-box next to each of the data sources so that multiple of them can be selected
* Added expand/collapse to the Data Source text.
* Addressed comments from @berggren
* Resolving merge conflict
* 1) Fixed the fact that the disabled button 'Show data types' was still clickable. 2) Changed the collapse implementation to use Buefy.
* Allow the users to update the time filters that they've created by clicking on them. Also added some UX improvements, such as closing the dropdown when the filter is added/updated, or auto-populating the end time input based on the start time.
* Updated the comment about the focus change so it's more intuitive.
* Addressed comments from the PR regarding the use of 'refs' instead of traversing the DOM.
* Allow users to toggle time filters.
* Removed unnecessary comment.
* Merge with the upstream
* Fixing the merge issues
* Improve the UX of Time Filters
* Sync with the upstream.
* Fixed a bug - if the minus or plus boxes contained '0' then the Create button would be disabled.
* Addressed the comments from the Pull Request
* Aligned the colours of the 'radio' to blue (from purple).
* Update from upstream
* Added labels to the common buttons for each of the timeline entries (i.e. star, search, label) and shifted the 'Include/Exclude' buttons for each of the entry rows as some users complained they completely missed them when they were on the right hand side.
* Early draft of implementing the vertical dots button in Timeline Chip
* Almost there, it all works except that the list of timelines doesn't get re-populated as it should after a timeline is renamed.
* Fixed the bug that the timeline chips were out of sync after the rename operation.
* Got the color changing feature working.
* Refactored and fixed all the bugs I discovered.
* The commit hides the Timelines tab. It will need some more work to decouple it from the Overview tab so the Timeline components and the view can be deleted completely.
* Addressed review comments from @tomchop and @jaegeral.
* Trying to merge with upstream
* Weird issues, these files aren't supposed to be here at all.
* Introduced the Analyzer Logs table in the Analyzers tab.
Co-authored-by: Kristinn <kristinn@log2timeline.net>
Co-authored-by: Johan Berggren <jberggren@gmail.com>

Alexander J

commit sha 182b62d11281a06434ead38f35df7e92f3ff738e

Add incompatible Sigma rules to the blocklist (#2038)
* first attempt
* improve testing and error handling
* lint
* unit tests for blocklist file
* lint
* Update docs/guides/user/sigma.md
Co-authored-by: Johan Berggren <jberggren@gmail.com>
* Update timesketch/lib/sigma_util.py
Co-authored-by: Johan Berggren <jberggren@gmail.com>
* remove block_because_csv
* Update docs/guides/user/sigma.md
Co-authored-by: Johan Berggren <jberggren@gmail.com>

Alexander J

commit sha cccb5466915d6629ad70d8d19ef5942a6eedff63

Add search examples to the documentation (#2067) * Add search examples to the documentation * Update search-query-guide.md

binglot

commit sha dc8e784175117011f943e095af64e3eb2c2f1de1

Merge remote-tracking branch 'upstream/master'

push time in a month

issue comment google/timesketch

UI: Unexpected error about setting 'isActive'

This commit seems to be at fault: https://github.com/google/timesketch/commit/69a28ffa3d1956045d75d4ed3ef122d949cbaa32

image

binglot

comment created time in a month

issue comment google/timesketch

UI: Unexpected error about setting 'isActive'

I think I found the culprit:

~/timesketch/timesketch/frontend/src$ grep -F 'isActive' -r .
./views/Explore.vue:      this.$refs['NewTimeFilter'].isActive = false
./views/StoryContent.vue:                @mouseover="obj.isActive = true"
./views/StoryContent.vue:                @mouseleave="obj.isActive = false"
./views/StoryContent.vue:                v-bind:class="{ activeBlock: obj.isActive }"
./views/StoryContent.vue:                <span v-if="obj.isActive" style="float:right;">
./views/StoryContent.vue:                @mouseover="obj.isActive = true"
./views/StoryContent.vue:                @mouseleave="obj.isActive = false"
./views/StoryContent.vue:                <div v-if="index === blocks.length - 1 || obj.showPanel || obj.isActive" class="field is-grouped">
./views/StoryContent.vue:    isActive: false,
./views/StoryContent.vue:        block.isActive = false
~/timesketch/timesketch/frontend/src$ grep -F 'NewTimeFilter' -r .
./views/Explore.vue:      this.$refs['NewTimeFilter'].isActive = false
~/timesketch/timesketch/frontend/src$

binglot

comment created time in 2 months

create branch binglot/timesketch

branch : issue_2060-isActive_error

created branch time in 2 months

issue opened google/timesketch

UI: Unexpected error about setting 'isActive'

Describe the bug
After adding a time filter, the Console in Dev Tools shows the following 2 errors:

vue.runtime.esm.js?2b0e:619 [Vue warn]: Error in v-on handler: "TypeError: Cannot set properties of undefined (setting 'isActive')"

found in

---> <TsExploreFilterTime> at src/components/Explore/TimeFilter.vue
       <BDropdownItem>
         <BDropdown>
           <TsDropdown> at src/components/Common/Dropdown.vue
             <Explore> at src/views/Explore.vue
               <Sketch> at src/views/Sketch.vue
                 <App> at src/App.vue
                   <Root>
TypeError: Cannot set properties of undefined (setting 'isActive')
    at VueComponent.hideDropdown (Explore.vue?7c15:648)
    at invokeWithErrorHandling (vue.runtime.esm.js?2b0e:1863)
    at VueComponent.invoker (vue.runtime.esm.js?2b0e:2188)
    at invokeWithErrorHandling (vue.runtime.esm.js?2b0e:1863)
    at VueComponent.Vue.$emit (vue.runtime.esm.js?2b0e:3903)
    at VueComponent.submit (TimeFilter.vue?65a1:343)
    at invokeWithErrorHandling (vue.runtime.esm.js?2b0e:1863)
    at HTMLButtonElement.invoker (vue.runtime.esm.js?2b0e:2188)
    at HTMLButtonElement.original._wrapper (vue.runtime.esm.js?2b0e:6961)

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Explore' tab (the Search bar is empty)
  2. Add a time filter (e.g. "2018-05-16T19:33:48" and +/- 5min)
  3. See error

created time in 2 months

pull request comment google/timesketch

Issue 2056: Expose Analyzer Logs in the Analyzers tab

The implementation is not ideal because it loops over all the timelines and issues the API call for each of them, one after another. Ideally, there should be 1 API that accounts for all timelines, but that required more code changes so I left it.

binglot

comment created time in 2 months

pull request comment google/timesketch

Issue 2056: Expose Analyzer Logs in the Analyzers tab

With log entries:

image

Without log entries:

image

binglot

comment created time in 2 months

PR opened google/timesketch

Issue 2056: Expose Analyzer Logs in the Analyzers tab
Labels: Feature request, UI/UX, Small effort

closes #2056

+38 -12

0 comment

4 changed files

pr created time in 2 months

push event binglot/timesketch

binglot

commit sha d91e96ccbdeaa5d87d312909ba28bc50c1c980e5

Introduced the Analyzer Logs table in the Analyzers tab.

push time in 2 months

create branch binglot/timesketch

branch : issue_2056-expose_analyzer_logs

created branch time in 2 months

issue opened google/timesketch

UI: Expose the Analyzer Logs in the Analyzers tab

Is your feature request related to a problem? Please describe.
At the moment, the only way to get to the analyzer logs is through the Explore view, by clicking on the 3-dots menu for a timeline. It's therefore easy for a user to not realise that this feature exists.

Describe the solution you'd like
Introduce the Analyzer Logs table at the top of the Analyzers tab.

created time in 2 months

push event binglot/timesketch

binglot

commit sha 3e8c3bdd5a512ef2920a38ca930569fb331cf38e

Bug fix for the Search bar's dropdown. Reset the default aggregation limit from 10 to 1k for the Data Types and Tags.

push time in 2 months
