Thomas Chopitea tomchop Zürich, Switzerland http://tomchop.me

google/timesketch 1823

Collaborative forensic timeline analysis

google/keytransparency 1562

A transparent and secure way to look up public keys.

certsocietegenerale/FIR 1370

Fast Incident Response

tomchop/malcom 1019

Malcom - Malware Communications Analyzer

google/turbinia 519

Automation and Scaling of Digital Forensics Tools

google/docker-explorer 379

A tool to help forensicate offline docker acquisitions

google/cloud-forensics-utils 194

Python library to carry out DFIR analysis on the Cloud

log2timeline/dftimewolf 176

A framework for orchestrating forensic collection, processing and data export

certsocietegenerale/event2timeline 129

Simple Microsoft Windows sessions event logs visualization

google/GiftStick 114

1-Click push forensics evidence to the cloud

push event yeti-platform/yeti-feeds-frontend

Thomas Chopitea

commit sha 673d3819488fabef99be7b07e79bd9e8b1eaf4f8

Better time formatting


push time in a day

push event yeti-platform/yeti-feeds-frontend

Thomas Chopitea

commit sha 106978f0bc2962b0ced32247a4d8cc4c5dda2236

Update colors


Thomas Chopitea

commit sha 17d7f47b51dafa97c962259e37e9bf8ea6303fd1

Better time formatting


push time in a day

issue opened yeti-platform/yeti-feeds-frontend

Investigation view

created time in 2 days

push event log2timeline/dftimewolf

Theo

commit sha 18b4d0760d6a6ca378ac06c2242d04a0d8caf072

Update metawolf's doc (#497) * Update metawolf's doc Signed-off-by: Theo Giovanna <gtheo@google.com> * Fix transcripts Signed-off-by: Theo Giovanna <gtheo@google.com> * pylint Signed-off-by: Theo Giovanna <gtheo@google.com>


push time in 3 days

PR merged log2timeline/dftimewolf

Update metawolf's doc

Signed-off-by: Theo Giovanna gtheo@google.com

+203 -202

0 comment

13 changed files

giovannt0

pr closed time in 3 days


push event log2timeline/dftimewolf

Ramo

commit sha 25aaa6e07ffc5187f3fa8f7eea5808bf67ab9595

Consolidate TimesketchExporter and TimesketchExporterThreaded (#494) * Consolidate TimesketchExporter and TimesketchExporterThreaded * Linter appeasement * PR suggestions * PR suggestions


push time in 3 days

PR merged log2timeline/dftimewolf

Consolidate TimesketchExporter and TimesketchExporterThreaded

Final step of the upgrade of the TimesketchExporter module.

The diff doesn't show this very well, but it's basically $ git mv -f timesketch_tam.py timesketch.py

+106 -468

1 comment

9 changed files

ramo-j

pr closed time in 3 days


push event tomchop/timesketch

Thomas Chopitea

commit sha e9520ebd9074a12b7f52f577f9b1c898d2369eb6

Fix linter and add extra test


push time in 3 days

push event tomchop/timesketch

Thomas Chopitea

commit sha 3359c04f3ee222167ff3bdf824938feb99763c47

Add some tests


Thomas Chopitea

commit sha 9b0e29adb2051b099a6093a3f3f68c6d3c79f840

Move documentation to dedicated markdown file.


push time in 3 days

push event tomchop/timesketch

Jonathan Greig

commit sha 43ec555d1331e277dce7154103451cb63bfe6984

Sketch attributes deleted via the API cannot be re-added by an analyzer (#2101) Fixes #2051


Jonathan Greig

commit sha 520118d3b87a06726597fd39409a39aafe57293f

GCP Logging Analyzer (#2079) * Init new analyzer outline * Remove old run logic * Add functionality to analyzer * Fix up comment * Add tags for compute service account * Add tags on compute metadata changes * Fix linter errors * Removed workarounds for issues/2051 * Remove Python 2 compatibility import * Added tags for more method names * Add TODOs for not adding duplicate attributes * Update timesketch/lib/analyzers/gcp_logging.py * Update timesketch/lib/analyzers/gcp_logging.py Co-authored-by: Johan Berggren <jberggren@gmail.com>


Thomas Chopitea

commit sha 5d4d8d1b42944f9cb41a40eb642a9d0b2339a9a6

Add intelligence to the navbar (#2106) Co-authored-by: Johan Berggren <jberggren@gmail.com>


Ramo

commit sha 65534251e37187fd85f05700da63064fa9ef499d

Added permissions change to opensearch data directory (#2110) * Added permissions change to opensearch data directory * Update contrib/deploy_timesketch.sh Co-authored-by: Johan Berggren <jberggren@gmail.com>


Thomas Chopitea

commit sha bc71be6d1dc4b19aef2e282fa5b2f77c0651a91d

Merge branch 'master' into tag-analyzer


push time in 3 days

PR opened google/timesketch

Dynamic tags in tagger analyzer

This pull request adds the ability for the tagger analyzer to add tags to events derived from data in the event attributes.

Which event attribute to tag the event with is specified by prefixing a tag with $. $yara_match will tag the selected event with the value of the yara_match attribute of the event.

Additionally, simple transforms to extracted values can be applied using the modifiers attribute in tags.yaml. In this PR, we introduce a very simple modifier that splits the event attribute string on space (' ').

yara_match_tagger:
  query_string: '_exists_:yara_match AND NOT yara_match.keyword:"-"'
  tags: ['yara', '$yara_match']
  modifiers: ['split']
  save_search: true
  search_name: 'Yara rule matches'

This tagger config will split the value of yara_match on spaces, and tag the event with the resulting values. If the value of yara_match is rule1 rule2 (as plaso outputs it), then tags yara (static), rule1 and rule2 will be applied.

+80 -5

0 comment

3 changed files

pr created time in 3 days
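As an added illustration of the tags.yaml semantics described in the pull request above (this is not Timesketch's tagger code): a resolver that keeps static tags, expands `$attribute` tags from the event, and applies the `split` modifier. The function name, the `MODIFIERS` table and the handling of the `-` placeholder are assumptions for this example.

```python
"""Resolve static and dynamic ($attribute) tags for one event.

Added example, not Timesketch's own analyzer: it mirrors the tags.yaml
semantics from the PR description (a '$' prefix selects an event attribute,
the 'split' modifier splits the attribute string on spaces). The function
name, MODIFIERS table and '-' handling are assumptions made here.
"""
from typing import Any, Dict, List

# Constructed tagger config, same shape as the PR's yara_match_tagger entry.
YARA_MATCH_TAGGER = {
    "query_string": '_exists_:yara_match AND NOT yara_match.keyword:"-"',
    "tags": ["yara", "$yara_match"],
    "modifiers": ["split"],
}

MODIFIERS = {
    # 'split': turn 'rule1 rule2' into ['rule1', 'rule2'], dropping empties.
    "split": lambda value: [part for part in value.split(" ") if part],
}


def resolve_tags(event: Dict[str, Any], tagger: Dict[str, Any]) -> List[str]:
    """Return the tags to apply to `event` under a tagger config.

    Static tags are kept verbatim. A tag starting with '$' names an event
    attribute whose value becomes the tag(s) after every configured modifier
    has run in order. A missing attribute, or the '-' value that the PR's
    query_string excludes (plaso's "no match" marker), yields no tag.
    """
    resolved: List[str] = []
    for tag in tagger.get("tags", []):
        if not tag.startswith("$"):
            resolved.append(tag)
            continue
        value = event.get(tag[1:])
        if value is None or value == "-":
            continue
        values = [str(value)]
        for name in tagger.get("modifiers", []):
            modifier = MODIFIERS.get(name)
            if modifier is None:
                raise ValueError(f"unknown modifier: {name}")
            values = [out for v in values for out in modifier(v)]
        resolved.extend(values)
    # Deduplicate while preserving order so repeated values don't double-tag.
    return list(dict.fromkeys(resolved))
```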

create branch tomchop/timesketch

branch : tag-analyzer

created branch time in 3 days

delete branch tomchop/timesketch

delete branch : docs

delete time in 4 days

PR opened google/timesketch

Add intelligence page to user guide

Add the intelligence page to the User Guide menu

+1 -0

0 comment

1 changed file

pr created time in 5 days

create branch tomchop/timesketch

branch : docs

created branch time in 5 days


push event log2timeline/dftimewolf

Daniel White

commit sha 7b6da4cd36fd4b61a748320b99ed99a4f7763eaa

Improve handling of workspace logs with unknown types and Workspace log timeline names (#434) * Changes after review * Fix import * Always downcase parameter names * Always downcase parameter names * Handle Workspace logs with unknown types, improve naming of Workspace log timelines in Timesketch * Fix typing * Changes after review * Force convert actor and value strings


push time in 5 days

issue closed log2timeline/dftimewolf

Workspace logs - timeline title

The workspace logs sets its title like this:

timeline_name = 'Workspace {0:s} logs {1:s} {2:s}"'.format(
        logs_container.application_name, logs_container.user_key,
        logs_container.filter_expression)

But logs_container.user_key seems to always be empty. It would be nice to get that information in the timeline name.

closed time in 5 days

berggren

Pull request review comment log2timeline/dftimewolf

Improve handling of workspace logs with unknown types and Workspace log timeline names

 def _AddMessageString(self, timesketch_record: Dict[str, Any]) -> None:           actor = (timesketch_record.get('actor_email') or                    timesketch_record.get('actor_profileId') or                    timesketch_record.get('actor_key'))-          message += '"{0:s}"'.format(actor)+          message += '{0:s}'.format(actor)           continue         value = timesketch_record.get(field)         if not value:           value = timesketch_record.get(field.lower())         if not value:           value = ''-        message += '"{0:s}"'.format(value)+        message += '{0:s}'.format(value)
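Review bot: dropping the surrounding quotes in the two `+` lines still leaves the `:s` format spec, and `'{0:s}'.format(x)` raises TypeError when `x` is not a `str`; in this hunk `actor` is None when none of `actor_email`, `actor_profileId` and `actor_key` is present, and `value` is whatever type the record holds before the `''` fallback applies. Using `'{0!s}'.format(actor)` (or `str(actor)`) in both `+` lines formats any type safely, which matches the thread's suggestion.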

Same comment as above.

Onager

comment created time in 6 days

Pull request review comment log2timeline/dftimewolf

Improve handling of workspace logs with unknown types and Workspace log timeline names

 def _AddMessageString(self, timesketch_record: Dict[str, Any]) -> None:           actor = (timesketch_record.get('actor_email') or                    timesketch_record.get('actor_profileId') or                    timesketch_record.get('actor_key'))-          message += '"{0:s}"'.format(actor)+          message += '{0:s}'.format(actor)

Then we want something like str(actor) or '{0!s}.format(actor)', no?

Onager

comment created time in 6 days


delete branch tomchop/timesketch

delete branch : betterintel

delete time in 7 days

push event tomchop/timesketch

Johan Berggren

commit sha 430912b791bad2ca35e21c66fdf9a6b931817aef

Migrate to OpenSearch python client (#2091) * Switch to opensearchpy python client * Refactor * e2e tests * refactor * replace dep * lint * new style super * lint * correct datastore * lint * gh actions refactor * gh actions refactor * gh actions refactor * gh actions refactor * gh actions refactor * gh actions refactor * gh actions refactor * gh ppa * gh ppa * fix docker * fix docker * refactor * fix gh action * update docs * update docs * update dep ini for PPA packages * update * update


Thomas Chopitea

commit sha a2741c7be3d2f508106f4fb474e0cadcebbfffda

Better intelligence view (#2045) * Get rid of the intelligence vs. local * Use state to retrieve attribute data * Fix some linter stuff * Add support for tags in new IOC menu * Minor cosmetic changes * Add edit modal * Rename some things * Save IOC and dismiss modal * Cleaner error handling in RestApiClient * Confirm IOC deletion * Neater layout + Tag section * Add clipboard feature * Add tag and label info features * Remove unnecessary logging * Search for tags, not labels * Do tags instead of labels * Add external references column * Soothe eslint * Adjust trash color * Move from boxes to cards * Change layout and titles * Use ipv4 instead of ip * Documentation update * Fix tests * Update timesketch/frontend/src/views/Intelligence.vue Co-authored-by: Alexander J <741037+jaegeral@users.noreply.github.com> Co-authored-by: Johan Berggren <jberggren@gmail.com>


Yunsong Liu

commit sha 1ce6b60e125d104e6644947c6f1dbe1b82ac76b6

Introduce delete user to tsctl.py (#2069) * adding disable and enable user methods * register methods with flask * documentation for remove user * documentation for remove user * documentation for remove user * documentation for remove user * documentation for remove user * documentation for remove user Co-authored-by: Johan Berggren <jberggren@gmail.com>


Alexander J

commit sha 9ae29b88468e13600f6b7a7530d2f57182ba1c51

2033 sigma date unittest (#2100) * add unit test for data format * add it to the documents * lint * more tests


Martin Eigenbrodt

commit sha ad926c1c1c7ce034f2d3dc577711b1609565f748

bugfix 2097 (#2099) Co-authored-by: Alexander J <741037+jaegeral@users.noreply.github.com>


push time in 7 days

delete branch tomchop/dftimewolf

delete branch : yara

delete time in 7 days
