I’m interested in using Autopsy for Windows forensics. I’m currently playing with the plugins from https://github.com/markmckinnon/Autopsy-Plugins. One thing that bothers me is the missing integration into Autopsy’s timeline view. None of the plugins I tried does this, so I guess it’s not possible.
Is my assumption correct? If not, I would put some work into updating existing plugins to make use of the timeline. It would be nice if someone could give me a hint on how to add entries to the timeline database from an ingestion or data source plugin.
The timeline receives application events from the SleuthKit when it adds files and from the blackboard when ingest modules add artifacts. Timeline processes these events by creating timeline events for the files and artifacts. Direct interaction between the timeline and the ingest modules was not really intended when we developed the timeline. What is it that you feel is missing from the timeline?
I would like to have data from Windows Event Logs, AmCache, Jump Lists etc. integrated into the timeline and I’m trying to figure out a way to do this, if it’s possible at all.
If I understood you correctly an ingest module can add artifacts to the blackboard which then end up in the timeline. This sounds like the solution to my problem. I found a nice example that uses the blackboard. But I also found this post which states that custom artifact types aren’t possible at the moment. I’m not sure what capabilities the existing artifact types have and if my idea really requires custom artifact types. What’s your opinion?
At this point the only way to get something into the timeline that is not already predefined is to create a second Artifact of TSK_TL_EVENT that has the attributes TSK_DATETIME and TSK_DESCRIPTION. Once that is complete then call Blackboard.postArtifact() which will add the artifact to the timeline. In the near future there will be a TSK_PROG_RUN artifact in the timeline so you would be able to create the artifact with the proper attributes and call Blackboard.postArtifact() to get it into the timeline for anything dealing with program execution.
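The steps in the reply above (create a TSK_TL_EVENT artifact, attach TSK_DATETIME and TSK_DESCRIPTION, call Blackboard.postArtifact()) as a worked example against the Sleuth Kit Java API. This is an added illustration, not code from the thread or from the markmckinnon plugins; a Jython ingest module calls the same classes. The module name, the helper class, and the parsed event-log record it posts are all assumptions made for the example; the only API calls used are the ones the reply names plus the standard attribute constructors and AbstractFile.newArtifact().

```java
import java.util.ArrayList;
import java.util.Collection;

import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;

/**
 * Helper that turns one parsed record (for example a Windows Event Log entry)
 * into a TSK_TL_EVENT artifact so the timeline picks it up.
 * Class and module name are assumptions for this example.
 */
public final class TimelineEventPoster {

    // Assumed module name; it is stored as the attribute source on the blackboard.
    private static final String MODULE_NAME = "ExampleEvtxTimelineModule";

    private TimelineEventPoster() {
    }

    /**
     * Creates the "second artifact" the reply describes and posts it.
     *
     * @param sourceFile   the file the record was parsed from (e.g. the .evtx file)
     * @param epochSeconds event time as seconds since the Unix epoch (TSK_DATETIME unit)
     * @param description  text shown in the timeline for this event
     * @return the posted TSK_TL_EVENT artifact
     */
    public static BlackboardArtifact postTimelineEvent(AbstractFile sourceFile,
                                                       long epochSeconds,
                                                       String description)
            throws TskCoreException, Blackboard.BlackboardException, NoCurrentCaseException {

        Blackboard blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();

        // 1. A TSK_TL_EVENT artifact attached to the file the record came from.
        BlackboardArtifact event =
                sourceFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TL_EVENT);

        // 2. The two attributes the timeline needs: when, and what to display.
        Collection<BlackboardAttribute> attrs = new ArrayList<>();
        attrs.add(new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, MODULE_NAME, epochSeconds));
        attrs.add(new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, MODULE_NAME, description));
        event.addAttributes(attrs);

        // 3. Posting is what hands the artifact to the timeline (and to other listeners).
        blackboard.postArtifact(event, MODULE_NAME);
        return event;
    }

    /**
     * Example call from an ingest module's process() method. The record values
     * are constructed for this example, not taken from a real log.
     */
    public static void exampleUsage(AbstractFile evtxFile)
            throws TskCoreException, Blackboard.BlackboardException, NoCurrentCaseException {
        long recordTime = 1550000000L;          // constructed: 2019-02-12T19:33:20Z
        int eventId = 4624;                     // constructed sample event id
        String provider = "Microsoft-Windows-Security-Auditing"; // constructed
        String description = "EVTX " + provider + " EventID " + eventId
                + " in " + evtxFile.getName();
        postTimelineEvent(evtxFile, recordTime, description);
    }
}
```

Two points worth checking when adapting this: TSK_DATETIME holds Unix epoch seconds, so timestamps parsed from event logs (which are often in 100 ns FILETIME units or milliseconds) must be converted before the attribute is created, and a module that also records its own richer artifact for the same record should still post this separate TSK_TL_EVENT, since the reply above is explicit that the timeline only reads the predefined types.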
This sounds promising. I will try to come up with a PoC in the next weeks and report back. Thanks for your help!