Adding Timeline Events for custom ARTIFACT_TYPE

Hello together,

I am currently trying to modify some plugins to post to the timeline. One example is the windows internals plugin by Marc McKinnon (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Windows_Internals). For example you could add an event to the timeline for every execution of a .exe found in a prefetch file. The way I managed to add an event to the timeline is by creating a second artifact of type TSK_TL_EVENT and posting it separately, since it seems that only certain artifact types get automatically converted into an event (due to their capability of generating the description and determining the TimeLineEventType). How could you create an event for a custom artifact type so that you can right click the event in the normal browser, hit “Show Results in Timeline…” and see them from there. Best would be without modification of TSK or Autopsy themselves, just by using the plugin. The only way I can imagine is to change values in the database, that the artifact id for the event to point to the blackboard artifact.

Best Regards,

Dennis

For the first pass of this new design, we support only TL_EVENT and a hard coded list of artifacts. We didn’t get anything in place to support custom artifact types.

Is there an existing artifact type that you are using that can have hard coded support added for? TimelineEventType has a list of artifacts that are currently supported.

There is no particular artifact type I wish to be implemented. I planned to use custom artifact types for every plugin. The nicest way for me would be to give my custom artifacts the attribute TSK_TL_EVENT_TYPE, a timestamp and a description. Would something like this be possible? Since I am planning ahead for at least 1 year, i would implement it depending on the plan of the developers.