This repository has been archived by the owner on Oct 5, 2019. It is now read-only.
Having the analyze output filter is useful for summarizing the events from the triage collection; however, a timeline view would also be extremely beneficial.
There are plenty of timestamps being parsed ('creation_utc', 'ctime', 'last_access_utc', 'last_visit_time', 'mtime', 'scan_date', 'visit_time', 'ZDATE' ... etc.). For any blob that contains one of the predefined timestamps (could declare them in initial scripts or make them datetime objects for dynamic recognition) place the timestamps and any related details determined to be of interest on a line to create a timeline of the events within the triage JSON file. The timeline view helps see the sequence of events unfold, which works in conjunction with or can replace the output view from the analyze output filter as it currently stands.
I can provide example use cases, output renderings & how one might go about doing this if necessary.
So far OSXCollector Output Filters ChromeHistoryFilter and FirefoxHistoryFilter can build a sorted timeline for Chrome and Firefox browser history respectively.
However, there is no filter that sorts all of the records. I think the main problem here is to define for each field type an appropriate timestamp against which the records will be sorted. As some of the fields contain more than one timestamp (e.g. mtime and ctime, or visit_time and last_visit_time) we'll need to clearly distinguish which is the timestamp for sorting them.
agreed - my suggestion to tackle that is to take every timestamp for a given record (e.g. mtime, ctime etc.) and determine if there are any duplicates within the timestamps checked.
If so, the record in the timeline view can just reflect that one timestamp, but for say timestamp_type, it would contain mtime, ctime and the rest of the data you choose to display (e.g., file_path).
If the timestamps are unique, then I'd place each of them as their own row in the output and timestamp_type for each of them would be mtime, ctime etc. This may duplicate the additional details you display on each row, but, from a timeline point-of-view it provides the full sequence of events vs. just showing one of the timestamps for the record and then having to sort multiple times.
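The approach sketched in this thread (collapse fields that share a timestamp into one row, emit one row per distinct timestamp otherwise, then sort everything chronologically) as an added example; this is not OSXCollector's own code. The timestamp field names come from the discussion above; the detail field names, the ISO-8601/epoch formats and the two sample records are assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Timestamp fields named in the thread; which ones a record carries depends on its type.
TIMESTAMP_FIELDS = ('creation_utc', 'ctime', 'last_access_utc', 'last_visit_time',
                    'mtime', 'scan_date', 'visit_time', 'ZDATE')
# Details carried onto each timeline row (assumed names, not from OSXCollector).
DETAIL_FIELDS = ('osxcollector_section', 'file_path', 'url')


def _parse(value):
    """Accept ISO-8601 strings or epoch numbers; return an aware UTC datetime or None."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        try:
            dt = datetime.fromisoformat(value.replace('Z', '+00:00'))
        except ValueError:
            return None  # unparseable value: leave it out rather than mis-sort it
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def timeline_rows(record):
    """One row per distinct timestamp; fields sharing a value collapse into one row."""
    by_time = {}
    for field in TIMESTAMP_FIELDS:
        if field in record:
            ts = _parse(record[field])
            if ts is not None:
                by_time.setdefault(ts, []).append(field)
    details = {k: record[k] for k in DETAIL_FIELDS if k in record}
    return [dict(timestamp=ts, timestamp_type=','.join(fields), **details)
            for ts, fields in by_time.items()]


def build_timeline(json_lines):
    """Parse JSON-lines triage output, explode records into rows, sort chronologically."""
    rows = []
    for line in json_lines:
        if line.strip():
            rows.extend(timeline_rows(json.loads(line)))
    return sorted(rows, key=lambda r: r['timestamp'])


# Constructed sample: a download whose mtime equals its ctime, and a browser visit.
SAMPLE = [
    '{"osxcollector_section": "downloads", "file_path": "/Users/x/Downloads/a.dmg", '
    '"mtime": "2019-09-01T12:00:00Z", "ctime": "2019-09-01T12:00:00Z"}',
    '{"osxcollector_section": "chrome", "url": "http://example.test/", '
    '"visit_time": "2019-09-01T11:59:00Z", "last_visit_time": "2019-09-02T08:00:00Z"}',
]

if __name__ == '__main__':
    for row in build_timeline(SAMPLE):
        print(row['timestamp'].isoformat(), row['timestamp_type'], row)
```

Running the sample yields three rows: the visit, then the download with timestamp_type "ctime,mtime", then the later last_visit_time.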