Getting started
Installation
Ideally you'll want to install dftimewolf in its own virtual environment. We leverage pipenv for that.
$ pip install pipenv
$ git clone https://github.com/log2timeline/dftimewolf.git && cd dftimewolf
$ pipenv install -e .
Attention: If you want to leverage other modules such as log2timeline, you'll have to install them separately and make them available in your virtual environment.
Then use pipenv shell to activate your freshly created virtual environment. You can then invoke the dftimewolf command from any directory.
You can still use python setup.py install or pip install -e . if you'd rather install dftimewolf this way.
Quick how-to
dfTimewolf is typically run by specifying a recipe name and any arguments the recipe defines. For example:
$ dftimewolf local_plaso /tmp/path1,/tmp/path2 --incident_id 12345
This will launch the local_plaso recipe against path1 and path2 in /tmp. In this recipe, --incident_id is used by Timesketch as the sketch description.
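As an added example that is not part of the dftimewolf documentation, the following POSIX shell wrapper builds the comma-separated path list that local_plaso expects, refusing paths that are missing, unreadable, or that themselves contain a comma (the list separator), before invoking the recipe. It assumes dftimewolf is on PATH (for example inside pipenv shell); the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example, not part of the dftimewolf project: validate inputs before
# handing them to the local_plaso recipe. Assumes `dftimewolf` is on PATH.

# Join all arguments into the comma-separated list local_plaso takes as its
# `paths` argument. Fails if a path is unreadable or contains a comma, since
# a comma inside a path would be split into two bogus paths by the recipe.
join_plaso_paths() {
  out=""
  for p in "$@"; do
    case "$p" in
      *,*) echo "path contains a comma, cannot be passed to local_plaso: $p" >&2; return 1 ;;
    esac
    [ -r "$p" ] || { echo "path does not exist or is not readable: $p" >&2; return 1; }
    if [ -z "$out" ]; then out="$p"; else out="$out,$p"; fi
  done
  [ -n "$out" ] || { echo "no paths given" >&2; return 1; }
  printf '%s\n' "$out"
}

# Run the recipe: run_local_plaso INCIDENT_ID PATH...
# The incident id becomes the Timesketch sketch description, as the docs note.
run_local_plaso() {
  incident_id="$1"; shift
  paths="$(join_plaso_paths "$@")" || return 1
  dftimewolf local_plaso "$paths" --incident_id "$incident_id"
}
```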
Details on a recipe can be obtained using the standard Python help flags:
$ dftimewolf -h
usage: dftimewolf [-h]
{grr_huntresults_plaso_timesketch,local_plaso,...}
Available recipes:
local_plaso Processes a list of file paths using plaso and sends results to Timesketch.
positional arguments:
{grr_huntresults_plaso_timesketch,local_plaso,...}
optional arguments:
-h, --help show this help message and exit
To get more help on a recipe's specific flags, specify a recipe name before the -h flag:
$ dftimewolf local_plaso -h
usage: dftimewolf local_plaso [-h] [--incident_id INCIDENT_ID]
[--sketch_id SKETCH_ID]
paths
Analyze local file paths with plaso and send results to Timesketch.
- Collectors collect from a path in the FS
- Processes them with a local install of plaso
- Exports them to a new Timesketch sketch
positional arguments:
paths Paths to process
optional arguments:
-h, --help show this help message and exit
--incident_id INCIDENT_ID
Incident ID (used for Timesketch description)
(default: None)
--sketch_id SKETCH_ID
Sketch to which the timeline should be added (default:
None)