Timesketch - Collaborative Forensic Timeline Analysis Cheatsheet
Timesketch is an open-source tool (by Google) for collaborative forensic timeline analysis. Investigators ingest timestamped data — disk/triage artifacts parsed by Plaso, logs, CSVs — into a “sketch,” then search, filter, tag, comment, and star events on a shared timeline. It is built for DFIR teamwork: multiple analysts work the same incident, share saved searches, and run automated analyzers to surface suspicious activity. It pairs naturally with collection tools like Velociraptor.
Deployment
| Method | Command / Note |
|---|---|
| Docker Compose (recommended) | follow the official docker-compose deployment in the docs |
| Quick dev install | use the project’s deploy/docker config |
| Create a user | tsctl create-user <username> |
| Add to group | tsctl add-user-to-group ... |
| Web UI | served on the configured host/port after startup |
Timesketch is a server application (Elasticsearch/OpenSearch + PostgreSQL + web UI), not a single binary. Deploy with Docker Compose for the smoothest setup.
Ingesting Data
| Source | How |
|---|---|
| Plaso storage file | Upload a .plaso file produced by log2timeline.py |
| CSV / JSONL | Upload with the required datetime, message, timestamp_desc columns |
| CLI import | timesketch_importer -u user -p pass --host URL data.csv |
| API import | Use the Python client import_streamer |
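Added example, not code from the Timesketch project: it converts a few constructed Linux auth.log lines into the datetime / message / timestamp_desc JSONL layout the upload table above requires, and checks the required columns before the file is handed to timesketch_importer. The extra fields (hostname, source, username, ip, outcome), the "Event Logged" label and the 2026 year are assumptions for the sample, not Timesketch conventions.

```python
import json
import re
from datetime import datetime, timezone

# Columns Timesketch requires in every CSV/JSONL row before it accepts the upload
REQUIRED_COLUMNS = ("datetime", "message", "timestamp_desc")

# Constructed sample input: sshd lines in Linux auth.log format (syslog omits the year)
SAMPLE_AUTH_LOG = """\
Jun  1 03:14:07 web01 sshd[2171]: Failed password for invalid user admin from 203.0.113.9 port 52114 ssh2
Jun  1 03:14:09 web01 sshd[2171]: Failed password for invalid user admin from 203.0.113.9 port 52114 ssh2
Jun  1 03:15:30 web01 sshd[2180]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""

LOGIN_RE = re.compile(r"(Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_auth_line(line, year):
    """Map one syslog auth line to a Timesketch event dict (extra field names are assumed)."""
    month, day, clock, host, proc, msg = line.split(None, 5)
    stamp = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    event = {
        "datetime": stamp.replace(tzinfo=timezone.utc).isoformat(),  # ISO 8601 with explicit UTC
        "message": msg.strip(),
        "timestamp_desc": "Event Logged",  # what this timestamp means (assumed label)
        "hostname": host,
        "source": proc.rstrip(":"),
    }
    # Split out user and source IP so queries such as username:admin work after import
    match = LOGIN_RE.search(msg)
    if match:
        event["username"] = match.group("user")
        event["ip"] = match.group("ip")
        event["outcome"] = "failure" if match.group(1) == "Failed" else "success"
    return event

def auth_log_to_events(text, year):
    return [parse_auth_line(line, year) for line in text.splitlines() if line.strip()]

def missing_columns(events):
    """Required columns absent from any event; an empty list means the file will import."""
    missing = set()
    for event in events:
        missing.update(col for col in REQUIRED_COLUMNS if col not in event)
    return sorted(missing)

def to_jsonl(events):
    """One JSON object per line, the .jsonl layout timesketch_importer accepts."""
    return "".join(json.dumps(event) + "\n" for event in events)
```

Write the output of to_jsonl to a .jsonl file and upload it with timesketch_importer or through the UI; run missing_columns first, because a file lacking any of the three columns is rejected at import time.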
Plaso → Timesketch
```bash
# Create a super timeline from an image/triage with Plaso, then import
log2timeline.py --storage-file evidence.plaso /mnt/triage
timesketch_importer --host https://ts.example.com \
    -u analyst evidence.plaso --sketch_id 1
```
Searching the Timeline
Timesketch uses an Elasticsearch/Lucene-style query syntax.
| Query | Matches |
|---|---|
| powershell | Events containing the term |
| data_type:"windows:evtx:record" | A specific parser data type |
| message:*mimikatz* | Wildcard within the message field |
| tag:bad | Events you tagged “bad” |
| datetime:[2026-06-01 TO 2026-06-02] | A time range |
| event_identifier:4624 AND username:admin | Boolean combinations |
Working with Events
| Action | Description |
|---|---|
| Star | Mark events of interest |
| Tag | Apply labels (e.g. bad, suspicious, lateral-movement) |
| Comment | Add investigator notes to an event |
| Saved search | Store a query for reuse / sharing |
| Story | Write a narrative that embeds saved searches and findings |
Analyzers
Analyzers run automatically over a timeline to flag patterns.
| Analyzer | Surfaces |
|---|---|
| Browser search / artifacts | Web activity of interest |
| Login/Windows events | Authentication anomalies |
| Sigma | Matches Sigma detection rules against events |
| Yeti / threat intel feeds | Known-bad indicators |
| Tagger | Auto-tags events by rules |

| Task | How |
|---|---|
| Run an analyzer | Trigger from the UI or API on a timeline |
| Sigma rules | Manage rules so the Sigma analyzer can match them |
| Aggregations | Build charts (e.g. events over time, top users) |
API / Automation
```python
from timesketch_api_client import client

ts = client.TimesketchApi("https://ts.example.com", "analyst", "password")
sketch = ts.get_sketch(1)
# explore() with as_pandas=True returns a DataFrame; iterate its rows
for event in sketch.explore("tag:bad", as_pandas=True).itertuples():
    print(event.message)
```
Common Workflows
```bash
# Build a super timeline from triage output and load it into a sketch
log2timeline.py --storage-file case.plaso /evidence
timesketch_importer -u analyst case.plaso --sketch_id 5
# In the UI: search for suspicious activity, tag findings, write a Story
# message:*mimikatz* → tag "credential-access" → add to Story
```
| Aspect | Timesketch | Plaso (log2timeline) | Splunk |
|---|---|---|---|
| Role | Collaborative analysis UI | Timeline generation | SIEM/log analytics |
| Collaboration | First-class (sketches, stories) | None (CLI) | Team dashboards |
| Input | Plaso, CSV, JSONL | Filesystem/artifacts | Forwarders/indexes |
| Best for | Team DFIR timeline review | Producing the timeline | Broad enterprise logging |
Resources