ilyaglow/volatility_to_timesketch.py

## volatility_to_timesketch.py
#!/usr/bin/env python3
#
# Converter based on volatility timeliner json output
# you need to install python-dateutil to use it:
# pip3 install python-dateutil --user
#
# Volatility json output has following columns:
# [u'Start', u'Header', u'Item', u'Details']
#
# The data row:
# [u'2015-11-24 21:12:38 UTC+0000', u'[PROCESS]', u' smss.exe',
# u' PID: 328/PPID: 4/POffset: 0x1005fa900']
#
# Mandatory timesketch fields:
# message,timestamp,datetime,timestamp_desc
#
# How I map those fields:
# Item -> message, Start -> timestamp, Start -> datetime,
# Header -> timestamp_desc, Details -> details
#

import json
import sys
import csv
import time
import dateutil.parser as parser


USAGE = """
    ./volatility_to_timesketch.py INPUTFILE OUTPUTFILE

    INPUTFILE is volatility's timeliner output file (JSON type)
    OUTPUTFILE is the result CSV file ready to import to Timesketch
"""


def converter(row):
    timestamp = 0
    datetime = '1970-01-01T00:00:00Z'

    if row[0] != '-':
        date = parser.parse(row[0])
        timestamp = time.mktime(date.timetuple())*1000000
        datetime = date.isoformat()

    message = row[2]
    timestamp_desc = row[1].lstrip('[').rstrip(']')
    details = row[3]

    return [message, timestamp, datetime, timestamp_desc, details]


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(USAGE)
        exit(1)

    with open(sys.argv[1]) as f:
        vol_timeliner = json.load(f)

    with open(sys.argv[2], 'w') as o:
        ts_writer = csv.writer(o)

        ts_writer.writerow(['message',
                            'timestamp',
                            'datetime',
                            'timestamp_desc',
                            'details'])

        for row in vol_timeliner['rows']:
            ts_writer.writerow(converter(row))
	#!/usr/bin/env python3
	#
	# Converter based on volatility timeliner json output
	# you need to install python-dateutil to use it:
	# pip3 install python-dateutil --user
	#
	# Volatility json output has following columns:
	# [u'Start', u'Header', u'Item', u'Details']
	#
	# The data row:
	# [u'2015-11-24 21:12:38 UTC+0000', u'[PROCESS]', u' smss.exe',
	# u' PID: 328/PPID: 4/POffset: 0x1005fa900']
	#
	# Mandatory timesketch fields:
	# message,timestamp,datetime,timestamp_desc
	#
	# How I map those fields:
	# Item -> message, Start -> timestamp, Start -> datetime,
	# Header -> timestamp_desc, Details -> details
	#

	import json
	import sys
	import csv
	import time
	import dateutil.parser as parser


	USAGE = """
	./volatility_to_timesketch.py INPUTFILE OUTPUTFILE

	INPUTFILE is volatility's timeliner output file (JSON type)
	OUTPUTFILE is the result CSV file ready to import to Timesketch
	"""


	def converter(row):
	timestamp = 0
	datetime = '1970-01-01T00:00:00Z'

	if row[0] != '-':
	date = parser.parse(row[0])
	timestamp = time.mktime(date.timetuple())*1000000
	datetime = date.isoformat()

	message = row[2]
	timestamp_desc = row[1].lstrip('[').rstrip(']')
	details = row[3]

	return [message, timestamp, datetime, timestamp_desc, details]


	if __name__ == '__main__':
	if len(sys.argv) < 3:
	print(USAGE)
	exit(1)

	with open(sys.argv[1]) as f:
	vol_timeliner = json.load(f)

	with open(sys.argv[2], 'w') as o:
	ts_writer = csv.writer(o)

	ts_writer.writerow(['message',
	'timestamp',
	'datetime',
	'timestamp_desc',
	'details'])

	for row in vol_timeliner['rows']:
	ts_writer.writerow(converter(row))