#!/usr/bin/env python3 | |
# | |
# Converts Volatility's timeliner JSON output into a CSV file that Timesketch can import.
# It needs python-dateutil, which you can install with:
# pip3 install python-dateutil --user
# | |
# Volatility json output has following columns: | |
# [u'Start', u'Header', u'Item', u'Details'] | |
# | |
# The data row: | |
# [u'2015-11-24 21:12:38 UTC+0000', u'[PROCESS]', u' smss.exe', | |
# u' PID: 328/PPID: 4/POffset: 0x1005fa900'] | |
# | |
# Mandatory timesketch fields: | |
# message,timestamp,datetime,timestamp_desc | |
# | |
# How I map those fields: | |
# Item -> message, Start -> timestamp, Start -> datetime, | |
# Header -> timestamp_desc, Details -> details | |
# | |
import calendar
import csv
import json
import sys
import time
from datetime import datetime

import dateutil.parser as parser
# Help text printed (followed by exit status 1) when fewer than two
# positional arguments are supplied on the command line.
USAGE = """
./volatility_to_timesketch.py INPUTFILE OUTPUTFILE
INPUTFILE is volatility's timeliner output file (JSON type)
OUTPUTFILE is the result CSV file ready to import to Timesketch
"""
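def converter(row):
    """Map one Volatility timeliner row to a Timesketch CSV row.

    Args:
        row: a 4-item sequence ``[Start, Header, Item, Details]`` as written
            by Volatility's timeliner JSON renderer, e.g.
            ``['2015-11-24 21:12:38 UTC+0000', '[PROCESS]', ' smss.exe',
            ' PID: 328/PPID: 4/POffset: 0x1005fa900']``.  A ``Start`` of
            ``'-'`` means the artefact carries no timestamp.

    Returns:
        ``[message, timestamp, datetime, timestamp_desc, details]`` where
        ``timestamp`` is an ``int`` of microseconds since the Unix epoch
        (UTC) and ``datetime`` is the ISO 8601 form of ``Start``.  Rows
        without a timestamp get ``0`` / ``'1970-01-01T00:00:00Z'`` so they
        still import.

    Raises:
        ValueError: if ``row`` does not have exactly four items, or ``Start``
            is neither ``'-'`` nor a date that strptime/dateutil can parse.
            A bad row is reported rather than silently dropped or zeroed,
            which would leave an invisible hole in the timeline.
    """
    start, header, item, details = row

    timestamp = 0
    iso_datetime = '1970-01-01T00:00:00Z'
    if start != '-':
        try:
            # Exact format emitted by Volatility's timeliner.  strptime is
            # strict, so a malformed value cannot be quietly misread.
            parsed = datetime.strptime(start, '%Y-%m-%d %H:%M:%S %Z%z')
        except ValueError:
            # Anything else (other renderers, hand-edited files): fall back
            # to dateutil's permissive parser, as the original did for all rows.
            parsed = parser.parse(start)
        # Volatility timestamps are UTC.  calendar.timegm() treats the tuple
        # as UTC regardless of the host time zone, and utctimetuple()
        # converts an aware datetime to UTC (a naive one is taken as UTC).
        # time.mktime() would apply the analysis box's local offset and
        # shift every event by hours on a non-UTC machine; it also produced
        # a float, whereas Timesketch expects integer microseconds.
        timestamp = (calendar.timegm(parsed.utctimetuple()) * 1000000
                     + parsed.microsecond)
        iso_datetime = parsed.isoformat()

    # '[PROCESS]' -> 'PROCESS'
    timestamp_desc = header.lstrip('[').rstrip(']')

    # NOTE(review): item/details come from the memory image (process names,
    # paths, ...) and are therefore attacker-influenced.  csv.writer quotes
    # separators and newlines, but a cell beginning with '=', '+', '-' or '@'
    # is still evaluated as a formula if the CSV is opened in a spreadsheet
    # instead of Timesketch.  The text is deliberately left untouched so the
    # evidence is not altered; treat the CSV as data, not as a spreadsheet.
    return [item, timestamp, iso_datetime, timestamp_desc, details]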
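def main(argv):
    """Convert a Volatility timeliner JSON file to a Timesketch CSV file.

    Args:
        argv: command-line arguments; ``argv[1]`` is the input JSON path and
            ``argv[2]`` the output CSV path (overwritten if it exists).

    Returns:
        Process exit status: ``0`` on success, ``1`` on a usage or input error.
    """
    if len(argv) < 3:
        print(USAGE)
        return 1

    # Say UTF-8 explicitly instead of depending on the locale of the
    # analysis box.
    with open(argv[1], encoding='utf-8') as f:
        vol_timeliner = json.load(f)

    # Fail with a clear message rather than a KeyError/TypeError traceback
    # when the file is not a Volatility timeliner JSON document.
    rows = vol_timeliner.get('rows') if isinstance(vol_timeliner, dict) else None
    if not isinstance(rows, list):
        print('%s: no "rows" list found; is this Volatility timeliner JSON output?'
              % argv[1], file=sys.stderr)
        return 1

    # newline='' is required by the csv module (otherwise '\r\r\n' line
    # endings on Windows); utf-8 so non-ASCII strings pulled out of the
    # memory image do not raise UnicodeEncodeError under a non-UTF-8 locale.
    with open(argv[2], 'w', newline='', encoding='utf-8') as o:
        ts_writer = csv.writer(o)
        ts_writer.writerow(['message',
                            'timestamp',
                            'datetime',
                            'timestamp_desc',
                            'details'])
        for row in rows:
            ts_writer.writerow(converter(row))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))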