Supercharging Bulk DFIR triage with Node-RED, Google’s Log2timeline & Google’s Timesketch

Node-RED DFIR Triage Processing Workflow

During the COVID-19 lockdown period, I spent time creating a rule set to get the most out of Google’s Timesketch tagging feature. The tagging rules were mapped to MITRE ATT&CK where applicable. Timesketch has the ability to automatically run analyzers (e.g. the tagger, Sigma rules) after a plaso file gets indexed.

bluteam0ps Timesketch Tagging File

I wanted to expand on this further and ventured into creating an automation workflow for processing triage collections using Node-RED. This piece was inspired by work carried out by Eric Capuano and Mike Pilkington. The goal was a workflow that is robust, repeatable, and easy to manage and extend.

Current Node-RED Workflow Setup

A directory watch node checks for newly uploaded zip files; in this case it is watching the /cases/processor folder. The queue control node evaluates the processing limit: if the workflow has reached the maximum number of concurrent jobs, it places the zip file in a queue. This feature was included to prevent overloading system resources. The queue control node releases a queued zip file every time a plaso file gets successfully indexed in Timesketch. The flow then creates a unique directory based on the filename and the processing time, and the unzipped files reside in this newly created directory.

The log2timeline process is executed soon after the unzip operation, and the resulting plaso file is stored under the /cases/plaso folder. Once the plaso file is generated, the folder containing the uncompressed data gets deleted (the original zip file remains in the folder). Afterwards, the plaso file is ingested into Timesketch. My Timesketch configuration was set up to automatically run the relevant analyzers upon completion of each timeline indexing job.
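The processing steps above, as an added Python sketch that is not part of the original post or the author's Node-RED JSON: it mirrors the flow (unique work directory, unzip, log2timeline, cleanup, Timesketch import) with a semaphore standing in for the queue control node, and adds a zip-slip check before extraction since triage archives arrive from hosts you do not fully trust. The folder paths come from the post; the Timesketch host, credentials, sketch id and the injectable `run` callable are constructed placeholders so the pipeline can be exercised without plaso installed.

```python
# Added example (not the post's Node-RED flow): the same pipeline as a Python script.
import pathlib
import shutil
import subprocess
import threading
import time
import zipfile

PLASO_DIR = "/cases/plaso"           # plaso output folder named in the post
MAX_PARALLEL = 2                     # queue-control "processing limit" (assumed value)
TS_HOST = "http://timesketch.local"  # placeholder; keep real values in config, not here
TS_USER, TS_PASS, TS_SKETCH = "analyst", "<password>", "1"  # placeholders

def unique_workdir(zip_path, base_dir, now=None):
    """Work directory named from the zip's stem plus the processing time."""
    stamp = time.strftime("%Y%m%d_%H%M%S", time.gmtime(now))
    return pathlib.Path(base_dir) / f"{pathlib.Path(zip_path).stem}_{stamp}"

def safe_extract(zip_path, dest):
    """Unzip into dest, refusing any member that would land outside it (zip-slip)."""
    dest = pathlib.Path(dest).resolve()
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"zip entry escapes work dir: {name}")
        zf.extractall(dest)
    return dest

def process_zip(zip_path, run=subprocess.run, plaso_dir=PLASO_DIR, now=None):
    """One upload: unzip -> log2timeline -> drop extracted data -> import to Timesketch."""
    zip_path = pathlib.Path(zip_path)
    workdir = unique_workdir(zip_path, zip_path.parent, now)
    workdir.mkdir(parents=True)
    safe_extract(zip_path, workdir)
    plaso_file = pathlib.Path(plaso_dir) / f"{workdir.name}.plaso"
    run(["log2timeline.py", "--storage-file", str(plaso_file), str(workdir)], check=True)
    shutil.rmtree(workdir)  # uncompressed data goes; the original zip stays put
    run(["timesketch_importer", "--host", TS_HOST, "-u", TS_USER, "-p", TS_PASS,
         "--sketch_id", TS_SKETCH, "--timeline_name", workdir.name, str(plaso_file)],
        check=True)
    return plaso_file

_slots = threading.BoundedSemaphore(MAX_PARALLEL)

def handle_upload(zip_path, **kwargs):
    """Queue-control stand-in: extra uploads wait until a running job frees a slot."""
    with _slots:
        return process_zip(zip_path, **kwargs)
```

The slot is released when the importer returns, which is the closest stand-alone equivalent of the flow releasing a queued zip after a successful Timesketch index.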

PS: Please note that this flow was tested with triage zip files generated by CyLR and KAPE (non-VHD).

The Result

ACSC Cyber Challenge Data Processed via the workflow
ACSC Cyber Security Challenge Data Set Ingested & Tagged in Timesketch

P.S. You can create a sketch per investigation and ingest all related timelines into the same sketch. This way you have a single HUD with all the timelines and saved searches.

Ready to take it for a test drive?

My GitHub repo has all the information you need to get started. Scroll to “Automating DFIR Triage Processing Workflow” for information regarding the Node-RED workflow.

If you are only interested in the Node-RED workflow, then the JSON file can be downloaded from

Please do share your comments and suggestions. If you would like to contribute, please send a pull request on GitHub.

ACSC Cyber Security Challenge data set was used for testing the Node-RED workflow.

#DFIR #Triage #Node-RED #Timesketch #Log2timeline #Automation #Workflow #Process




Janantha Marasinghe’s Research
