UI: Hierarchical View

[binglot]

Details

It would be great to have alternative ways of displaying data in the Timesketch. One of them could be a hierarchical view of files on disk, with the following requirements:

1. Have 2 parts to this view: the "tree" view and the "contents" view. Both views only present file system metadata.

2. Use lazy-loading to populate the "tree" view, only displaying contents of a folder when it is expanded.

3. In the "contents" view, provide a graphical clue (i.e. use a "folder" icon) next to the folders so it's very intuitive, which files are folders and which are files.

4. Allow sorting by the columns, with the default view being -- "sort alphabetically but have the folders on the top".

Mock-up Solution

Reasoning

Presenting collected evidence in different forms:

• Help gain new insights
  • "20 days gap"
  • "a pattern" of incremental files created every ~30min at %appdata%\bus\
• Lead to focus on a subset of data
  • Please review "User Downloads" &
  • "Browser history" and provide "context"
  • Tag suspicious executions and pivot in master timeline
• Not always appropriate

Advantages of this view:

• Browse-like experience
• Quick view of common locations
  • Desktop
  • Downloads
  • Documents
• Visually spot anomalies
  • "Special" characters
    • /tmp/ /.abc/fake_ssh
  • Dot files