Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DFIQ Analyzer Implementation #3178

Merged
merged 20 commits into from
Oct 7, 2024
Merged

DFIQ Analyzer Implementation #3178

merged 20 commits into from
Oct 7, 2024

Conversation

jkppr
Copy link
Collaborator

@jkppr jkppr commented Sep 6, 2024
edited
Loading

This PR introduces a new DFIQ (Digital Forensics Investigative Questions) Analyzer framework to Timesketch, enabling the execution of analyzers based on investigative approaches defined in DFIQ objects.

What existing problem does this PR solve?

This PR addresses the need to integrate automated analysis workflows based on structured investigative methodologies like DFIQ. It provides a way to automatically trigger relevant analyzers when a user adds DFIQ approaches to a sketch.

What new feature is being introduced with this PR?

  • DFIQ Analyzer Framework: A new sub-framework for managing and executing DFIQ-aware analyzers.
  • Dynamic Analyzer Import: DFIQ analyzers are dynamically imported, providing flexibility and scalability.
  • Integration with Analyzer Framework: Seamlessly integrates with the existing Timesketch analyzer framework, including status tracking and reporting.
  • API Endpoint Triggering: Triggers analysis execution when a DFIQ approach is added to a sketch.
  • Analysis-Approach Linking: Establishes a database relationship between Analysis and InvestigativeQuestionApproach models, enabling tracking of analyses related to specific approaches.

Overview of changes to existing functions if required:

  • The Analysis model has been extended to include an optional relationship with InvestigativeQuestionApproach.
  • The tasks.py file now supports DFIQ analyzer execution.
  • A new DFIQAnalyzerManager class has been added to handle the execution of DFIQ analyzers.

TODOs:

  • Extend the analyzer framework for DFIQ
  • Trigger analyzer via DFIQ approaches
  • Trigger analyzer when new timelines are added
  • Link and fill InvestigativeQuestionConclusion by analyzer verdict.
  • Add unit tests
  • Add one basic analyzer to ship with the PR
  • Documentation updated.

This implementation provides a foundation for more advanced DFIQ-driven analysis workflows in Timesketch, allowing users to leverage structured methodologies for more efficient and guided investigations.

(The frontend part of this feature will be handled in a separate PR)

@jkppr
DFIQ Analyzer implementation
fb3c067 
* Dynamic import of analyzers
* Integration into the analyzer framework
* Trigger via DFIQ Approaches being added to a sketch
@jkppr
DFIQ Analyzer implementation
581e058 
* Linked Analysis with Approach objects
* Trigger chck for analysis from the API Endpoint
* Remove Signals (no need anymore)
* Add open TODOs
@jkppr jkppr requested a review from berggren September 6, 2024 15:55
@jkppr jkppr self-assigned this Sep 6, 2024
jkppr and others added 8 commits September 6, 2024 17:56
@jkppr jkppr marked this pull request as ready for review September 10, 2024 14:55
berggren
berggren requested changes Sep 11, 2024
View reviewed changes
Copy link
Contributor

@berggren berggren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First round. Looks good, some minor comments

timesketch/lib/analyzers/dfiq_plugins/__init__.py Outdated Show resolved Hide resolved
timesketch/api/v1/resources/analysis.py Outdated Show resolved Hide resolved
timesketch/api/v1/resources/analysis.py Show resolved Hide resolved
timesketch/lib/analyzers/dfiq_plugins/manager.py Outdated Show resolved Hide resolved
timesketch/models/sketch.py Show resolved Hide resolved
timesketch/models/sketch.py Show resolved Hide resolved
@jkppr jkppr requested a review from berggren September 11, 2024 20:26
berggren
berggren approved these changes Sep 12, 2024
View reviewed changes
Copy link
Contributor

@berggren berggren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

timesketch/api/v1/resources/analysis.py Show resolved Hide resolved
timesketch/models/sketch.py Show resolved Hide resolved
@jkppr jkppr mentioned this pull request Oct 7, 2024
Open
5 tasks
@jkppr
Copy link
Collaborator Author

jkppr commented Oct 7, 2024

Going to merge the current state and track next steps in #3198

@jkppr jkppr merged commit 0d7a978 into google:master Oct 7, 2024
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@berggren berggren berggren approved these changes

Assignees

@jkppr jkppr

Labels
Analyzers Backend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jkppr @berggren @jaegeral