Hello everyone,
I am currently trying to modify some plugins to post to the timeline.
One example is the Windows Internals plugin by Mark McKinnon
(https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Windows_Internals).
For example, you could add an event to the timeline for every execution
of a .exe found in a prefetch file. The way I managed to add an event to
the timeline is by creating a second artifact of type TSK_TL_EVENT and
posting it separately, since it seems that only certain artifact types
get automatically converted into an event (due to their capability of
generating the description and determining the TimeLineEventType). How
could you create an event for a custom artifact type so that you can
right-click the event in the normal browser, hit "Show Results in
Timeline..." and see them from there? It would be best to do this without
modifying TSK or Autopsy themselves, just by using the plugin.
Best Regards,
Dennis