DFIR Tooling - python-tim

Yesterday I rewrote Tim in Python. Took me a couple of hours. Now he's up and running

Nov. 19, 2023

Last update: DFIR Tooling - Command Handling

I'd been trying to maintain a slow but steady pace while implementing Tim, but I'll be honest: I got bored. Slow and steady wins the race and all that jazz, but there's such a thing as too slow a pace. On Friday I reminded myself that Tim isn't supposed to be the challenging part of this project. The VR work is where I want to spend my time and effort. To that end I decided to spend this weekend rewriting Tim in Python so that I can shift gears and start focusing on the VR UI. Lo and behold: python-tim is operational after a few hours of effort. The new repository is available at github.com/gnzlabs/python-tim.

Let's take a look at the CLI output from interacting with Tim's filesystem plugin.

[Image: python-tim.png]

Tim's output is on the left and Tim Control's output is on the right. I won't dive into the design of the plugin system in this blog post. I'll just note that it's all built around introspective sorcery and, as such, is incredibly flexible. For example, pattern matching worked on the first go.

[Image: pattern-matching.png]

It's also effortlessly cross-platform, and I think that's pretty neat.

As previously discussed, everything in Tim is made available as a plugin. Connections are (mostly) stateless right now, which works well enough for where the project currently stands. I'll need to add some state tracking to support further development, but that's a future Jeff problem. Also a future Jeff problem: I've gone ahead and stripped out all the security stuff for now. Unauthenticated plaintext connections are the king of Timmy's world, and that's good enough for me at the moment. That'll be fixed later on, once I start in on the VR components.

Right now all I need to do is extend the filesystem plugin with definitions for file info and directory info data contracts and we're good to go. I'll use the JSON output by the CLI to start on VR development this week. Super excited about it!

Next Update: DFIR Tooling - Packet Capturing
