Timesketch

Timesketch is Google's open-source collaborative forensic timeline analysis platform designed for security incident investigations. It ingests events from multiple forensic sources — Plaso supertimelines, CSV files, JSONL logs, and direct uploads — and presents them in a searchable, annotatable web interface where multiple analysts can work simultaneously. Investigators can create named views with saved queries, tag events with labels and comments, build investigation timelines, and share findings with teammates. Timesketch includes built-in analyzers that automatically detect suspicious patterns like lateral movement, credential access, and data staging. The Sigma integration allows analysts to run detection rules directly against timeline data. The sketch-based workflow means each investigation is self-contained with its own data, annotations, and analysis — making it easy to hand off cases between analysts or revisit investigations months later.