├── README.md
└── timeshift.py


/README.md:
--------------------------------------------------------------------------------
  1 | # timeshift
  2 | A python script to shift the timestamp on syslog and httpd log data. Useful for forensicators combating time skew, time zones, and other such foolery.
  3 | 
  4 | ## Usage
  5 | 
  6 | ```
  7 | $ timeshift.py --help
  8 | usage: timeshift.py [-h] [-m {syslog,httpdlog,rfc3339,cobaltstrike}]
  9 |                     [-o OFFSET] [-i {second,minute,hour,day}] [-y YEAR]
 10 |                     [-r INFILE] [-w OUTFILE]
 11 | 
 12 | Shift the date for all entries in an input data set by a specified interval of
 13 | time. Offset and interval options are required when using syslog mode.
 14 | 
 15 | optional arguments:
 16 |   -h, --help            show this help message and exit
 17 |   -m {syslog,httpdlog,rfc3339,cobaltstrike}, --mode {syslog,httpdlog,rfc3339,cobaltstrike}
 18 |                         Type of timestamp to seek and adjust (default =
 19 |                         syslog)
 20 |   -o OFFSET, --offset OFFSET
 21 |                         Amount of time to shift (pos/neg integer, only
 22 |                         required for "syslog" mode
 23 |   -i {second,minute,hour,day}, --interval {second,minute,hour,day}
 24 |                         Interval of time to shift (only required for "syslog"
 25 |                         and "cobaltstrike" modes
 26 |   -y YEAR, --year YEAR  Year to assume (default 2018)
 27 |   -r INFILE, --infile INFILE
 28 |                         Input file to process (default STDIN)
 29 |   -w OUTFILE, --outfile OUTFILE
 30 |                         Output file to create - will be overwritten if exists
 31 |                         (default STDOUT)
 32 | ```
 33 | 
 34 | ### Example Usage
 35 | Original contents of syslog file:
 36 | 
 37 | ```
 38 | $ cat maillog 
 39 | Jun  8 15:20:02 proxy sendmail[2295]: alias database /etc/aliases rebuilt by root
 40 | Jun  8 15:20:02 proxy sendmail[2295]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
 41 | Jun  8 15:20:02 proxy sendmail[2300]: starting daemon (8.13.8): SMTP+queueing@01:00:00
 42 | Jun  8 15:20:02 proxy sm-msp-queue[2308]: starting daemon (8.13.8): queueing@01:00:00
 43 | ```
 44 | 
 45 | Assuming source file is reflected in EDT (UTC-0400), change to UTC (as it should be!):
 46 | ```
 47 | $ timeshift.py -m syslog -o 4 -i hour -r maillog
 48 | Jun  8 19:20:02 proxy sendmail[2295]: alias database /etc/aliases rebuilt by root
 49 | Jun  8 19:20:02 proxy sendmail[2295]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
 50 | Jun  8 19:20:02 proxy sendmail[2300]: starting daemon (8.13.8): SMTP+queueing@01:00:00
 51 | Jun  8 19:20:02 proxy sm-msp-queue[2308]: starting daemon (8.13.8): queueing@01:00:00
 52 | ```
 53 | 
 54 | Correct sendmail entries in source file to account for the system's clock being 23 seconds fast
 55 | ```
 56 | $ grep sendmail maillog | ./timeshift.py -m syslog -o -23 -i second
 57 | Jun  8 15:19:39 proxy sendmail[2295]: alias database /etc/aliases rebuilt by root
 58 | Jun  8 15:19:39 proxy sendmail[2295]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
 59 | Jun  8 15:19:39 proxy sendmail[2300]: starting daemon (8.13.8): SMTP+queueing@01:00:00
 60 | ```
 61 | 
 62 | Original contents of HTTPD access log file:
 63 | ```
 64 | $ cat lewestech.com-access
 65 | 82.220.38.35 - - [11/Oct/2015:10:42:02 +0400] "POST /wp-login.php HTTP/1.1" 200 4697 "http://lewestech.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
 66 | 208.115.113.85 - - [11/Oct/2015:11:27:15 +0400] "GET /clients/clients/waggies-by-maggie HTTP/1.1" 301 128 "-" "Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
 67 | 65.254.225.173 - - [11/Oct/2015:11:29:49 +0400] "POST /wp-login.php HTTP/1.1" 200 4697 "http://lewestech.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
 68 | 82.239.166.225 - - [11/Oct/2015:11:58:49 +0400] "GET /tag/for572/ HTTP/1.1" 200 24951 "https://www.google.fr" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
 69 | 82.239.166.225 - - [11/Oct/2015:11:58:50 +0400] "GET /wp-content/themes/lewestech/style.css HTTP/1.1" 200 10512 "http://lewestech.com/tag/for572/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
 70 | 82.239.166.225 - - [11/Oct/2015:11:58:51 +0400] "GET /wp-content/themes/lewestech/scripts/utils.js HTTP/1.1" 200 123 "http://lewestech.com/tag/for572/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
 71 | ```
 72 | 
 73 | Convert HTTPD access log with UTC offset to UTC native
 74 | ```
 75 | $ cat lewestech.com-access | ./timeshift.py -m httpd
 76 | 82.220.38.35 - - [11/Oct/2015:06:42:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4697 "http://lewestech.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
 77 | 208.115.113.85 - - [11/Oct/2015:07:27:15 +0000] "GET /clients/clients/waggies-by-maggie HTTP/1.1" 301 128 "-" "Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
 78 | 65.254.225.173 - - [11/Oct/2015:07:29:49 +0000] "POST /wp-login.php HTTP/1.1" 200 4697 "http://lewestech.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
 79 | 82.239.166.225 - - [11/Oct/2015:07:58:49 +0000] "GET /tag/for572/ HTTP/1.1" 200 24951 "https://www.google.fr" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
 80 | 82.239.166.225 - - [11/Oct/2015:07:58:50 +0000] "GET /wp-content/themes/lewestech/style.css HTTP/1.1" 200 10512 "http://lewestech.com/tag/for572/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
 81 | 82.239.166.225 - - [11/Oct/2015:07:58:51 +0000] "GET /wp-content/themes/lewestech/scripts/utils.js HTTP/1.1" 200 123 "http://lewestech.com/tag/for572/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
 82 | ```
 83 | 
 84 | Original contents of RFC3339 timestamp file:
 85 | ```
 86 | $ cat messages
 87 | <5>2016-05-05T23:12:09.649085-05:00 quaff kernel:[27198521.247185] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21110 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 88 | <5>2016-05-05T23:12:09.649157-05:00 quaff kernel:[27198521.247213] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21111 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 89 | <5>2016-05-05T23:12:09.649161-05:00 quaff kernel:[27198521.247228] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21112 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 90 | <5>2016-05-05T23:12:09.649163-05:00 quaff kernel:[27198521.247252] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21113 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 91 | <5>2016-05-05T23:12:09.649165-05:00 quaff kernel:[27198521.247273] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21114 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 92 | ```
 93 | 
 94 | Convert RFC3339 timestamps with UTC offset to UTC native
 95 | ```
 96 | $ ./timeshift.py -m rfc3339 -r messages
 97 | <5>2016-05-06T04:12:09.649085+00:00 quaff kernel:[27198521.247185] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21110 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 98 | <5>2016-05-06T04:12:09.649157+00:00 quaff kernel:[27198521.247213] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21111 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
 99 | <5>2016-05-06T04:12:09.649161+00:00 quaff kernel:[27198521.247228] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21112 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
100 | <5>2016-05-06T04:12:09.649163+00:00 quaff kernel:[27198521.247252] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21113 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
101 | <5>2016-05-06T04:12:09.649165+00:00 quaff kernel:[27198521.247273] Firewall-DENY_INPUT: IN=venet0 OUT= MAC= SRC=188.143.a.b DST=205.186.x.y LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21114 DF PROTO=TCP SPT=43052 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
102 | ```
103 | 
104 | Original contenst of Cobalt Strike log file:
105 | ```
106 | $ cat cobaltstrike.txt
107 | 08/23 21:38:35 [input] <user> download file.zip
108 | 08/23 21:38:35 [task] Tasked beacon to download file.zip
109 | 08/23 21:38:42 [checkin] host called home, sent: 37 bytes
110 | 08/23 21:38:42 [output]
111 | started download of C:\Users\victim\Documents\file.zip (14892 bytes)
112 | 
113 | 08/23 21:38:42 [output]
114 | download of file.zip is complete
115 | 
116 | 08/23 21:39:40 [input] <user> ls 20180823
117 | 08/23 21:39:40 [task] Tasked beacon to list files in 20180823
118 | 08/23 21:39:43 [checkin] host called home, sent: 26 bytes
119 | ```
120 | 
121 | Assuming source file is reflected in EDT (UTC-0400), change to UTC (as it should be!):
122 | ```
123 | $ timeshift.py -m cobaltstrike -o 4 -i hour -r cobaltstrike.txt
124 | 2018-08-24T01:38:35 [input] <user> download file.zip
125 | 2018-08-24T01:38:35 [task] Tasked beacon to download file.zip
126 | 2018-08-24T01:38:42 [checkin] host called home, sent: 37 bytes
127 | 2018-08-24T01:38:42 [output]
128 | started download of C:\Users\victim\Documents\file.zip (14892 bytes)
129 | 
130 | 2018-08-24T01:38:42 [output]
131 | download of file.zip is complete
132 | 
133 | 2018-08-24T01:39:40 [input] <user> ls 20180823
134 | 2018-08-24T01:39:40 [task] Tasked beacon to list files in 20180823
135 | 2018-08-24T01:39:43 [checkin] host called home, sent: 26 bytes
136 | ```


--------------------------------------------------------------------------------
/timeshift.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | # (C)2018 Lewes Technology Consulting, LLC
  3 | import sys
  4 | from datetime import datetime, timedelta, date
  5 | import argparse
  6 | import re
  7 | 
  8 | intervals = ('second', 'minute', 'hour', 'day')
  9 | conversion_modes = ('syslog', 'httpdlog', 'rfc3339', 'cobaltstrike')
 10 | curryear = date.today().year
 11 | 
 12 | syslog_re = re.compile('(?P<datestring>(?P<date>[A-Za-z]{3} [0-9 ]{2}) (?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2}))')
 13 | httpd_re = re.compile('(?P<datestring>(?P<date>[0-9]{2}/[A-Za-z]{3}/[0-9]{4}):(?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2}) (?P<offset_dir>[+-])(?P<offset>[0-9]{4}))')
 14 | rfc3339_re = re.compile('(?P<datestring>(?P<date>[0-9]{4}-[0-9]{2}-[0-9]{2})T(?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2})(?P<subsecond>\.[0-9]{6})(?P<offset_dir>[+-])(?P<offset>[0-9]{2}:[0-9]{2}))')
 15 | cobaltstrike_re = re.compile('(?P<datestring>(?P<date>[0-9]{2}/[0-9 ]{2}) (?P<time>[0-9]{2}:[0-9]{2}:[0-9]{2}))')
 16 | 
 17 | parser = argparse.ArgumentParser(description='Shift the date for all entries in an input data set by a specified interval of time. Offset and interval options are required when using syslog mode.')
 18 | parser.add_argument('-m', '--mode', help='Type of timestamp to seek and adjust (default = syslog)', choices = conversion_modes, default='syslog')
 19 | parser.add_argument('-o', '--offset', help='Amount of time to shift (pos/neg integer, only required for "syslog" mode)', type=int)
 20 | parser.add_argument('-i', '--interval', help='Interval of time to shift (only required for "syslog" and "cobaltstrike" modes)', choices = intervals)
 21 | parser.add_argument('-y', '--year', help='Year to assume (default %d)' % curryear, default=curryear, type=int)
 22 | parser.add_argument('-r', '--infile', help='Input file to process (default STDIN)')
 23 | parser.add_argument('-w', '--outfile', help='Output file to create - will be overwritten if exists (default STDOUT)')
 24 | args = parser.parse_args()
 25 | 
 26 | if (args.mode == 'syslog' or args.mode == 'cobaltstrike') and (args.offset == None or args.interval == None):
 27 |     sys.stderr.write('ERROR: Offset and interval options are both required when not using --mode syslog or --mode cobaltstrike\n')
 28 |     sys.exit(2)
 29 | 
 30 | # open the input file or use STDIN if not specified
 31 | if args.infile:
 32 |     try:
 33 |         infile = open(args.infile, 'r')
 34 |     except IOError:
 35 |         sys.stderr.write('Could not open input file')
 36 |         exit(2)
 37 | else:
 38 |     infile = sys.stdin
 39 | 
 40 | # open the output file or use STDOUT if not specified
 41 | if args.outfile:
 42 |     try:
 43 |         outfile = open(args.outfile, 'w')
 44 |     except IOError:
 45 |         sys.stderr.write('Could not open output file')
 46 |         exit(2)
 47 | else:
 48 |     outfile = sys.stdout
 49 | 
 50 | # iterate through each line of the input data
 51 | for line in infile:
 52 |     if args.mode == 'httpdlog':
 53 |         parts = httpd_re.search(line)
 54 | 
 55 |         if parts != None:
 56 |             origtimestring = '%s %s' % (parts.group('date'), parts.group('time'))
 57 |             origtime = datetime.strptime(origtimestring, '%d/%b/%Y %X')
 58 | 
 59 |             offset_dir = parts.group('offset_dir')
 60 |             offset = parts.group('offset')
 61 |             offset_hr = int(offset[0:2])
 62 |             offset_min = int(offset[2:4])
 63 |             offset = timedelta(hours=offset_hr, minutes = offset_min)
 64 | 
 65 |             # we are correcting the time zone to UTC, so the math is opposite the TZ direction
 66 |             if offset_dir == '+':
 67 |                 newtime = origtime - offset
 68 |             else:
 69 |                 newtime = origtime + offset
 70 | 
 71 |             newtimestring = newtime.strftime('%d/%b/%Y:%X')
 72 |             newline = httpd_re.sub(newtimestring+' +0000', line)
 73 | 
 74 |         else:
 75 |             newline = line
 76 | 
 77 |     elif args.mode == 'rfc3339':
 78 |         parts = rfc3339_re.search(line)
 79 | 
 80 |         if parts != None:
 81 |             origtimestring = '%sT%s' % (parts.group('date'), parts.group('time'))
 82 |             origtime = datetime.strptime(origtimestring, '%Y-%m-%dT%X')
 83 | 
 84 |             offset_dir = parts.group('offset_dir')
 85 |             (offset_hr, offset_min) = [ int(x) for x in parts.group('offset').split(':') ]
 86 |             offset = timedelta(hours=offset_hr, minutes = offset_min)
 87 | 
 88 |             # we are correcting the time zone to UTC, so the math is opposite the TZ direction
 89 |             if offset_dir == '+':
 90 |                 newtime = origtime - offset
 91 |             else:
 92 |                 newtime = origtime + offset
 93 | 
 94 |             newtimestring = newtime.strftime('%Y-%m-%dT%X')
 95 |             newline = rfc3339_re.sub(newtimestring+parts.group('subsecond')+'+00:00', line)
 96 | 
 97 |         else:
 98 |             newline = line
 99 | 
100 |     elif args.mode == 'cobaltstrike':
101 |         # establish a timedelta object that defines the requested offset and interval
102 |         if args.interval == 'second':
103 |             offset = timedelta(seconds = args.offset)
104 |         elif args.interval == 'minute':
105 |             offset = timedelta(minutes = args.offset)
106 |         elif args.interval == 'hour':
107 |             offset = timedelta(hours = args.offset)
108 |         elif args.interval == 'day':
109 |             offset = timedelta(hours = args.offset * 24)
110 | 
111 |         # cobalt strike timestamps don't include a year.  add it.
112 |         parts = cobaltstrike_re.search(line)
113 | 
114 |         if parts != None:
115 |             origtimestring = '%s/%s %s' % (parts.group('date'), args.year, parts.group('time'))
116 |             origtime = datetime.strptime(origtimestring, '%m/%d/%Y %X')
117 | 
118 |             # calculate the new time in a time object
119 |             newtime = origtime + offset
120 | 
121 |             # reconstruct the new line
122 |             newtimestring = newtime.strftime('%Y-%m-%dT%X')
123 |             newline = cobaltstrike_re.sub(newtimestring, line)
124 | 
125 |         else:
126 |             newline = line
127 | 
128 |     #assuming syslog format below!
129 |     else:
130 |         # establish a timedelta object that defines the requested offset and interval
131 |         if args.interval == 'second':
132 |             offset = timedelta(seconds = args.offset)
133 |         elif args.interval == 'minute':
134 |             offset = timedelta(minutes = args.offset)
135 |         elif args.interval == 'hour':
136 |             offset = timedelta(hours = args.offset)
137 |         elif args.interval == 'day':
138 |             offset = timedelta(hours = args.offset * 24)
139 | 
140 |         # syslog timestamp is the first 15 characters by default (e.g. "Nov 20 15:20:02")
141 |         # then add a year, which may matter in a leap year
142 |         parts = syslog_re.search(line)
143 | 
144 |         if parts != None:
145 |             origtimestring = '%s %s' % (parts.group('datestring'), args.year)
146 |             origtime = datetime.strptime(origtimestring, '%b %d %X %Y')
147 | 
148 |             # calculate the new time in a time object
149 |             newtime = origtime + offset
150 | 
151 |             # reconstruct the new line
152 |             # the %-2d format string is a two-character wide format that omits any leading zeroes (uses space instead) - nice!
153 |             newtimestring = newtime.strftime('%b %-2d %X')
154 |             newline = syslog_re.sub(newtimestring, line)
155 | 
156 |             #'%s%s' % (newtime.strftime('%b %-2d %X'), remainder)
157 | 
158 |         else:
159 |             newline = line
160 | 
161 |     # write the new line, including a formatted timestamp for the corrected time
162 |     outfile.write(newline)


--------------------------------------------------------------------------------