Linux: Boottime timeliner: Rollback timeliner event type changes and use the created time for the boot time plugin

gcmoreira · gcmoreira · commit 4895af47bdec · 2024-10-29T13:46:19.000+11:00
diff --git a/volatility3/framework/plugins/linux/boottime.py b/volatility3/framework/plugins/linux/boottime.py
@@ -88,7 +88,7 @@ def generate_timeline(self):
         ):
             description = f"System boot time for time namespace {time_namespace_id}"
 
-            yield description, timeliner.TimeLinerType.BOOTTIME, boottime
+            yield description, timeliner.TimeLinerType.CREATED, boottime
 
     def run(self):
         columns = [
diff --git a/volatility3/framework/plugins/timeliner.py b/volatility3/framework/plugins/timeliner.py
@@ -23,7 +23,6 @@ class TimeLinerType(enum.IntEnum):
     MODIFIED = 2
     ACCESSED = 3
     CHANGED = 4
-    BOOTTIME = 5
 
 
 class TimeLinerInterface(metaclass=abc.ABCMeta):
@@ -172,22 +171,18 @@ def _generator(
                                     TimeLinerType.CHANGED,
                                     renderers.NotApplicableValue(),
                                 ),
-                                times.get(
-                                    TimeLinerType.BOOTTIME,
-                                    renderers.NotApplicableValue(),
-                                ),
                             ],
                         )
                     )
 
                     # Write each entry because the body file doesn't need to be sorted
                     if fp:
                         times = self.timeline[(plugin_name, item)]
-                        # Body format is: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime|boottime
+                        # Body format is: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
 
                         if self._any_time_present(times):
                             fp.write(
-                                "|{} - {}|0|0|0|0|0|{}|{}|{}|{}|{}\n".format(
+                                "|{} - {}|0|0|0|0|0|{}|{}|{}|{}\n".format(
                                     plugin_name,
                                     self._sanitize_body_format(item),
                                     self._text_format(
@@ -202,9 +197,6 @@ def _generator(
                                     self._text_format(
                                         times.get(TimeLinerType.CREATED, "0")
                                     ),
-                                    self._text_format(
-                                        times.get(TimeLinerType.BOOTTIME, "0")
-                                    ),
                                 )
                             )
             except Exception as e:
@@ -328,7 +320,6 @@ def run(self):
                 ("Modified Date", datetime.datetime),
                 ("Accessed Date", datetime.datetime),
                 ("Changed Date", datetime.datetime),
-                ("Boot Date", datetime.datetime),
             ],
             generator=self._generator(plugins_to_run),
         )
