log2timeline v0.33b - artifact timeline creation and analysis

log2timeline is a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.

The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7+ and 10.6.+). Parts of it should work natively in Windows as well (with ActiveState Perl installed) while other parts need to be slightly to considerably modified to work properly (haven’t tested any functionality in Windows yet).

This tool is published under GPL v2

JPEG - 25.4 kb

Version 0.33 Beta

  • Fixed a bug in iehistory.pm, small bug when reading index.dat files that contain no history.
  • Fixed a bug in iehistory.pm, directory names not correctly read as well as header information (sometimes these values contained unreadable characters).
  • Fixed a bug in mactime.pm input module, small bug in the validation, all mactime files failed.
  • Fixed a bug in the tln.pm input module, files weren’t validated (all files failed validation).
  • Updated the List.pm library so that the input modules and output modules are sorted when the option of -f list or -o list is used.

Current Input Modules

log2timeline currently supports parsing the following formats:

  • Windows Prefetch directory
  • Squid Access Logs (httpd_emulate off)
  • Windows Restore Points
  • Windows Recycle Bin (INFO2)
  • Windows Shortcut files (LNK)
  • UserAssist key of the Windows registry
  • Firefox 3 history
  • Windows IIS W3C log files
  • OpenXML metadata, for metadata extraction from Office 2007 documents
  • ISA server text export. Copy query results to clipboard and into a text file
  • TLN (timeline) body files
  • Mactime body files (to provide an easy method to modify from mactime format to some other)
  • Internet Explorer history files, parsing index.dat files
  • PCAP files, parsing network dump files created by tool such as Wireshark and tcpdump (PCAP)
  • EXIF. Extracts exif information or metadata from various media files

Current Output Modules

log2timeline currently supports exporting timeline into the following formats

  • CFTL. An XML file that can be read by CyberForensics TimeLab (for timeline visualization).
  • Mactime. Both older and newer version of the format supported for use by TSK’s mactime.
  • SIMILE. An XML file that can be read by a SIMILE timeline widget for timeline visualization.
  • TLN. Timeline format that is used by some of H. Carvey tools.
  • SQLite. Dump the timeline into a SQLite database, that can be read by possible future visualization tools.
  • CSV. Dump the timeline in a comma separated value file (CSV) to easily import it into spreadsheet or use with scripts.

Visualization

log2timeline now supports exporting data in a XML document that can be read by timeline visualization tools such as CFTL (CyberForensics TimeLab) or SIMILE timeline widgets.

Thank you Kristinn Gudjonsson, creator of the project.

Post scriptum

Compliance Mandates

  • Forensics :

    PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
    *Shared Hosting Providers Only


Comments

Related Articles

Forensics
log2timeline