log2timeline v0.40 released

log2timeline is a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.

JPEG - 19 kb

Version 0.40

  • [CFTL output] Fixed few bugs in the cftl.pm output module, didn’t work in the current CFTL version without these modifications (has been verified to work with CFTL pre-relase version 1.0)
  • [EXIF input] Fixed a bug in the exif input module, there was a problem with the format of date variables read by ExifTool library. Added a format string to force the date format to be the same.
  • [glog2timeline] Modified the GUI, glog2timeline to make it feature compatible with the CLI interface, added:
    • Simple menu structure
    • Added the possibility to add timeskew information
    • Added the possibility to prepend text to output (a la -m)
    • Added the possibility to perform most of the operations through the menu structure
    • Added the possibility to check for latest version (version check)
    • Added a simple progress bar and information about the artifact being processed [more work needs to be done here]
    • Added the possibility to define the timezone of the suspect drive (list all available timezones sorted, using UTC as the default zone)
  • [List library] Modified the name of the Log2t::List library to Log2t::Common so that the library can be used for all common functions that are shared between more than one module (instead of only focusing on listing directory entries)
  • [BinRead library] Fixed few bugs in the BinRead library that dealt with Unicode reading
  • [WIN_LINK input] Modified the text output of win_link input module, to make the output more readable
  • [RECYCLER input] Modified the recycler.pm so that it reads the recycle bin directory instead of the INFO2 file. Added the possibility to read $I files as well (the newer format as used in Vista, Windows 7 and later operating systems from Microsoft). The new input module reads the directory and determines if it is examining the older or newer version of the recycle bin and parses accordingly
  • [timescanner] added a banner to timescanner, giving people warning about the tool, since there have been reports of it being unreliable in parsing all files that it should be able to do. This banner will stay until the tool has been fixed (coming version)
  • [timescanner] added the possibility to add timezone information, as well as to add a timezone related functions to be used by libraries
  • [timescanner] Fixed a bug, forgot to close the input module after parsing an artifact (creating some problems)
  • [USERASSIST input] fixed a bug in the userassist module. It crashed if it encountered a registry file it was unable to load (eg NTUSER.DAT.LOG), added a check for that, so timescanner will not die when he reaches such a file
  • [FIREFOX3 input] added an extra check in the verify routine to double check that we are in fact examining a FF3+ history database, now connecting to the database to see if there is a moz_places table there before proceeding. Added few error message checks as well, to improve the error handling of the verification. Fixed a bug where Firefox 3 history files were not included in the timescanner tool (had to do with the verification and improper check if the database was locked)
  • [log2timeline] Added the possibility to define the timezone of the suspect drive (-z ZONE parameter). The default timezone is local (that is the local timezone of the analysis station). This affects the timesettings of all artifacts found on the system and adjusts it accordingly). The option of "-z list" will print out a list of all available timezones that can be chosen.
  • [OXML input] Modified the verify function, only read the ZIP header if the magic value of the file indicates that this is a ZIP file (reduces time needed for the verification function, and therefore reduces the time needed for timescanner)
  • [Common library] Added constants to the Common library (BIG_E and LITTLE_E) that are shared with other libraries and modules
  • [input modules] changed all input modules that call the BinRead library so that they initialize the endian. This fixes a bug in timescanner, since some input module set the BinRead to big endian, which is not changed back when another input module that reads in a little endian was started (making verification and all uses of binary reading wrong, leading to the fact that timescanner did not parse the files)
  • [Time library] Added a function called fix_epoch to take an epoch value, and use the supplied timezone settings to modify it to UTC
  • [input modules] Modified the input modules so that they all now output the timezone information in UTC
  • [Setupapi input] Modified the SetupAPI input module, considerable changes made in the way that the file is parsed
  • [log2timeline] All input modules now output their time in UTC, irrelevant of the method of storing time entries. This makes it vital to add a parameter to define the timezone of the suspect drive
  • [evt] Added a new input module that is capable of parsing Windows 2000/XP/2003 Event Log files (mostly rewrite of evtparse.pl by Harlan Carvey)

More info: here

Post scriptum

Compliance Mandates

  • Forensics :

    PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
    *Shared Hosting Providers Only


Comments

Related Articles

Forensics
log2timeline