
Update to log2timeline and timeline visualization

September 2nd, 2009 kiddi

I finally managed to push a new version of log2timeline out, version 0.30b, which contains several changes (see changelog). Among the changes is the possibility to use timeline visualization tools.

I wasn’t able to find that many timeline visualization tools that I could use. I will mention a few of the projects that I’ve seen that can visually represent a timeline.

  • Zeitline, a tool written in Java in 2005 that hasn’t been updated since then.
  • SIMILE timeline project, which is a widget that can be put on a web site that reads an XML document and produces a very nice visual timeline.
  • CFTL or the CyberForensics TimeLab, which was written by Jens Olsson and Martin Boldt (a paper describing it can be found here).

There are pros and cons to every one of those tools. Some of the problems that I can think of are:

  • Zeitline is not very flexible and is difficult to get working.
  • SIMILE requires the user to create an HTML file that describes the timeline, and use a web server (possible to have it localized) to visually inspect the timeline.
  • CFTL is still a beta tool that hasn’t been released (and will probably not be free anyway).

The most promising visualization tool that I saw was definitely the CFTL, although I haven’t been able to test it myself, since there is no publicly available version out there.

I decided to create some output modules for log2timeline so that timelines created by the tool could be visually analyzed using one of these tools.  Since both the SIMILE and CFTL projects use XML documents to describe the timeline it was quite easy to create an output module that has the possibility to output a file that can be read by the tools.  As soon as I’ve tested and evaluated both of these tools I will post reviews and show how they can be used to augment timeline analysis (using log2timeline to create the timeline and these tools to visually represent it).
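
The idea of writing timeline entries as XML for a viewer such as SIMILE, as an added example (not code from log2timeline or from the original post). The `(epoch, source, description)` record layout and the sample records are constructed, and the `<data>`/`<event>` layout with `start` and `title` attributes is assumed from SIMILE Timeline's XML event format. Evidence strings can contain markup and control characters, so the code escapes the former and replaces the latter to keep the document well-formed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Control characters that XML 1.0 forbids. File names, URLs and log
# messages taken from evidence can contain them.
_XML_ILLEGAL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")


def clean(text):
    """Replace characters that would make the XML document ill-formed."""
    return _XML_ILLEGAL.sub("\ufffd", text)


def to_simile_xml(records):
    """Build an event document from (epoch, source, description) tuples.

    The tuple layout is hypothetical; it is not log2timeline's internal format.
    """
    root = ET.Element("data", {"date-time-format": "iso8601"})
    for epoch, source, description in sorted(records, key=lambda r: r[0]):
        when = datetime.fromtimestamp(epoch, tz=timezone.utc)
        event = ET.SubElement(root, "event", {
            "start": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            # Short label shown on the timeline band.
            "title": clean(f"[{source}] {description}")[:80],
        })
        # Full description; ElementTree escapes <, > and & on serialization.
        event.text = clean(description)
    return ET.tostring(root, encoding="unicode")


# Constructed sample records (not real case data).
SAMPLE = [
    (1251878400, "FILE", "C:/case/<b>report</b> & notes.txt modified"),
    (1251874800, "EVT", "Logon event\x07 for user \"test\""),
]

if __name__ == "__main__":
    print(to_simile_xml(SAMPLE))
```
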
