
log2timeline updated

I’ve just released a new version of log2timeline, version 0.42. The new version includes two new input modules: one that extracts timestamps from PDF metadata and another that parses McAfee anti-virus log files. It also includes several bug fixes; the full changelog can be read here. Development will now focus on moving the tool to version 0.50, which introduces a new design for how timestamps and related information are handled within the framework, including a shift to TLN as the standard output format. More details can be found in the roadmap.

log2timeline will also be included in the upcoming 2.0 release of the SIFT (SANS Investigative Forensic Toolkit) workstation, which will be available soon (and yes it is based on Ubuntu now). That way people can enjoy the tool without needing to go through the installation process with all the needed dependencies.

The agenda for the upcoming SANS EU forensics summit is up. I encourage everyone who has the chance to attend this summit; there are some great talks and, of course, a great chance to meet some of the top experts in computer forensics in Europe. It is also a chance to meet with me and get me to implement some feature in log2timeline that you always wished was there, but for some odd reason you never sent me an e-mail to request.

  1. March 6th, 2010 at 16:46 | #1

    Great news about its inclusion in the next version of SIFT. Thanks for this, Kristinn; great tool!

  2. March 11th, 2010 at 20:06 | #2

    Here’s the first line of my AP log file.

    10/4/2009 7:36:10 PM Would be blocked by port blocking rule (rule is currently not enforced) C:\Documents and Settings\pbobby\Local Settings\Application Data\Google\Chrome\Application\chrome.exe Common Maximum Protection:Prevent HTTP communication 8.5.0.232:80

  3. March 11th, 2010 at 20:07 | #3

    When running log2timeline with the mcafee option I get the following:

    pbobby@ubuntu:~/Documents/log2timeline$ log2timeline -z US/Eastern -f mcafee ./fred/AccessProtectionLog.txt
    Start processing file/dir [./fred/AccessProtectionLog.txt] …
    Loading output file: mactime
    Starting to parse file using format: [mcafee]
    This is a plugin of unkown origin. It parses a log file and contains no requirements or
    any other relevant options or possibilites, use with care…
    ————————

    File ./fred/AccessProtectionLog.txt is not of the right format.
    Error given from format file: The date field is not correctly formed(10/4/2009)

    ————————

    Usage:
    log2timeline [OPTIONS] -f FORMAT LOG_FILE/LOG_DIR [--] [FORMAT FILE
    OPTIONS]

    pbobby@ubuntu:~/Documents/log2timeline$

  4. March 12th, 2010 at 15:52 | #4

    I changed line 697 to

    if( $words[0] =~ m/\d{1,2}\/\d{1,2}\/\d{4}/ )

    the month field can be 1 or 2 characters also

  5. March 12th, 2010 at 18:40 | #5

    Hi,
    thank you for this comment, I’ve added it in my code already. The log files that I had in my hands had the 03 notion for month that was earlier than October, so obviously they can “swing” both ways
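The date-field problem discussed in comments #3 to #5, worked through as an added example (written in Python rather than the tool’s Perl; this is not log2timeline’s own code): the strict two-digit regex rejects “10/4/2009”, the relaxed one accepts it, and the accepted line is converted to an epoch timestamp in the zone given with -z and rendered as a TLN record. The sample line is constructed from the one quoted in comment #2; tab-separated fields, the TLN column layout and the host/user values are assumptions.

```python
import re
from datetime import datetime, timezone, timedelta
from zoneinfo import ZoneInfo

# Constructed sample modelled on the line quoted in comment #2; the real
# AccessProtectionLog.txt is assumed to be tab-separated.
SAMPLE_LINE = (
    "10/4/2009\t7:36:10 PM"
    "\tWould be blocked by port blocking rule (rule is currently not enforced)"
    "\tC:\\Documents and Settings\\pbobby\\Local Settings\\Application Data"
    "\\Google\\Chrome\\Application\\chrome.exe"
    "\tCommon Maximum Protection:Prevent HTTP communication\t8.5.0.232:80"
)

# Before the fix: month and day had to be exactly two digits, so "10/4/2009" failed.
STRICT_DATE = re.compile(r"\d{2}/\d{2}/\d{4}")
# After the fix from comment #4: month and day may be one or two digits.
RELAXED_DATE = re.compile(r"\d{1,2}/\d{1,2}/\d{4}")

# Fixed-offset fallback (EDT, UTC-4) for hosts without the tz database (assumption).
FIXED_EDT = timezone(timedelta(hours=-4))


def date_is_well_formed(date_field, pattern=RELAXED_DATE):
    """Mirror the module's 'date field is not correctly formed' check."""
    return pattern.fullmatch(date_field) is not None


def parse_mcafee_line(line, tz=None):
    """Return an event dict for one Access Protection line, or None when the
    date field is rejected (the 'not of the right format' path)."""
    tz = tz or ZoneInfo("US/Eastern")           # what -z US/Eastern selects
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or not date_is_well_formed(parts[0]):
        return None
    # 12-hour clock with AM/PM, interpreted as local time in the chosen zone
    local = datetime.strptime(f"{parts[0]} {parts[1]}", "%m/%d/%Y %I:%M:%S %p")
    local = local.replace(tzinfo=tz)
    return {
        "epoch": int(local.timestamp()),
        "action": parts[2],
        "process": parts[3] if len(parts) > 3 else "",
        "rule": parts[4] if len(parts) > 4 else "",
        "target": parts[5] if len(parts) > 5 else "",
    }


def to_tln(event, host="ubuntu", user="pbobby"):
    """Render as a TLN line: Time|Source|Host|User|Description (layout assumed)."""
    desc = f"{event['action']} {event['process']} [{event['rule']}] {event['target']}"
    return f"{event['epoch']}|MCAFEE|{host}|{user}|{desc}"
```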
