Timeline analysis, links and discussion
Timeline analysis has been getting a lot of press lately. Harlan discussed some of the sources and the usability of timeline analysis in a recent blog post. And then you've got a few posts that describe how to create timelines, both from a live Windows machine and from registry files. Rob Lee also posted a blog about creating timelines from volume shadow copies.
Then log2timeline has been getting some discussion as well. Paul Bobby actually pointed out some bugs to me, as well as publishing two posts on his blog: one discussing the issues of mounting the image file using EnCase and accessing log2timeline from a virtual machine, the other about an EnCase script that extracts all (or at least most of) the files that log2timeline is capable of parsing into a directory, so that log2timeline can parse them without the need to mount the image file.
Rob Lee also posted a blog post about super timeline creation, using, among other tools, log2timeline. I will post similar posts to Rob's soon; I just have to complete the new version of the tool first. The plan is to complete it, with what I hope will be some good improvements, before the SANS EU Forensics Summit. And speaking of the summit, the detailed agenda for the SANS EU Forensics Summit is up; make sure you don't miss it.
Hey Paul – Did you ever get log2timeline working under Windows? I saw your tweet that you were giving up on Cygwin and trying ActivePerl, but when I did that I made even less headway than under Cygwin. The only parts that won't compile under Cygwin are the GUI and PCAP modules. If there were some way to bypass those, frankly, I couldn't care less that they weren't there.
Thoughts?
John