Archive for April, 2010

timescanner and IE history

April 26th, 2010 kiddi

There has been some discussion lately about some limitations of timescanner with regard to reading timestamps from various index.dat files. More precisely, Windows decided to store timestamps using different time zones depending on the location of the index.dat, instead of sticking with the good old UTC format. So for instance the history files (the index.dat stored in the History.IE5 folder) use local timestamps, while the daily and weekly history files have timestamps stored both in UTC and in the time zone of the machine in question (all timestamps are still stored in the Windows FILETIME format).

So as a quick fix to the current release (and nightly build) I’ve just excluded the daily and weekly files from the tool timescanner. But in the coming 0.50 release (keep mentioning that) I’ve included a more intelligent scanner, where I take into consideration the location of the file in question and apply the appropriate settings to the timestamps. So timestamps stored in an index.dat file that have a different meaning depending on their location will have the correct meaning and description in version 0.50, as they should.

I will provide examples and more details about this new feature when I release the tool.
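As an added illustration (not code from log2timeline or timescanner), the following Python sketch applies the location rule described above: it decodes FILETIME values and decides what each one means by where the index.dat sits. The MSHist01 folder naming, the UTC-5 machine zone, the sample path and the order of the two stamps in daily/weekly records are assumptions for this example, not details taken from the post.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME: 100 ns ticks since this instant
# Daily/weekly history folders are assumed to be named MSHist01<start><end>, YYYYMMDD each
MSHIST_RE = re.compile(r"MSHist01(\d{8})(\d{8})", re.IGNORECASE)

def filetime_to_datetime(ft, stored_tz):
    """Decode a FILETIME, declaring the zone the stored wall-clock value was written in."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).replace(tzinfo=stored_tz)

def datetime_to_filetime(naive_wall_clock):
    """Inverse helper, used here only to build constructed sample records."""
    d = naive_wall_clock - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def classify_index_dat(path):
    """'history' for History.IE5\\index.dat, 'daily' or 'weekly' for MSHist01 subfolders."""
    p = path.replace("\\", "/")
    m = MSHIST_RE.search(p)
    if m is None:
        return "history" if "history.ie5" in p.lower() else "unknown"
    start, end = (datetime.strptime(g, "%Y%m%d") for g in m.groups())
    return "daily" if (end - start).days <= 1 else "weekly"

def record_to_utc(path, stamps, machine_tz):
    """Map one record's raw FILETIMEs to (label, UTC datetime) pairs, picking the
    interpretation from the file's location as the post describes."""
    kind = classify_index_dat(path)
    if kind == "history":  # main history file: the value is local time on the machine
        when = filetime_to_datetime(stamps[0], machine_tz).astimezone(timezone.utc)
        return [("last visited (stored local)", when)]
    if kind in ("daily", "weekly"):
        # These files hold a local and a UTC copy of the visit time.
        # Assumption for this example: first value local, second UTC.
        local_ft, utc_ft = stamps
        return [(f"{kind} visit (stored local)",
                 filetime_to_datetime(local_ft, machine_tz).astimezone(timezone.utc)),
                (f"{kind} visit (stored UTC)", filetime_to_datetime(utc_ft, timezone.utc))]
    raise ValueError(f"not a recognised index.dat location: {path}")

def sample_record():
    """Constructed sample: machine at UTC-5, one visit at 12:00 local on 2010-04-26."""
    tz, wall = timezone(timedelta(hours=-5)), datetime(2010, 4, 26, 12, 0, 0)
    path = r"C:\Users\x\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010042620100427\index.dat"
    stamps = [datetime_to_filetime(wall), datetime_to_filetime(wall + timedelta(hours=5))]
    return record_to_utc(path, stamps, tz)

if __name__ == "__main__":
    for label, when in sample_record():
        print(label, when.isoformat())  # both lines show 2010-04-26T17:00:00+00:00
```

Once both copies of the daily/weekly stamp normalise to the same UTC instant, the machine time zone used for the local copy is confirmed; a mismatch is the first sign that the wrong zone (or the wrong interpretation of a file) was applied.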

SANS EU forensics summit and log2timeline

April 26th, 2010 kiddi

Well… I was supposed to give a talk at the SANS EU forensics summit about log2timeline, but due to our lovely volcano in Eyjafjallajökull (which some people might have heard mentioned lately, although few can really pronounce it correctly) there were no flights to the UK… meaning that although the airport here in Iceland was open (ironically), I and others couldn’t get to the summit… so it was decided to postpone it until next September.

But anyway, since the EU summit was postponed I wanted to release my slides so that at least people could see what I was supposed to talk about… and during the presentation I was about to announce the release of the new version, version 0.50 of log2timeline. But since the summit was postponed I decided to withhold the new release until I’ve completed a few more tweaks and features. So I’m still planning to release the new version ASAP, and when I do I will publish the slides as well.