Archive for November, 2010

Updating log2timeline on the SIFT workstation

November 12th, 2010

One of the things I did to make updating and maintaining log2timeline easier was to create an apt repository so that the tool could be installed using apt-get. However, I hadn’t done so prior to the release of the SIFT workstation, so SIFT was released with a source installation of the tool. That also meant that some of the dependencies were installed using CPAN, which Debian/Ubuntu doesn’t always like. And with the release of version 0.50, there were quite a few libraries that had to be installed.

This really pushed me into writing a short HOWTO describing the process of removing the source installation and migrating to the easier-to-maintain Ubuntu repository. That way the tool gets updated along with every OS update. This HOWTO was supposed to be published a long time ago, but somehow got left behind… so finally here it is…

HOWTO upgrade log2timeline on the SIFT workstation

The first thing that has to be done is to add the log2timeline repository to the sources.list file. Since I haven’t gone through the steps of releasing log2timeline into the main Ubuntu repository, this approach has to be used (at least for now).

echo "deb http://log2timeline.net/pub karmic main contrib non-free" >> /etc/apt/sources.list

Since all of the Debian/Ubuntu packages are signed with my PGP key, you will need to add it to your apt keyring, otherwise apt will complain about unauthenticated packages. So that is the next step.

cd /tmp
/usr/bin/wget http://log2timeline.net/gpg.asc
/usr/bin/apt-key add gpg.asc
/bin/rm gpg.asc

Now you’ve installed my GPG key and added the repository to the sources file, so it is possible to refresh the package lists by issuing:

apt-get update

Since we’ve already installed the tool from source, we need to remove the log2timeline libraries and at the same time remove some of the libraries that were installed using CPAN and will now be installed as Ubuntu packages (otherwise the system will complain, since there will be two instances installed and registered).

rm -rf /usr/local/share/perl/5.10.0/Log2t/
rm -rf /usr/share/perl5/Log2t/
rm /usr/local/bin/log2timeline
rm /usr/local/bin/timescanner
rm /usr/local/bin/update_log2timeline
rm -rf /usr/local/share/perl/5.10.0/XML
rm -f /usr/local/share/perl/5.10.0/Parse/Evtx.pm
rm -rf /usr/local/share/perl/5.10.0/Parse/Evtx

Now we’ve removed all the CPAN-installed libraries that could create conflicts and added the repository to our apt sources. So the last step is simply to install the tool:

apt-get install log2timeline-perl

This should be it… and to verify once the installation is complete:

log2timeline -V
log2timeline -f list
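The manual steps above, and the automation script mentioned in the next section, collapse into one sequence: add the source line, fetch and trust the signing key, drop the CPAN-installed copies, install the package. The following is an added example, not the blog’s migrate_log2timeline_to_apt.sh and not part of log2timeline itself, written as idempotent shell functions so it can be re-run safely. It assumes the repository line, key URL and stale paths quoted in the post; the EXPECTED_KEY_SHA256 variable is a placeholder for a checksum of the key file obtained out of band (the post does not publish one), so that a key fetched over plain HTTP is checked before apt-key trusts it system-wide.

```shell
#!/bin/sh
# Added example of the migration steps as re-runnable functions (not the
# post's own script). Repository line, key URL and stale paths come from the
# post; EXPECTED_KEY_SHA256 is a placeholder the operator fills in with a
# checksum of gpg.asc obtained out of band.

REPO_LINE="deb http://log2timeline.net/pub karmic main contrib non-free"
KEY_URL="http://log2timeline.net/gpg.asc"
EXPECTED_KEY_SHA256="${EXPECTED_KEY_SHA256:-}"   # placeholder, set by operator

# Append LINE to FILE only if it is not already there. Returns 0 when the line
# was added and 1 when it was already present, so re-running never duplicates
# the repository entry.
add_source_line() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -Fxq "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# Succeed only when FILE's SHA-256 equals EXPECTED; a missing file or a
# mismatch fails closed.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print each CPAN-installed log2timeline path under PREFIX that still exists,
# so the caller removes only what is actually present (paths from the post).
stale_cpan_paths() {
    prefix="$1"
    for rel in share/perl/5.10.0/Log2t bin/log2timeline bin/timescanner \
               bin/update_log2timeline share/perl/5.10.0/XML \
               share/perl/5.10.0/Parse/Evtx.pm share/perl/5.10.0/Parse/Evtx; do
        [ -e "$prefix/$rel" ] && printf '%s\n' "$prefix/$rel"
    done
    return 0
}

# The full migration; run as root with --run.
migrate() {
    set -e
    add_source_line /etc/apt/sources.list "$REPO_LINE" || echo "repository already configured"
    tmpkey=$(mktemp)
    wget -q -O "$tmpkey" "$KEY_URL"
    if [ -n "$EXPECTED_KEY_SHA256" ]; then
        verify_sha256 "$tmpkey" "$EXPECTED_KEY_SHA256" || {
            echo "key checksum mismatch, refusing to trust it" >&2
            rm -f "$tmpkey"; exit 1
        }
    fi
    apt-key add "$tmpkey"
    rm -f "$tmpkey"
    apt-get update
    stale_cpan_paths /usr/local | while read -r p; do rm -rf "$p"; done
    rm -rf /usr/share/perl5/Log2t          # the one stale path outside /usr/local
    apt-get install -y log2timeline-perl
    log2timeline -V
    log2timeline -f list
}

# Only touch the system when explicitly asked; without --run the file just
# defines the functions (handy for sourcing or dry checks).
[ "${1:-}" = "--run" ] && migrate
```

Run it as `sudo EXPECTED_KEY_SHA256=<checksum> ./migrate.sh --run`; leaving the variable empty skips the checksum check and behaves like the original steps. The deletion loop asks `stale_cpan_paths` which of the CPAN leftovers exist first, so a second run on an already-migrated system does nothing destructive.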

Automation

And to make things even easier… I’ve created a simple Bash script to automate this, so the process is simpler still. Just download the script on the SIFT workstation and run it:

wget http://blog.kiddaland.net/dw/migrate_log2timeline_to_apt.sh
chmod 755 migrate_log2timeline_to_apt.sh
sudo ./migrate_log2timeline_to_apt.sh

And everything should be updated and completed.

Update

I updated the path to the script, which was obviously wrong (it gave a 404 error). It should work now.

Categories: Forensics