Updating log2timeline on the SIFT workstation
One of the things I did to make updating and maintaining log2timeline easier was to create an apt repository so that the tool could be installed with apt-get. However, I hadn’t done so prior to the release of the SIFT workstation, so SIFT shipped with a source installation of the tool. That also meant that some of the dependencies were installed using CPAN, which Debian/Ubuntu doesn’t always like. And with the release of version 0.50, there were quite a few libraries that had to be installed.
This really pushed me into writing a short HOWTO describing the process of removing the source installation and migrating to the easier-to-maintain Ubuntu repository. That way the tool gets updated along with every OS update. This HOWTO was supposed to be published a long time ago, but somehow got left behind, so finally here it is.
HOWTO upgrade log2timeline on the SIFT workstation
The first thing that has to be done is to add the log2timeline repository to the sources.list file. Since I haven’t gone through the steps of releasing log2timeline into the main Ubuntu repository, this step is necessary (at least for now).
echo "deb http://log2timeline.net/pub karmic main contrib non-free" >> /etc/apt/sources.list
Since all of the Debian/Ubuntu packages are signed with my PGP key, you will need to add it to your apt keyring, otherwise apt will complain. So that is the next step.
cd /tmp
/usr/bin/wget http://log2timeline.net/gpg.asc
/usr/bin/apt-key add gpg.asc
/bin/rm gpg.asc
Now that my GPG key is installed and the repository has been added to the sources file, the package lists can be updated by issuing:
apt-get update
Since we’ve already installed the tool from source, we need to remove the log2timeline libraries and at the same time remove some of the libraries that were installed using CPAN and will now be installed as Ubuntu packages (otherwise the system will complain, since there will be two instances installed and registered).
rm -rf /usr/local/share/perl/5.10.0/Log2t/
rm -rf /usr/share/perl5/Log2t/
rm /usr/local/bin/log2timeline
rm /usr/local/bin/timescanner
rm /usr/local/bin/update_log2timeline
rm -rf /usr/local/share/perl/5.10.0/XML
rm -f /usr/local/share/perl/5.10.0/Parse/Evtx.pm
rm -rf /usr/local/share/perl/5.10.0/Parse/Evtx
Now we’ve removed all the CPAN-installed libraries that could create conflicts and added the repository to our apt sources. The last step is simply to install the tool:
apt-get install log2timeline-perl
That should be it. To verify once the installation has completed:
log2timeline -V
log2timeline -f list
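As an added example (not the author’s migrate_log2timeline_to_apt.sh script), here are the repository and cleanup steps above written as shell functions that are idempotent and can be dry-run first; ROOT (a prefix for testing against a scratch tree) and DRY_RUN are assumed knobs that are not part of the HOWTO.

```shell
#!/bin/sh
# Added example, not the author's migrate_log2timeline_to_apt.sh: the repository
# and cleanup steps of the HOWTO as idempotent, dry-run-capable functions.
# ROOT (prefix for a scratch tree) and DRY_RUN are assumed knobs for testing.
ROOT="${ROOT:-}"
DRY_RUN="${DRY_RUN:-0}"

REPO_LINE="deb http://log2timeline.net/pub karmic main contrib non-free"

# Append the repository line only if it is not already present, so re-running
# the migration does not leave duplicate entries in sources.list.
add_repo_line() {
    list="$ROOT/etc/apt/sources.list"
    mkdir -p "$(dirname "$list")"
    touch "$list"
    if grep -qxF "$REPO_LINE" "$list"; then
        echo "repository already configured"
        return 0
    fi
    echo "$REPO_LINE" >> "$list"
}

# Paths left behind by the source/CPAN installation (the rm list from the HOWTO).
SOURCE_PATHS="
/usr/local/share/perl/5.10.0/Log2t
/usr/share/perl5/Log2t
/usr/local/bin/log2timeline
/usr/local/bin/timescanner
/usr/local/bin/update_log2timeline
/usr/local/share/perl/5.10.0/XML
/usr/local/share/perl/5.10.0/Parse/Evtx.pm
/usr/local/share/perl/5.10.0/Parse/Evtx
"

# Remove only paths that actually exist and report each one, so the operator
# sees exactly what the migration touched (or would touch, with DRY_RUN=1).
remove_source_install() {
    removed=0
    for p in $SOURCE_PATHS; do
        full="$ROOT$p"
        [ -e "$full" ] || continue
        echo "removing $full"
        [ "$DRY_RUN" = "1" ] || rm -rf "$full"
        removed=$((removed + 1))
    done
    echo "$removed path(s) removed"
}
```

Because gpg.asc is fetched over plain HTTP, compare its fingerprint (gpg --with-fingerprint gpg.asc) against one obtained out of band before running apt-key add.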
Automation
And to make things even easier, I’ve created a simple Bash script to automate this, so the process is even simpler. Just download the script on the SIFT workstation and run it:
wget http://blog.kiddaland.net/dw/migrate_log2timeline_to_apt.sh
chmod 755 migrate_log2timeline_to_apt.sh
sudo ./migrate_log2timeline_to_apt.sh
And everything should be updated and completed.
Update
I updated the path to the script, which was obviously wrong (it gave a 404 error). It should work now.
Kristinn – awesome script. Thanks so much for doing this, it saves a lot of time. One thing that users may need to be aware of re: SIFT workstation. The update and install of log2timeline using this script appears to break Autopsy in SIFT, but the fix isn’t too hard:
- at the command line:
# cd /usr/local/src/autopsy
# ./configure
- overwrite the existing config and accept all default answers
- set the “evidence locker” to “/forensics” (this is the currently set evidence locker in SIFT) ***NOTE – this will overwrite that directory and all its contents. If you have cases from the old install of autopsy in this dir, they will be overwritten.***
- once the configuration script is done, copy the resulting autopsy script file to “/usr/local/bin” like so:
# sudo cp autopsy /usr/local/bin/. (say “y” when it asks if you want to overwrite)
That’s it. Autopsy should work again now.
regards and thanks again for such a great tool!
Tom H
Hi
Thank you for this comment. I hadn’t checked the availability of autopsy after running the script, so I appreciate this comment.