Comments for IR and forensic talk

Comment on log2timeline Version 0.50 Released by Digital Forensics Case Leads: Ann’s Aurora Edition | Portable Digital Video Recorder

Thu, 15 Jul 2010 14:48:53 +0000

[...] Gudjonsson released log2timeline v0.50 on June 30. This release contains a number of improvements. One of the most exciting is the [...]

Comment on log2timeline Version 0.50 Released by Tweets that mention IR and forensic talk » log2timeline Version 0.50 Released -- Topsy.com

Thu, 01 Jul 2010 18:42:57 +0000

[...] This post was mentioned on Twitter by douglas brush, Masafumi Negishi. Masafumi Negishi said: RT log2timeline Version 0.50 Released – http://j.mp/ckVXMx [...]

Comment on Firefox 3 History – revisited by Dyllan

Dyllan — Tue, 08 Jun 2010 10:21:43 +0000

Excellent script, well done & thanks.

Comment on Timeline Analysis 101 by Howard Patterson

Howard Patterson — Wed, 02 Jun 2010 01:54:57 +0000

Thanks for this great intro and commentary on the timeline. I have been using the new SIFT tool, and this helps me figure out the results I’m getting. I have used it on a WinXP and Vista system (both 32-bit).

Comment on Windows Prefetch Directory by kiddi

kiddi — Mon, 26 Apr 2010 12:26:37 +0000

I sent you an e-mail, this should be an easy fix, just need a bit more info.

Comment on Windows Prefetch Directory by John

John — Wed, 21 Apr 2010 22:36:36 +0000

Thanks for the great script. I’m having trouble with the html output though… if I use the -h flag, I get an error:

$ ./read_prefetch.pl -h /tmp/report.html /mnt/analysis/WINDOWS/Prefetch/
Option h is ambiguous (help, html)

When I specify ‘-html’, the script completes dumping to stdout but not creating the html report. Any suggestions? I using Ubuntu 9.10.

Comment on Timeline analysis, links and discussion by John McCash

John McCash — Tue, 13 Apr 2010 17:28:15 +0000

Hey Paul – Did you ever get log2timeline working under Windows? I saw your tweet that you were giving up on Cygwin and trying Active Perl, but when I did that I made even less headway than under Cygwin. The only parts that won’t compile under Cygwin are the GUI and PCAP modules. If there were some way to bypass those, frankly, I couldn’t care less that they weren’t there.
Thoughts?
John

Comment on log2timeline updated by kiddi

kiddi — Fri, 12 Mar 2010 18:40:05 +0000

Hi,
thank you for this comment, I’ve added it in my code already. The log files that I had in my hands had the 03 notion for month that was earlier than October, so obviously they can “swing” both ways

Comment on log2timeline updated by Paul Bobby

Paul Bobby — Fri, 12 Mar 2010 15:52:53 +0000

I changed line 697 to

if( $words[0] =~ m/d{1,2}/d{1,2}/d{4}/ )

the month field can be 1 or 2 characters also

Comment on log2timeline updated by Paul Bobby

Paul Bobby — Thu, 11 Mar 2010 20:07:27 +0000

When running log2timeline with the mcafee option I get the following:

pbobby@ubuntu:~/Documents/log2timeline$ log2timeline -z US/Eastern -f mcafee ./fred/AccessProtectionLog.txt
Start processing file/dir [./fred/AccessProtectionLog.txt] …
Loading output file: mactime
Starting to parse file using format: [mcafee]
This is a plugin of unkown origin. It parses a log file and contains no requirements or
any other relevant options or possibilites, use with care…
————————

File ./fred/AccessProtectionLog.txt is not of the right format.
Error given from format file: The date field is not correctly formed(10/4/2009)

————————

Usage:
log2timeline [OPTIONS] -f FORMAT LOG_FILE/LOG_DIR [--] [FORMAT FILE
OPTIONS]

pbobby@ubuntu:~/Documents/log2timeline$