Posts Tagged ‘Forensics’

log2timeline Version 0.50 Released

June 30th, 2010 kiddi

Well, I’ve finally decided to release version 0.50 of log2timeline.  A lot of things have changed since version 0.43, although only one new input module has been introduced to the tool; we will get to that later.  I just wanted to go over some of the changes made to the tool.

First of all, the verification phase has been slightly changed in all input modules to make it a bit more optimized, which makes timescanner run considerably faster on a mounted image.  Secondly, and perhaps the biggest structural change, is the modification of the timestamp object, as it is called within the framework.  The timestamp object is basically a Perl hash that contains information about the parsed line or timestamp within a file being parsed by the tool.  The timestamp object is created by the input module and then used by the output module to create the appropriate output.  The old structure of the timestamp object was too dependent on the mactime output, making it difficult to create new output modules without repeating some information.  So the timestamp object was completely changed, making it independent of any particular output method; the output modules now need to process the data a bit more, but in return the output is a lot more intuitive.

Another very important change is the first code contributions to the tool: for the very first time someone else has actually contributed code to it (something I’m hoping is a new trend, not a once-in-the-lifetime-of-the-tool event).  One new input module, for parsing the output of both the psscan and psscan2 modules in Volatility, was added by Julien Touche, and the new timescanner_threaded application was contributed by Ben Schmitt.  One of the goals for version 0.50 was to modify timescanner so it would be a threaded application, making it considerably quicker than the older single-threaded one.  With version 0.50 the very first threaded version is released as a proof of concept, and it is not recommended for real use, since it really isn’t any faster than the single-threaded one and sometimes it skips printing some of the timestamps.  So do not use it for anything other than testing it, and report bugs.  I’m hoping that in the next version we will have this fixed; perhaps it needs to be completely rewritten to work properly, perhaps there are just a few bugs that we need to sort out.

Another change that has to be mentioned is the ability of timescanner to choose which modules to use.  The older versions had the mentality of either using every input module (timescanner) or just a single one (log2timeline).  Version 0.50 introduces the possibility to manually select which modules are loaded by timescanner and used for the recursive scan.  The -f option of timescanner is the key here in choosing the appropriate modules.  The option can be used in the following ways:

  • -f module1,module2,module3
    The first form simply lists all the modules that you want to use, comma separated.
  • -f=-module1,module2,module3
    The second form uses a minus (-) sign to indicate which modules you want to skip.  Note that when you use the - sign you have to attach the value with an equal sign (-f=-module1).  This tells timescanner to load all available input modules EXCEPT the ones listed.
  • -f list
    The third form uses one of the pre-defined lists of modules.  These pre-defined lists are simply text files that contain the names of the modules to use.  The lists currently included with the tool are:
    web
      chrome, firefox3, firefox2, ff_bookmark, opera, iehistory, iis
    winvista
      chrome, evt, exif, ff_bookmark, firefox3, iehistory, iis, mcafee, opera, oxml,
      pdf, prefetch, recycler, restore, sol, userassist, win_link, xpfirewall
    winxp
      chrome, evt, exif, ff_bookmark, firefox3, iehistory, iis, mcafee, opera, oxml,
      pdf, prefetch, recycler, restore, setupapi, sol, userassist, win_link, xpfirewall
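As an added example (my own illustration, not log2timeline’s code), here is a small POSIX shell implementation of the three -f resolution rules just described, assuming the pre-defined lists live as one text file per list in a directory and using the module names and the web list from this post:

```shell
# Added example, not log2timeline's own code: resolve a timescanner -f value
# into the input modules to load, following the three forms described above.
# Module names come from the post; the list-file directory is an assumption.
AVAILABLE="chrome evt exif ff_bookmark firefox2 firefox3 iehistory iis mcafee \
opera oxml pdf prefetch recycler restore setupapi sol userassist win_link xpfirewall"
# Pre-defined lists are plain text files named after the list; the "web" list
# is constructed here with the contents given in the post so this runs offline.
LISTDIR="${TMPDIR:-/tmp}/l2t_lists.$$"
mkdir -p "$LISTDIR"
echo 'chrome, firefox3, firefox2, ff_bookmark, opera, iehistory, iis,' > "$LISTDIR/web"

# Comma-separated string (spaces and trailing comma allowed) -> one name per line.
split_modules() {
    printf '%s' "$1" | tr ',' '\n' | tr -d ' \t' | grep -v '^$' || true
}

# resolve_modules VALUE: print the modules timescanner would load, one per line.
#   module1,module2   -> exactly those modules
#   -module1,module2  -> every available module except those (on the command
#                        line this is written -f=-module1,...; the '=' stops the
#                        option parser from reading the '-' as a new switch)
#   web | winxp | ... -> the contents of the list file of that name
resolve_modules() {
    value=$1
    {
        case $value in
            -*) skip=$(split_modules "${value#-}")
                for m in $AVAILABLE; do
                    echo "$skip" | grep -qxF "$m" || echo "$m"
                done ;;
            *)  if [ -f "$LISTDIR/$value" ]; then
                    split_modules "$(cat "$LISTDIR/$value")"
                else
                    split_modules "$value"
                fi ;;
        esac
    } | sort
}

# check_modules VALUE: exit status 1 and a message for every requested module
# that does not exist, so a typo is caught rather than silently scanning nothing.
check_modules() {
    rc=0
    for m in $(resolve_modules "$1"); do
        echo "$AVAILABLE" | tr ' ' '\n' | grep -qxF "$m" \
            || { echo "unknown module: $m" >&2; rc=1; }
    done
    return $rc
}
```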

There are several other changes that have been made, so read the full changelog to see a list of all of them.  Two new output modules have been added to the tool: TLNX, which is simply TLN output in a simple XML format, and BeeDocs, named after a timeline visualization tool that runs on Mac OS X.  The BeeDocs output module saves a tab-delimited text file that can be imported directly into that tool.

I was also supposed to give a talk about log2timeline at the SANS EU forensic summit, but it got canceled because of our lovely volcano here in Iceland.  I promised to release my presentation as soon as I released the new version, so here it is.  The presentation contains, among other things, screenshots of the BeeDocs output module as well as a better description of the timestamp object and the inner structure of log2timeline.

Forensic4cast Awards

June 16th, 2010 kiddi

Much to my surprise I got a nomination for this year’s Forensic4cast awards for “Outstanding Contribution to Digital Forensics – Individual”.  I will be joining a group of really talented experts, like Rob Lee, Matt Shannon and Lee Whitfield, who all deserve this so much more than me (at least in my humble opinion).  But I encourage everyone to vote, since I believe this is a brilliant idea from Lee and Simon.

The awards will be presented at the SANS Forensics summit in Washington, which I would love to be able to attend, but unfortunately I won’t make it, at least not to this year’s event.


SANS EU forensics summit and log2timeline

April 26th, 2010 kiddi

Well… I was supposed to give a talk at the SANS EU forensics summit about log2timeline, but due to our lovely volcano at Eyjafjallajökull (which some people might have heard mentioned lately, although few can really pronounce it correctly) there were no flights to the UK… meaning that although the airport here in Iceland was (ironically) open, I and others couldn’t get to the summit… so it was decided to postpone it until next September.

But anyway, since the EU summit was postponed I wanted to release my slides so that at least people could see what I was supposed to talk about… During the presentation I was going to announce the release of the new version, version 0.50 of log2timeline.  But since the summit was postponed I decided to withhold the new release until I’ve completed a few more tweaks and features.  So I’m still planning to release the new version ASAP, and when I do I will publish the slides as well.
