Well… I was supposed to give a talk at the SANS EU forensics summit about log2timeline but due to our lovely volcano in Eyjafjallajökull (which some people might have heard mentioned lately, although few can really pronounce it correctly) there were no flights to the UK… meaning that although the airport here in Iceland was opened (ironically) I and others couldn’t get to the summit… so it was decided to postpone it until next September.
But anyway, since the EU summit was postponed I wanted to release my slides so that at least people could see what I was supposed to talk about… and during the presentation I was about to announce the release of the new version, version 0.50 of log2timeline. But since the summit was postponed I decided to withhold the new release until I’ve completed a few more tweaks and features. So I’m still planning to release the new version ASAP, and when I do I will publish the slides as well.
I just wanted to write a short post about the upcoming SANS European Digital Forensics and Incident Response Summit that will take place in London on the 19th and 20th of April. I encourage everyone that has the chance to attend since there are some very interesting talks, such as: Jesse Kornblum’s talk about fuzzy hashing, Keith Foggon’s discussion of trends and techniques and Lee Whitfield’s Windows Shadow Volumes presentation.
I will also be there, talking about log2timeline. The title of my talk is Mastering the Super Timeline – log2timeline style. After the talk I will participate in a tool talk panel, so there is your chance to pound me with some difficult questions…
The abstract of my talk is:
Traditional timeline analysis can be extremely useful, yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts). By depending solely on a traditional filesystem timeline the investigator misses context that is necessary to get a complete and accurate description of the events that took place. To achieve this goal of enlightenment we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis and create some sort of super timeline. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy. This talk will focus on the tool log2timeline, which is a framework built to parse different log files and artifacts to produce a super timeline in an easy, automatic fashion, designed to assist investigators in their timeline analysis.
So the talk will contain some of the work in my upcoming Gold paper, titled “Mastering the Super Timeline With log2timeline” (did anyone notice the similarity between the titles?). The paper should be published soon, at least before the summit.