Posts Tagged ‘summit’

Quick update

May 5th, 2011

It’s been a while since my last post, and several things have happened since then, for instance the release of version 0.52 of log2timeline. I will publish another blog post detailing the differences between version 0.51 and 0.52, such as the use of l2t_process, a new tool released alongside log2timeline.

I will also be talking at the upcoming SANS Forensics and Incident Response Summit in Austin, Texas. I’m going to be discussing the release of version 0.60 of log2timeline (stay tuned), which I’m working hard at getting ready (the reason for the few blog posts lately). There will be a lot of great talks at the summit, so I urge you to check it out…

And the nominees for the Forensic4Cast awards have been posted, and for some obscure reason someone decided to nominate log2timeline as the best computer forensics software. I’m honored that the tool got nominated, something that was really a surprise to me, and given the competition (FTK and Encase) the tool is really up against giants in the field.

SANS summit and gold paper

August 27th, 2010

Well, it’s been quite a while since my last post; summer vacation coupled with paternity leave gave me a pleasant absence from the computer screen. But I’m back now, and surprisingly my gold paper has finally been published. The title of the paper is “Mastering the Super Timeline With log2timeline”, and for those who read the title carefully, it describes my little pet project of log2timeline and timeline analysis in general.

And I’m about to give a talk at the SANS EU Forensics summit taking place in London on the 8th and 9th of September. Well, unless some unnamed volcanoes here in Iceland start to protest again… it will take place then.

log2timeline updated

March 6th, 2010

I’ve just released a new version of log2timeline, version 0.42. The new version includes two new input modules, one for extracting timestamps from PDF metadata and another one from McAfee anti-virus log files. The new version also includes several bug fixes; the full changelog can be read here. The development focus will be to move the tool to version 0.50, which will introduce a new design of how timestamps and related information are handled within the framework, including a shift to TLN as the standard output format. More details can be found inside the roadmap.

log2timeline will also be included in the upcoming 2.0 release of the SIFT (SANS Investigative Forensic Toolkit) workstation, which will be available soon (and yes it is based on Ubuntu now). That way people can enjoy the tool without needing to go through the installation process with all the needed dependencies.

The agenda for the upcoming SANS EU forensics summit is up. I encourage everyone that has the chance to attend this summit; there are some great talks and of course a great chance to meet some of the top experts in computer forensics in Europe. And of course a chance to meet with me and get me to implement some feature in log2timeline that you always wished was there, but for some odd reason you didn’t send me an e-mail to request it.

SANS EU Forensics Summit

January 26th, 2010

I just wanted to write a short post about the upcoming SANS European Digital Forensics and Incident Response Summit that will take place in London on the 19th and 20th of April. I encourage everyone that has the chance to attend, since there are some very interesting talks, such as Jesse Kornblum’s talk about fuzzy hashing, Keith Foggon’s discussion about trends and techniques and Lee Whitfield’s Windows Shadow Volumes presentation.

I will also be there, talking about log2timeline.  The title of my talk is Mastering the Super Timeline – log2timeline style.  After the talk I will participate in a tool talk panel, so there is your chance to pound me with some difficult questions…

The abstract of my talk is:

Traditional timeline analysis can be extremely useful, yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts). By depending solely on a traditional filesystem timeline, the investigator misses context that is necessary to get a complete and accurate description of the events that took place. To achieve this goal of enlightenment we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis and create some sort of super timeline. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy. This talk will focus on the tool log2timeline, which is a framework built to parse different log files and artifacts to produce a super timeline in an easy, automatic fashion, designed to assist investigators in their timeline analysis.
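To make the abstract's point concrete, here is a small added example (my own illustration, not log2timeline's code) that merges a filesystem timeline with parsed syslog lines into one sorted super timeline in the TLN format (time|source|host|user|description) mentioned in the 0.50 roadmap. The hostname, the sample paths and the log lines are constructed, and the syslog year and UTC clock are assumptions, since classic syslog timestamps carry neither.

```python
# Added example (not log2timeline's own code): merge a filesystem timeline with
# parsed log entries into one sorted "super timeline" in TLN format
# (time|source|host|user|description). All sample data below is constructed.
from datetime import datetime, timezone

HOST = "host01"  # assumed hostname for the filesystem entries

# Constructed filesystem timeline: (mtime as Unix epoch, path).
FS_ENTRIES = [
    (1262304120, "/home/alice/.bash_history"),
    (1262304060, "/tmp/payload.tar.gz"),
]

# Constructed classic syslog lines; the format carries no year and no
# timezone, so 2010 and UTC are assumed here.
SYSLOG_LINES = [
    "Jan  1 00:00:30 host01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51122 ssh2",
    "Jan  1 00:01:30 host01 sudo:    alice : TTY=pts/0 ; COMMAND=/bin/tar xzf /tmp/payload.tar.gz",
]

def tln(epoch, source, host, user, desc):
    """Format one TLN row; a '|' inside the description would break the format."""
    return f"{epoch}|{source}|{host}|{user}|{desc.replace('|', '/')}"

def fs_to_tln(entries, host):
    """Traditional filesystem timeline: one row per modification time."""
    return [tln(mtime, "FILE", host, "", f"M... {path}") for mtime, path in entries]

def syslog_to_tln(lines, year):
    """Parse 'Mon DD HH:MM:SS host prog[pid]: msg' lines into TLN rows."""
    rows = []
    for line in lines:
        stamp, (host, rest) = line[:15], line[16:].split(" ", 1)
        epoch = int(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
                    .replace(tzinfo=timezone.utc).timestamp())
        rows.append(tln(epoch, "SYSLOG", host, "", rest))
    return rows

def build_super_timeline(fs_entries=FS_ENTRIES, log_lines=SYSLOG_LINES, year=2010):
    """Merge both sources and sort by time: the log events now sit between the
    filesystem events, which is the context a filesystem-only timeline lacks."""
    rows = fs_to_tln(fs_entries, HOST) + syslog_to_tln(log_lines, year)
    return sorted(rows, key=lambda r: int(r.split("|", 1)[0]))

if __name__ == "__main__":
    print("\n".join(build_super_timeline()))
```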

So the talk will contain some of the work in my upcoming Gold paper, titled “Mastering the Super Timeline With log2timeline” (did someone notice the similarities between the titles).  The paper should be published soon, at least before the summit.
