
Posts Tagged ‘update to log2timeline’

Very quick update – new release

October 1st, 2011

I know I haven’t been really active on the blog lately (really not written a thing) but I wanted to talk about the new release of log2timeline. So version 0.61 was released a few days ago. It mostly contains some bug fixes (at least on my behalf). The only real change that I made was to add an input module to read the log2timeline CSV format. I also added a bash_completion script that makes it easier to use the tool in the bash shell.

However, this release does hopefully mark a shift in the development of the tool. This release has seven new input modules, six of which were donated to me. And I’ve got one more module that will be part of the next release. This is at least to me very exciting news, since that means that other people are starting to use the tool and find it to be useful enough to add modules to it, and I hope that this shift in development will continue ;)

I would like to thank an anonymous donor who contributed five input modules and Willi Ballenthin, who contributed another module to the tool, his second one. And thanks also to John Ritchie, who contributed a module that parses the Firefox cache files, although it hasn’t yet been distributed with the tool, since it was sent just slightly too late for me to add it to this release. And I hope that people will continue to contribute modules to the tool.

I know that documentation has been lacking for potential developers. I hope that I will find the time soon to create such documentation, making it easier for people to contribute modules. In the meantime, I suggest looking at previously developed modules and downloading the source code and looking inside the “dev/” directory. There you can find templates for new modules which can assist in their creation. However, better documentation is hopefully on its way ;)

log2timeline updated

March 6th, 2010

I’ve just released a new version of log2timeline, version 0.42. The new version includes two new input modules, one for extracting timestamps from PDF metadata and another one from McAfee anti-virus log files. The new version also includes several bug fixes; the full changelog can be read here. The development focus will be to move the tool to version 0.50, which will introduce a new design of how timestamps and related information are handled within the framework, including a shift to TLN as the standard output format; more details can be found inside the roadmap.

log2timeline will also be included in the upcoming 2.0 release of the SIFT (SANS Investigative Forensic Toolkit) workstation, which will be available soon (and yes it is based on Ubuntu now). That way people can enjoy the tool without needing to go through the installation process with all the needed dependencies.

The agenda for the upcoming SANS EU forensics summit is up. I encourage everyone that has the chance to attend this summit; there are some great talks and of course a great chance to meet some of the top experts in computer forensics in Europe. And of course a chance to meet with me and get me to implement some feature in log2timeline that you always wished was there, but for some odd reason you didn’t send me an e-mail to request it.
