Finally a new version of log2timeline
I’ve been working on a new version of log2timeline for a while now, and I have finally managed to complete some testing on the new code. There are some significant changes to the way log2timeline works in the new version, 0.40. Some of them are:
- All timestamps are now normalized to UTC.
- The GUI, glog2timeline, has been updated so that it is feature-compatible with the log2timeline CLI front-end.
- timescanner has been further developed so that it can now parse all the artifacts that log2timeline is capable of parsing.
A full list of the changes can be seen in the changelog.
The timestamps are now normalized because some artifacts store their timestamps in UTC while others store them in local time, according to the operating system’s timezone setting. This is not much of a problem when the log2timeline CLI is used on its own, since it takes one file at a time and produces one body file; the investigator only had to know whether that particular file stored its timestamps in the local timezone or in UTC.
The real problem arises with timescanner. timescanner recursively searches a directory for every artifact it can parse, so it parses artifacts whose timestamps are in UTC alongside artifacts whose timestamps are in the native timezone setting, and writes all of them into the same body file. Events from the two kinds of artifact then end up shifted relative to each other by the machine’s UTC offset, which changes their apparent order and causes problems during analysis. For this reason all timestamps are now normalized so that the output is in UTC. This means, however, that the investigator now needs to provide the timezone setting of the suspect machine to timescanner/glog2timeline/log2timeline, and also to mactime (if that tool is used to convert the body file into a working timeline).
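The following Python script is an added example, not log2timeline’s own code, that shows the problem described above and the normalization that fixes it. It assumes two simplified, constructed artifact records (one that already stores UTC epoch seconds, one that stores a naive local wall-clock string), and it assumes the TSK 3.x mactime body-file layout `MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime` for the output lines; the function names and the record format are this example’s own, not log2timeline’s.

```python
"""Normalise timestamps from mixed UTC and local-time artifacts into one
UTC body file, the way log2timeline 0.40 / timescanner now does.

Added example, not log2timeline's own code. Assumptions (not from the page):
- body-file lines use the TSK 3.x mactime layout
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
- artifact records are the simplified dicts constructed below.
"""
import re
from datetime import datetime, timedelta, timezone, tzinfo


def resolve_tz(spec: str) -> tzinfo:
    """Turn the suspect machine's timezone setting into a tzinfo.

    Accepts 'UTC', a fixed offset such as '+0200' / '-04:00', or an IANA
    name such as 'Europe/London' (DST-aware, needs system zoneinfo data).
    """
    if spec.upper() == "UTC":
        return timezone.utc
    m = re.fullmatch(r"([+-])(\d{2}):?(\d{2})", spec)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    from zoneinfo import ZoneInfo  # Python 3.9+
    return ZoneInfo(spec)


def local_to_utc_epoch(naive: str, suspect_tz: str) -> int:
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' artifact timestamp in the
    suspect machine's zone and return the UTC epoch second."""
    dt = datetime.strptime(naive, "%Y-%m-%d %H:%M:%S").replace(tzinfo=resolve_tz(suspect_tz))
    return int(dt.astimezone(timezone.utc).timestamp())


def utc_skew_seconds(naive: str, suspect_tz: str) -> int:
    """How far an event moves if a local-time artifact is wrongly read as UTC."""
    return local_to_utc_epoch(naive, suspect_tz) - local_to_utc_epoch(naive, "UTC")


def body_line(name: str, mtime: int, atime: int = 0, ctime: int = 0, crtime: int = 0) -> str:
    """One TSK 3.x body-file record. mactime treats the epoch fields as UTC
    and applies its own timezone setting when rendering, so every value
    written here must already be UTC."""
    return "|".join(["0", name, "0", "0", "0", "0", "0",
                     str(atime), str(mtime), str(ctime), str(crtime)])


# Constructed sample artifacts (not real evidence). 'utc' records already
# carry UTC epoch seconds; 'local' records carry naive wall-clock strings.
# The log line was written 60 s AFTER the registry key, at 18:32:10 UTC.
SAMPLE_RECORDS = [
    {"source": "registry key last-written (stored as UTC)", "kind": "utc",
     "time": 1254767470},                      # 2009-10-05 18:31:10 UTC
    {"source": "text log line (stored in local wall-clock time)", "kind": "local",
     "time": "2009-10-05 14:32:10"},           # local, machine at UTC-4
]


def normalise(records, suspect_tz: str):
    """Return (epoch, source, body_line) triples with every epoch in UTC."""
    out = []
    for r in records:
        if r["kind"] == "utc":
            epoch = int(r["time"])
        elif r["kind"] == "local":
            epoch = local_to_utc_epoch(r["time"], suspect_tz)
        else:
            raise ValueError(f"unknown timestamp kind {r['kind']!r}")
        out.append((epoch, r["source"], body_line(r["source"], mtime=epoch)))
    return out


def order_of_events(records, suspect_tz: str):
    """Event sources in timeline order, given the assumed suspect timezone."""
    return [src for _, src, _ in sorted(normalise(records, suspect_tz))]


if __name__ == "__main__":
    print("correct order (machine at -0400):", order_of_events(SAMPLE_RECORDS, "-0400"))
    print("order if local time is taken as UTC:", order_of_events(SAMPLE_RECORDS, "UTC"))
    print("skew when local time is taken as UTC:", utc_skew_seconds("2009-10-05 14:32:10", "-0400"), "s")
    for _, _, line in normalise(SAMPLE_RECORDS, "-0400"):
        print(line)
```

Run it to see the log line sort four hours before the registry key when its local time is taken as UTC, and after it once the suspect machine’s offset is applied; the body lines it prints are what you would then feed to mactime together with the same timezone (its -z option), since mactime also shifts the UTC epoch values for display.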
The new version of the tool has only been tested on a few test cases, so if you find any bugs in it or have any comments, don’t hesitate to contact me.
kristinn