log2timeline v0.63 Released
log2timeline is a framework for artifact timeline creation and analysis. Its main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline for forensic investigators, using tools such as mactime from TSK.
- Mostly bug fixes, plus one new output module (serialize), which is a first attempt at a serialized output module; see the changelog below for full details.
- ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
- Several modules have also had their documentation updated and their code reworked to reflect the recently released style guide for the project. perltidy is not enough to enforce the guide, but it is at least a start. Rewriting the documentation (POD) is also a vital part of making the modules easier to use, understand and develop.
- All libraries within the tool and the main API have been rewritten with this in mind, making the 'man' documentation considerably more useful than it was.
- [SERIALIZE output] JSON::XS is used to serialize the timestamp output. This is a very simple output module that simply stores the timestamp object without really doing anything to it; use it for easy sorting in later stages.
- This makes it possible to output using this method and then sort more simply, since the sorting stage does not have to read in the CSV and turn it into something like a hash: the data is already stored as such.
- This might become the default output of the tool, with l2t_process then run on that output to turn it into CSV, instead of using CSV as the default and trying to filter that output.
- This also makes it easier to filter on certain attributes, instead of at the line level.
- [WIN7 list] Fixed a small bug in the Win7 list file (and win7_noreg): the evt module was loaded instead of the evtx one.
- [FIREFOX3 input] Added a check to see if the SQLite database has a -wal or -shm file (in addition to -journal). If it does, the same procedure is followed as for a -journal: the database is copied to a temp location before it is opened read-only. This was pointed out to me by Svante.
- [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail
option/parameter is used.
- [MFT input] Inside the verification routine a check was made to see if the magic value is FILE0; it should only check for FILE. Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
- [SAM input] Changed the handling of SAM database data; the SAM database file was not parsed properly in certain cases due to the keys being prefilled with the CMI-CREATE....
- [NTUSER input] Changed a value check in the UserAssist key parsing that caused UserAssist keys not to be parsed properly.
- [WIN_LINK input] The values for mtime and atime were swapped (the correct order is CAM, not CMA as it was).
- [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
- [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
- [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
- [win_sysinfo PreProc] Updated the pre-processing library so that it checks whether a known transform of the Windows named timezone is available and, if it is, compares it to the chosen timezone (and changes it if they differ).
- [LOG2TIMELINE] Fixed a small bug in the log2timeline library that caused an input module list containing more than one '-' sign not to be verified properly.
- [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not
yet complete, style guide.
- [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
- Also changed the 50 retry attempts to 15 (in case of an error reading an entry), and the error message is now only output if debug is turned on.
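The -wal/-shm check in the FIREFOX3 item above, as an added Python illustration (not log2timeline's own Perl code): it builds a constructed WAL-mode database whose committed rows have not yet been checkpointed into the main file, copies it to a temp location once without and once with its sidecar files, and shows that only the copy taken with the sidecars sees those rows. The file name places.sqlite and the table visits are constructed.

```python
import os
import shutil
import sqlite3
import tempfile

# Sidecars SQLite may keep beside a database. Each can hold committed pages the
# main file does not yet contain, so copying only the .sqlite file drops history.
SIDECAR_SUFFIXES = ("-journal", "-wal", "-shm")

def copy_db(db_path, dest_dir, include_sidecars=True):
    """Copy the database (and optionally its sidecars) into dest_dir, keeping the
    basenames so SQLite finds the journal/WAL when the copy is opened."""
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(db_path))
    shutil.copy2(db_path, dest)
    if include_sidecars:
        for suffix in SIDECAR_SUFFIXES:
            if os.path.exists(db_path + suffix):
                shutil.copy2(db_path + suffix, dest + suffix)
    return dest

def count_visits(db_path):
    """Rows visible in the constructed 'visits' table of the copy."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM visits").fetchone()[0]
    finally:
        con.close()

def demo(n_rows=5):
    """Constructed sample: a WAL-mode database whose rows sit only in the -wal
    file (no checkpoint yet), acquired without and then with its sidecars.
    Returns (rows seen without sidecars, rows seen with sidecars)."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "places.sqlite")
        writer = sqlite3.connect(src)  # kept open: closing would checkpoint the WAL
        writer.execute("CREATE TABLE visits(url TEXT)")  # schema lands in the main file
        writer.execute("PRAGMA journal_mode=WAL")
        writer.execute("PRAGMA wal_autocheckpoint=0")
        writer.executemany("INSERT INTO visits VALUES (?)",
                           [("http://example.test/%d" % i,) for i in range(n_rows)])
        writer.commit()  # rows are now committed, but only into places.sqlite-wal
        bare = count_visits(copy_db(src, os.path.join(work, "bare"), False))
        full = count_visits(copy_db(src, os.path.join(work, "full")))
        writer.close()
        return bare, full
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

The same applies when the original has only a -journal: a copy that leaves it behind loses the rollback state SQLite needs to present the database as it was at acquisition time.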