SecureArtisan

My Road to Digital Forensics Excellence

Log2Timeline-DataGather

Posted by Paul Bobby on March 22, 2010

I have completed my Enscript for identifying and bookmarking data sources that can be parsed with Log2Timeline. The Enscript can be downloaded here.

Some limitations:

  1. No EXIF file gathering. The Exiftool can process a large number of files, and even when limiting the collection to JPG, the enscript method of identifying and verifying the presence of EXIF data is time consuming. The recommendation is to run EXIF Parser under Case Processor, and use the bookmarks generated to supplement your data collection.
  2. IIS W3C log files are not searched for
  3. Opera history files are not searched for
  4. ISA text export files are not searched for
  5. PCAP files are not searched for
  6. The XP Firewall log is not searched for.

The enscript, as always, is available as an enscript and not Enpacked, so feel free to modify if you need to add the above formats.

Once the potential data sources are identified and bookmarked, the analyst should manually review each item prior to export. Selecting the bookmark and using Tag Selected Items will ensure the files are tagged under the Entries view. From that point you can Copy/Unerase, Copy Folders, or even create a Logical Evidence File. The easiest method is to use Copy/Unerase and then point Timescanner at that folder.

About these ads

2 Responses to “Log2Timeline-DataGather”

  1. Brian said

    Paul, I am interested in using this script. What is the exact procedure to use it? Am I blue checking the files I want examined by the script or are there predetermined files in the script that it will look at? Also how do you tell the script what time frame you are interested in or does it grab everything?

  2. Paul Bobby said

    The script grabs everything and bookmarks them. Then you manually review the bookmarks to pick which files you really are interested in exporting to LEF. For example, Log2Timeline can parse UserAssist information from an NTUser.dat file. So this script bookmarks all NTUSER.DAT files, including those from the restore points. But you may only be interested in NTUSER.DAT for a particular user, so you’ll manually select them from bookmarks for the corresponding SID.
    I could definitely put more logic up front, but I took the easy way out :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: