SecureArtisan

My Road to Digital Forensics Excellence

Log2timeline

Posted by Paul Bobby on March 19, 2010

Kristinn has developed a great tool, and it has been discussed in many places. Timeline analysis is becoming the phrase of the year along with APT, and while timeline analysis is commonplace in my caseload, I decided to give this tool a run – mainly because it has an output mechanism to feed the SIMILE timeline widget 🙂

I had to fix a couple of code issues – one with the input mechanism for reading TLN formatted data, and one with the new mcafee.pm file to read McAfee logs. My next goal is to get it to work under Cygwin since for right now I can only get it working under Ubuntu running in a virtual machine.

Encase has the ability to mount evidence using a VFS or PDE mechanism (network share versus emulated disk drive). There are pros and cons in both methods, VFS lets me get to the System Restore points, PDE lets me traverse the tree structure properly when sharing this PDE mounted evidence through SharedFolders in VMWare.

The problem with VFS is that I can’t traverse the tree properly when sharing this mounted file system through VMWare. The problem with PDE is that the System Restore point area is not visible to VMWare.

The issue is still present when mounting using Mount Image Pro.

And I can only get this far if I run VMWare as an administrator. I’m running Vista 64bit, perhaps this issue will go away if I use Windows XP as the host OS. Anyway, that’s too much to change.

So for right now my solution is to identify Log2timeline input files in Encase. Enscript to the rescue. My next post will include this detail. The idea is to traverse the evidence tree and bookmark all files that can be processed by Log2timeline. The investigator then reviews these bookmarks, tags files, and considers exporting to LEF, Copy/Unerasing or Copy Folders as an option to extract data.

Advertisements

3 Responses to “Log2timeline”

  1. […] Paul Bobby actually pointed some bugs to me as well as posting two posts on his blog, one being a discussion of  the issues of mounting the image file using Encase and accessing log2timeline from a virtual […]

  2. Paul,
    I’ve been emailing back and forth with Kristinn regarding use of log2timeline under cygwin. Everything compiles and installs fine except for Gtk2 and pcap, so if you remove the lib/log2t/input/pcap.pm file from your log2timeline installation, and restrict yourself to the command line interface, everything works great. How often do you need to timeline packet dumps in most cases anyway? You can also access the restore point folders just fine if you’re mounting the disk via the EnCase PDE.
    John

  3. Paul Bobby said

    Hmm I’ll have to try accessing System Restore on an XP box – under Vista, even when executed as administrator, I couldn’t navigate to the restore point folder.

    Thanks for the tip on the pcap.pm stuff – I’ll try that now.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: