Posted by Paul Bobby on March 22, 2010
I have completed my EnScript for identifying and bookmarking data sources that can be parsed with Log2Timeline. The EnScript can be downloaded here. The current version has the following limitations:
- No EXIF file gathering. ExifTool can process a large number of files, and even when limiting the collection to JPG, the EnScript method of identifying and verifying the presence of EXIF data is time consuming. The recommendation is to run the EXIF Parser under Case Processor and use the bookmarks it generates to supplement your data collection.
- IIS W3C log files are not searched for.
- Opera history files are not searched for.
- ISA text export files are not searched for.
- PCAP files are not searched for.
- The XP Firewall log is not searched for.
The EnScript, as always, is available as an EnScript and not EnPacked, so feel free to modify it if you need to add the above formats.
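For anyone who exports the candidate files first and wants a quick second pass for the formats the EnScript does not look for, the following is an added example (my own illustration, not the EnScript or any Log2Timeline code) that classifies files by content signature rather than by name or extension. It covers four of the formats listed above: PCAP captures (libpcap magic number), IIS W3C logs (`#Software: Microsoft Internet Information Services` header plus a `#Fields:` line), the XP firewall log (`#Software: Microsoft Windows Firewall` header) and JPEGs that actually carry an APP1 Exif segment. Opera history and ISA text exports are left out because they have no reliable leading signature I would vouch for. The sample files inside `SAMPLES` are constructed for the demonstration; the function and constant names are my own.

```python
"""Signature-based triage of an exported folder for Log2Timeline input formats.

Added illustration, not the EnScript from the post. Signatures are the
well-known leading bytes/header lines of each format; samples are constructed.
"""
import struct
import tempfile
from pathlib import Path
from typing import Dict, Optional

# libpcap magic in both byte orders, plus the nanosecond-resolution variants.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",
}


def has_exif_app1(data: bytes) -> bool:
    """Walk the JPEG marker segments after SOI and report an APP1 Exif segment."""
    pos = 2  # skip the FF D8 start-of-image marker
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: header segments are over
            return False
        # Segment length is big-endian and includes its own two length bytes.
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return True
        pos += 2 + length
    return False


def classify(data: bytes) -> Optional[str]:
    """Return a label for the leading bytes of a file, or None if unrecognised."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if data[:2] == b"\xff\xd8":
        return "exif_jpeg" if has_exif_app1(data) else None
    head = data[:512].decode("ascii", errors="replace")
    if head.startswith("#Software: Microsoft Internet Information Services") and "#Fields:" in head:
        return "iis_w3c"
    if "#Software: Microsoft Windows Firewall" in head:
        return "xp_firewall"
    return None


def scan_folder(root: str) -> Dict[str, str]:
    """Classify every regular file under root using only its first 64 KiB."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                label = classify(fh.read(64 * 1024))
            if label:
                found[str(path.relative_to(root))] = label
    return found


# Constructed sample files: minimal but structurally valid heads of each format.
_EXIF_PAYLOAD = b"Exif\x00\x00MM\x00\x2a"
_JFIF_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLES = {
    "capture.pcap": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16,
    "photo_with_exif.jpg": b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + len(_EXIF_PAYLOAD))
        + _EXIF_PAYLOAD + b"\xff\xd9",
    "photo_no_exif.jpg": b"\xff\xd8\xff\xe0" + struct.pack(">H", 2 + len(_JFIF_PAYLOAD))
        + _JFIF_PAYLOAD + b"\xff\xda\x00\x0c",
    "ex100322.log": (b"#Software: Microsoft Internet Information Services 6.0\r\n"
                     b"#Version: 1.0\r\n#Date: 2010-03-22 00:00:00\r\n"
                     b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
                     b"2010-03-22 00:00:01 10.0.0.5 GET /index.htm 200\r\n"),
    "pfirewall.log": (b"#Version: 1.5\r\n#Software: Microsoft Windows Firewall\r\n"
                      b"#Time Format: Local\r\n#Fields: date time action protocol src-ip dst-ip\r\n"
                      b"2010-03-22 00:00:01 DROP TCP 10.0.0.9 10.0.0.5 4444 445 RECEIVE\r\n"),
    "readme.txt": b"nothing of interest here\r\n",
}


def demo() -> Dict[str, str]:
    """Write the constructed samples to a temp folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLES.items():
            (Path(tmp) / name).write_bytes(blob)
        return scan_folder(tmp)


if __name__ == "__main__":
    for name, label in sorted(demo().items()):
        print(f"{label:12s} {name}")
```

Run it against the Copy/Unerase output folder (`scan_folder("/path/to/export")`) and anything it labels that the EnScript did not bookmark is worth a manual look before handing the folder to Timescanner. Note that `photo_no_exif.jpg` is deliberately not reported: a JPEG without an APP1 Exif segment gives the EXIF parser nothing to work with.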
Once the potential data sources are identified and bookmarked, the analyst should manually review each item before export. Selecting the bookmark and using Tag Selected Items ensures the files are tagged in the Entries view. From there you can Copy/Unerase, Copy Folders, or even create a Logical Evidence File. The easiest method is to use Copy/Unerase and then point Timescanner at that folder.