Difference between pages "Log2timeline" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Links)
 
(DBG, PDB)
 
Line 1: Line 1:
==log2timeline==
+
{{expand}}
  
log2timeline is designed as a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
  
The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7 and 10.5.8). Parts of it should work natively in Windows as well (with ActiveState Perl installed).
+
There are multiple families of executable files:
 +
* Scripts; e.g. shell scripts, batch scripts (.bat)
 +
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
 +
* ELF
 +
* Mach-O
  
==Description==
+
== External Links ==
log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool has both a modular based approach to the input file as well as the output file. The default behavior of the current version is to export the timeline in a body format readable by TSK's (The SleuthKit) [http://wiki.sleuthkit.org/index.php?title=Body_file mactime] (although this can be easily changed). log2timeline is build as a series of scripts, this one being the front-end, which uses other scripts to actually parse the log files (called modules). The tool is build to be easily extended for anyone that wants to create a new module.
+
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
  
The tool contains (current version of 0.51 nightly build (20102608)) three front-ends:
+
=== MZ, PE/COFF ===
* '''log2timeline''' - The main front-end. A tool capable of parsing a single log file/directory pointed to the tool using a selected input module.
+
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
* '''timescanner''' - A recursive front-end capable of parsing a directory passed to the tool and recursively go through each and every file/dir and try to parse it with every or selected input modules (to provide an automatic method of creating a super timeline).
+
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
* '''glog2timeline''' - A simple GUI front-end, with similar capabilities as log2timeline (the main front-end)
+
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
 +
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
  
==Currently Supported Input Modules==
+
=== DBG, PDB ===
 +
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
 +
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [http://moyix.blogspot.ch/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
  
The currently supported input modules (as of version 0.51 nightly build (20102608)) are:
+
=== Mach-O ===
 +
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
  
* '''apache2_access''' - Parse the content of a Apache2 access log file
+
== Tools ==
* '''apache2_error''' - Parse the content of a Apache2 error log file
+
* '''chrome''' - Parse the content of a Chrome history file
+
* '''evt''' - Parse the content of a [[Windows Event Log (EVT)|Windows 2k/XP/2k3 Event Log]]
+
* '''evtx''' - Parse the content of a [[Windows XML Event Log (EVTX)]] file
+
* '''exif''' - Extract metadata information from files using ExifTool
+
* '''ff_bookmark''' - Parse the content of a Firefox bookmark file
+
* '''firefox2''' - Parse the content of a Firefox 2 browser history
+
* '''firefox3''' - Parse the content of a Firefox 3 history file
+
* '''iehistory''' - Parse the content of an index.dat file containg IE history
+
* '''iis''' - Parse the content of a IIS W3C log file
+
* '''isatxt''' - Parse the content of a ISA text export log file
+
* '''mactime''' - Parse the content of a body file in the mactime format
+
* '''mcafee''' - Parse the content of a log file
+
* '''opera''' - Parse the content of an Opera's global history file
+
* '''oxml''' - Parse the content of an OpenXML document (Office 2007 documents)
+
* '''pcap''' - Parse the content of a PCAP file
+
* '''pdf''' - Parse some of the available PDF document metadata
+
* '''prefetch''' - Parse the content of the Prefetch directory
+
* '''recycler''' - Parse the content of the recycle bin directory
+
* '''restore''' - Parse the content of the restore point directory
+
* '''setupapi''' - Parse the content of the SetupAPI log file in Windows XP
+
* '''sol''' - Parse the content of a .sol (LSO) or a Flash cookie file
+
* '''squid''' - Parse the content of a Squid access log (http_emulate off)
+
* '''syslog''' - Parse the content of a Linux Syslog log file
+
* '''tln''' - Parse the content of a body file in the TLN format
+
* '''userassist''' - Parses the NTUSER.DAT registry file
+
* '''volatility''' - Parse the content of a Volatility output files (psscan2, sockscan2, ...)
+
* '''win_link''' - Parse the content of a Windows shortcut file (or a link file)
+
* '''wmiprov''' - Parse the content of the wmiprov log file
+
* '''xpfirewall''' - Parse the content of a XP Firewall log
+
  
 +
=== MZ, PE/COFF ===
 +
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
  
==Currently Supported Output Modules==
+
=== PDB ===
 
+
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)
The currently supported output modules (as of version 0.51 nightly build (20102608)) are:
+
 
+
* '''beedocs''' - Output timeline using tab-delimited file to import into BeeDocs
+
* '''cef''' - Output timeline using the ArcSight Commen Event Format (CEF)
+
* '''cftl''' - Output timeline in a XML format that can be read by CFTL
+
* '''csv''' - Output timeline using CSV (Comma Separated Value) file
+
* '''mactime''' - Output timeline using mactime format
+
* '''mactime_l''' - Output timeline using legacy version of the mactime format (version 1.x and 2.x)
+
* '''simile''' - Output timeline in a XML format that can be read by a SIMILE widget
+
* '''sqlite''' - Output timeline into a SQLite database
+
* '''tab''' - Output timeline using TDV (Tab Delimited Value) file
+
* '''tln''' - Output timeline using H. Carvey's TLN format
+
* '''tlnx''' - Output timeline using H. Carvey's TLN format in XML
+
 
+
 
+
== External Links ==
+
; [http://log2timeline.net log2timeline web site]
+
; [http://www.sans.org/reading_room/whitepapers/logging/mastering-super-timeline-log2timeline_33438 SANS GCFA Gold paper about the tool]
+
; [http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/ A quick run on how to create a super timeline]
+
; [http://blog.kiddaland.net/?s=log2timeline Blog posts about the tool]
+
; [https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ Part 1 of the SANS Forensic blog post about the tool]
+
; [https://blogs.sans.org/computer-forensics/2009/08/14/artifact-timeline-creation-and-analysis-part-2/ Part 2 of the SANS forensic blog post about the tool]
+

Revision as of 05:18, 2 November 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
  • ELF
  • Mach-O

External Links

MZ, PE/COFF

DBG, PDB

Mach-O

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)