From Forensics Wiki
Revision as of 03:16, 28 August 2009 by Kiddi (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search



log2timeline is designed as a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.

The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7 and 10.5.8). Parts of it should work natively in Windows as well (with ActiveState Perl installed).


log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool has both a modular based approach to the input file as well as the output file. The current version supports exporting the timeline in a body format readable by TSK's (The SleuthKit) mactime. log2timeline is build as a series of scripts, this one being the front-end, which uses other scripts to actually parse the log files (called format files). The tool is build to be easily extended for anyone that wants to create a new format or an output file.

As noted above the current supported output is the body format used by mactime. For further information about the ouptput format, please read Mactime Body Format. Other output formats can be easily created by the use of an output file. The output file can be set to output in a body format that needs to be imported into another tool for human readable format, or it can be implemented to print the timeline directly in a human readable format.

The tool is build using multiple so called format files, which are stored in the format folder. Each of those format files provide a single format that can be parsed, whether that is a log file or a directory containing some files that need to be parsed.

The purpose of the tool is to provide a single tool to parse various artifacts that are either produced by the suspsect operating system or other systems that might have some logs retaining to the investigation.

Currently Supported Formats

   * Windows Prefetch directory
   * Squid Access Logs (httpd_emulate off)
   * Windows Restore Points
   * Windows Recycle Bin (INFO2)
   * Windows Shortcut files (LNK)
   * UserAssist key of the Windows registry
   * Firefox 3 history
   * Windows IIS W3C log files
   * OpenXML metadata, for metadata extraction from Office 2007 documents
   * ISA server text export. Copy query results to clipboard and into a text file
   * TLN (timeline) body files
   * Mactime body files (to provide an easy method to modify from mactime format to some other)


log2timeline web site
A blog post introducing the tool
Part 1 of the SANS Forensic blog post about the tool
Part 2 of the SANS forensic blog post about the tool