| Line 1: |
| − | ==log2timeline==
| + | {{expand}} |
| − | log2timeline is designed as a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.
| + | == Image types == |
| | + | There are multiple types of VMWare Virtual Disk Format (VMDK) data files: |
| | + | * 2GbMaxExtentFlat (twoGbMaxExtentFlat); descriptor file (name.vmdk) with RAW data extent files (name-f###.vmdk). This image type is basically a [[Raw Image Format|split RAW image]]. |
| | + | * 2GbMaxExtentSparse (twoGbMaxExtentSparse); descriptor file (name.vmdk) with VMDK sparse data extent files (name-s###.vmdk) |
| | + | * monolithicSparse; VMDK sparse data extent files (name.vmdk) which contains the descriptor file data. |
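Review bot: the monolithicSparse bullet has a number mismatch ("VMDK sparse data extent files (name.vmdk) which contains"): a plural noun with a singular verb. Since the bullet describes one name.vmdk that also carries the descriptor, suggest "a single VMDK sparse data file (name.vmdk) that also contains the descriptor data". The twoGbMaxExtentSparse bullet is also missing its terminating period, unlike the two bullets around it.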
| − | The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7 and 10.5.8). Parts of it should work natively in Windows as well (with ActiveState Perl installed). | + | == Descriptor file == |
| | + | The descriptor file defines how and where the data of the VMDK image is stored. The data is stored in extent data files. |
| − | ==Description== | + | == Extent file types == |
| − | log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool has both a modular based approach to the input file as well as the output file. The current version supports exporting the timeline in a body format readable by TSK's (The SleuthKit) mactime. log2timeline is build as a series of scripts, this one being the front-end, which uses other scripts to actually parse the log files (called format files). The tool is build to be easily extended for anyone that wants to create a new format or an output file.
| + | There are multiple types extent files: |
| | + | * RAW data file or device |
| | + | * VMDK sparse data file |
| | + | * COWD sparse data file |
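Review bot: "There are multiple types extent files" is missing "of" ("multiple types of extent files"). It would also help to tie this list back to the image types listed above: the RAW extent is the one used by twoGbMaxExtentFlat and the VMDK sparse extent is used by twoGbMaxExtentSparse and monolithicSparse, whereas the COWD sparse extent type appears here but none of the image types above uses it, so either a corresponding image type or a short note on where COWD extents occur is missing.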
| − | As noted above the current supported output is the body format used by mactime. For further information about the ouptput format, please read [http://wiki.sleuthkit.org/index.php?title=Body_file Mactime Body Format]. Other output formats can be easily created by the use of an output file. The output file can be set to output in a body format that needs to be imported into another tool for human readable format, or it can be implemented to print the timeline directly in a human readable format.
| + | == External Links == |
| | + | * [http://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf?src=vmdk Virtual Disk Format 5.0], by [[VMWare]] |
| − | The tool is build using multiple so called format files, which are stored in the format folder. Each of those format files provide a single format that can be parsed, whether that is a log file or a directory containing some files that need to be parsed.
| + | [[Category:File Formats]] |
| − | The purpose of the tool is to provide a single tool to parse various artifacts that are either produced by the suspsect operating system or other systems that might have some logs retaining to the investigation.
| − | ==Currently Supported Input Modules==
| − | The currently supported input modules (as of version 0.51 nightly build (20102608)) are:
| − | * '''apache2_access''' - Parse the content of a Apache2 access log file
| − | * '''apache2_error''' - Parse the content of a Apache2 error log file
| − | * '''chrome''' - Parse the content of a Chrome history file
| − | * '''evt''' - Parse the content of a Windows 2k/XP/2k3 Event Log
| − | * '''evtx''' - Parse the content of a Windows Event Log File (EVTX)
| − | * '''exif''' - Extract metadata information from files using ExifTool
| − | * '''ff_bookmark''' - Parse the content of a Firefox bookmark file
| − | * '''firefox2''' - Parse the content of a Firefox 2 browser history
| − | * '''firefox3''' - Parse the content of a Firefox 3 history file
| − | * '''iehistory''' - Parse the content of an index.dat file containg IE history
| − | * '''iis''' - Parse the content of a IIS W3C log file
| − | * '''isatxt''' - Parse the content of a ISA text export log file
| − | * '''mactime''' - Parse the content of a body file in the mactime format
| − | * '''mcafee''' - Parse the content of a log file
| − | * '''opera''' - Parse the content of an Opera's global history file
| − | * '''oxml''' - Parse the content of an OpenXML document (Office 2007 documents)
| − | * '''pcap''' - Parse the content of a PCAP file
| − | * '''pdf''' - Parse some of the available PDF document metadata
| − | * '''prefetch''' - Parse the content of the Prefetch directory
| − | * '''recycler''' - Parse the content of the recycle bin directory
| − | * '''restore''' - Parse the content of the restore point directory
| − | * '''setupapi''' - Parse the content of the SetupAPI log file in Windows XP
| − | * '''sol''' - Parse the content of a .sol (LSO) or a Flash cookie file
| − | * '''squid''' - Parse the content of a Squid access log (http_emulate off)
| − | * '''syslog''' - Parse the content of a Linux Syslog log file
| − | * '''tln''' - Parse the content of a body file in the TLN format
| − | * '''userassist''' - Parses the NTUSER.DAT registry file
| − | * '''volatility''' - Parse the content of a Volatility output files (psscan2, sockscan2, ...)
| − | * '''win_link''' - Parse the content of a Windows shortcut file (or a link file)
| − | * '''wmiprov''' - Parse the content of the wmiprov log file
| − | * '''xpfirewall''' - Parse the content of a XP Firewall log
| − | ==Links==
| − | ; [http://log2timeline.net log2timeline web site]
| − | ; [http://www.sans.org/reading_room/whitepapers/logging/mastering-super-timeline-log2timeline_33438 SANS GCFA Gold paper about the tool]
| − | ; [http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/ A quick run on how to create a super timeline]
| − | ; [http://blog.kiddaland.net/2009/08/log2timeline-artifact-timeline-analysis-part-i/ A blog post introducing the tool]
| − | ; [https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ Part 1 of the SANS Forensic blog post about the tool]
| − | ; [https://blogs.sans.org/computer-forensics/2009/08/14/artifact-timeline-creation-and-analysis-part-2/ Part 2 of the SANS forensic blog post about the tool]
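Review bot: the entire log2timeline article (description, the "Currently Supported Input Modules" list and the Links section) is dropped here rather than moved, and the replacement VMDK text never refers to it, so the removal looks like a page being overwritten rather than revised. If the page is being repurposed for the VMDK format, the log2timeline content should be moved to its own page (or restored) before this revision is accepted, and the new page should keep an edit summary explaining the swap.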