Difference between pages "Log2timeline" and "VMWare Virtual Disk Format (VMDK)"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Currently Supported Input Modules)
 
(Image types)
 
Line 1: Line 1:
==log2timeline==
+
{{expand}}
  
log2timeline is designed as a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.
+
== Image types ==
 +
There are multiple types of VMWare Virtual Disk Format (VMDK) data files:
 +
* 2GbMaxExtentFlat (twoGbMaxExtentFlat); descriptor file (name.vmdk) with RAW data extent files (name-f###.vmdk). This image type is basically a [[Raw Image Format|split RAW image]].
 +
* 2GbMaxExtentSparse (twoGbMaxExtentSparse); descriptor file (name.vmdk) with VMDK sparse data extent files (name-s###.vmdk)
 +
* monolithicSparse; VMDK sparse data extent files (name.vmdk) which contains the descriptor file data.
  
The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7 and 10.5.8). Parts of it should work natively in Windows as well (with ActiveState Perl installed).
+
== Descriptor file ==
 +
The descriptor file defines how and where the data of the VMDK image is stored. The data is stored in extent data files.
  
==Description==
+
== Extent file types ==
log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool has both a modular based approach to the input file as well as the output file. The current version supports exporting the timeline in a body format readable by TSK's (The SleuthKit) mactime. log2timeline is build as a series of scripts, this one being the front-end, which uses other scripts to actually parse the log files (called format files). The tool is build to be easily extended for anyone that wants to create a new format or an output file.
+
There are multiple types extent files:
 +
* RAW data file or device
 +
* VMDK sparse data file
 +
* COWD sparse data file
  
As noted above the current supported output is the body format used by mactime. For further information about the ouptput format, please read [http://wiki.sleuthkit.org/index.php?title=Body_file Mactime Body Format]. Other output formats can be easily created by the use of an output file. The output file can be set to output in a body format that needs to be imported into another tool for human readable format, or it can be implemented to print the timeline directly in a human readable format.
+
== External Links ==
 +
* [http://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf?src=vmdk Virtual Disk Format 5.0], by [[VMWare]]
  
The tool is build using multiple so called format files, which are stored in the format folder. Each of those format files provide a single format that can be parsed, whether that is a log file or a directory containing some files that need to be parsed.
+
[[Category:File Formats]]
 
+
The purpose of the tool is to provide a single tool to parse various artifacts that are either produced by the suspsect operating system or other systems that might have some logs retaining to the investigation.
+
 
+
==Currently Supported Input Modules==
+
 
+
The currently supported input modules (as of version 0.51 nightly build (20102608)) are:
+
 
+
* '''apache2_access''' - Parse the content of a Apache2 access log file
+
* '''apache2_error''' - Parse the content of a Apache2 error log file
+
* '''chrome''' - Parse the content of a Chrome history file
+
* '''evt''' - Parse the content of a Windows 2k/XP/2k3 Event Log
+
* '''evtx''' - Parse the content of a Windows Event Log File (EVTX)
+
* '''exif''' - Extract metadata information from files using ExifTool
+
* '''ff_bookmark''' - Parse the content of a Firefox bookmark file
+
* '''firefox2''' - Parse the content of a Firefox 2 browser history
+
* '''firefox3''' - Parse the content of a Firefox 3 history file
+
* '''iehistory''' - Parse the content of an index.dat file containg IE history
+
* '''iis''' - Parse the content of a IIS W3C log file
+
* '''isatxt''' - Parse the content of a ISA text export log file
+
* '''mactime''' - Parse the content of a body file in the mactime format
+
* '''mcafee''' - Parse the content of a log file
+
* '''opera''' - Parse the content of an Opera's global history file
+
* '''oxml''' - Parse the content of an OpenXML document (Office 2007 documents)
+
* '''pcap''' - Parse the content of a PCAP file
+
* '''pdf''' - Parse some of the available PDF document metadata
+
* '''prefetch''' - Parse the content of the Prefetch directory
+
* '''recycler''' - Parse the content of the recycle bin directory
+
* '''restore''' - Parse the content of the restore point directory
+
* '''setupapi''' - Parse the content of the SetupAPI log file in Windows XP
+
* '''sol''' - Parse the content of a .sol (LSO) or a Flash cookie file
+
* '''squid''' - Parse the content of a Squid access log (http_emulate off)
+
* '''syslog''' - Parse the content of a Linux Syslog log file
+
* '''tln''' - Parse the content of a body file in the TLN format
+
* '''userassist''' - Parses the NTUSER.DAT registry file
+
* '''volatility''' - Parse the content of a Volatility output files (psscan2, sockscan2, ...)
+
* '''win_link''' - Parse the content of a Windows shortcut file (or a link file)
+
* '''wmiprov''' - Parse the content of the wmiprov log file
+
* '''xpfirewall''' - Parse the content of a XP Firewall log
+
 
+
==Links==
+
; [http://log2timeline.net log2timeline web site]
+
; [http://www.sans.org/reading_room/whitepapers/logging/mastering-super-timeline-log2timeline_33438 SANS GCFA Gold paper about the tool]
+
; [http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/ A quick run on how to create a super timeline]
+
; [http://blog.kiddaland.net/2009/08/log2timeline-artifact-timeline-analysis-part-i/ A blog post introducing the tool]
+
; [https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ Part 1 of the SANS Forensic blog post about the tool]
+
; [https://blogs.sans.org/computer-forensics/2009/08/14/artifact-timeline-creation-and-analysis-part-2/ Part 2 of the SANS forensic blog post about the tool]
+

Revision as of 10:57, 22 September 2012

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Image types

There are multiple types of VMWare Virtual Disk Format (VMDK) data files:

  • 2GbMaxExtentFlat (twoGbMaxExtentFlat); descriptor file (name.vmdk) with RAW data extent files (name-f###.vmdk). This image type is basically a split RAW image.
  • 2GbMaxExtentSparse (twoGbMaxExtentSparse); descriptor file (name.vmdk) with VMDK sparse data extent files (name-s###.vmdk)
  • monolithicSparse; VMDK sparse data extent files (name.vmdk) which contains the descriptor file data.

Descriptor file

The descriptor file defines how and where the data of the VMDK image is stored. The data is stored in extent data files.

Extent file types

There are multiple types extent files:

  • RAW data file or device
  • VMDK sparse data file
  • COWD sparse data file

External Links