Difference between pages "Log2timeline" and "SQLite database format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Currently Supported Formats)
 
(Use Cases)
 
Line 1: Line 1:
==log2timeline==
+
{{expand}}
  
log2timeline is designed as a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.
+
SQLite databases are used by many programs including several forensics tools, e.g. [[Autopsy]] 3.
 +
SQLite 3 is current and older SQLite packages cannot use sqlite3 databases so use sqlite3 tools.
  
The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7 and 10.5.8). Parts of it should work natively in Windows as well (with ActiveState Perl installed).
+
== SQLite3 ==
  
==Description==
+
SQLite version 3 uses a page-based storage where the pages are used for various types of data e.g. there are:
log2timeline takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool has both a modular based approach to the input file as well as the output file. The current version supports exporting the timeline in a body format readable by TSK's (The SleuthKit) mactime. log2timeline is build as a series of scripts, this one being the front-end, which uses other scripts to actually parse the log files (called format files). The tool is build to be easily extended for anyone that wants to create a new format or an output file.
+
* lock-byte pages
 +
* freelist pages
 +
** freelist trunk pages
 +
** freelist leaf pages
 +
* B-tree pages
 +
** table B-tree interior pages
 +
** table B-tree leaf pages
 +
** index B-tree interior pages
 +
** index B-tree leaf pages
 +
* payload overflow pages
 +
* pointer map pages
  
As noted above the current supported output is the body format used by mactime. For further information about the ouptput format, please read [http://wiki.sleuthkit.org/index.php?title=Body_file Mactime Body Format]. Other output formats can be easily created by the use of an output file. The output file can be set to output in a body format that needs to be imported into another tool for human readable format, or it can be implemented to print the timeline directly in a human readable format.
+
=== Write-Ahead Log (WAL) ===
 +
The default method by which SQLite implements atomic commit and rollback is a rollback journal. In version 3.7.0 a "Write-Ahead Log" option was added.
  
The tool is build using multiple so called format files, which are stored in the format folder. Each of those format files provide a single format that can be parsed, whether that is a log file or a directory containing some files that need to be parsed.
+
== Temporary sqlite files ==
 +
Seen in e.g.
 +
<pre>
 +
/Users/%USERNAME%/AppData/Local/Temp/etilqs_%RANDOM%
 +
</pre>
  
The purpose of the tool is to provide a single tool to parse various artifacts that are either produced by the suspsect operating system or other systems that might have some logs retaining to the investigation.
+
Where "etilqs" is "sqlite" in reverse
  
==Currently Supported Input Modules==
+
== Use Cases ==
 +
=== Web Browser Data ===
 +
[[Mozilla Firefox]] and [[Google Chrome]] both use SQLite version 3 databases for user data such as history, downloaded files.
  
The currently supported input modules (as of version 0.51 nightly build (20102608)) are:
+
=== Mobile OS ===
 +
[[Google Android]] and [[Apple iOS]] use SQLite3 databases for many system applications. Phone data including calls, messages, and credentials are all stored in SQLite3.
  
* apache2_access - Parse the content of a Apache2 access log file
+
== External Links ==
* apache2_error - Parse the content of a Apache2 error log file
+
* [http://sqlite.org/fileformat2.html The SQLite Database File Format], by the [[SQLite|SQLite project]]
* chrome - Parse the content of a Chrome history file
+
* [http://sqlite.org/wal.html Write-Ahead Logging], by the [[SQLite|SQLite project]]
* evt - Parse the content of a Windows 2k/XP/2k3 Event Log
+
* [http://forensicsfromthesausagefactory.blogspot.com/2011/04/carving-sqlite-databases-from.html Carving SQLite databases from unallocated clusters], by Richard Drinkwater, April 27, 2011
* evtx - Parse the content of a Windows Event Log File (EVTX)
+
* [http://linuxsleuthing.blogspot.ch/2013/09/recovering-data-from-deleted-sqlite.html Recovering Data from Deleted SQLite Records: Redux], by [[John Lehr]], September 13, 2013
* exif - Extract metadata information from files using ExifTool
+
* ff_bookmark - Parse the content of a Firefox bookmark file
+
* firefox2 - Parse the content of a Firefox 2 browser history
+
* firefox3 - Parse the content of a Firefox 3 history file
+
* iehistory - Parse the content of an index.dat file containg IE history
+
* iis - Parse the content of a IIS W3C log file
+
* isatxt - Parse the content of a ISA text export log file
+
* mactime - Parse the content of a body file in the mactime format
+
* mcafee - Parse the content of a log file
+
* opera - Parse the content of an Opera's global history file
+
* oxml - Parse the content of an OpenXML document (Office 2007 documents)
+
* pcap - Parse the content of a PCAP file
+
* pdf - Parse some of the available PDF document metadata
+
* prefetch - Parse the content of the Prefetch directory
+
* recycler - Parse the content of the recycle bin directory
+
* restore - Parse the content of the restore point directory
+
* setupapi - Parse the content of the SetupAPI log file in Windows XP
+
* sol - Parse the content of a .sol (LSO) or a Flash cookie file
+
* squid - Parse the content of a Squid access log (http_emulate off)
+
syslog 0.1 Parse the content of a Linux Syslog log file
+
tln 0.4 Parse the content of a body file in the TLN format
+
userassist 0.8 Parses the NTUSER.DAT registry file
+
volatility 0.1 Parse the content of a Volatility output files (psscan2, sockscan2, ...)
+
win_link 0.6 Parse the content of a Windows shortcut file (or a link file)
+
wmiprov 0.1 Parse the content of the wmiprov log file
+
xpfirewall 0.3 Parse the content of a XP Firewall log
+
  
==Links==
+
== Tools ==
; [http://log2timeline.net log2timeline web site]
+
* [[SQLite]]
; [http://www.sans.org/reading_room/whitepapers/logging/mastering-super-timeline-log2timeline_33438 SANS GCFA Gold paper about the tool]
+
* [[SQLite Forensic Reporter]]
; [http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/ A quick run on how to create a super timeline]
+
 
; [http://blog.kiddaland.net/2009/08/log2timeline-artifact-timeline-analysis-part-i/ A blog post introducing the tool]
+
[[Category:File Formats]]
; [https://blogs.sans.org/computer-forensics/2009/08/13/artifact-timeline-creation-and-analysis-tool-release-log2timeline/ Part 1 of the SANS Forensic blog post about the tool]
+
; [https://blogs.sans.org/computer-forensics/2009/08/14/artifact-timeline-creation-and-analysis-part-2/ Part 2 of the SANS forensic blog post about the tool]
+

Revision as of 10:15, 26 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

SQLite databases are used by many programs including several forensics tools, e.g. Autopsy 3. SQLite 3 is current and older SQLite packages cannot use sqlite3 databases so use sqlite3 tools.

SQLite3

SQLite version 3 uses a page-based storage where the pages are used for various types of data e.g. there are:

  • lock-byte pages
  • freelist pages
    • freelist trunk pages
    • freelist leaf pages
  • B-tree pages
    • table B-tree interior pages
    • table B-tree leaf pages
    • index B-tree interior pages
    • index B-tree leaf pages
  • payload overflow pages
  • pointer map pages

Write-Ahead Log (WAL)

The default method by which SQLite implements atomic commit and rollback is a rollback journal. In version 3.7.0 a "Write-Ahead Log" option was added.

Temporary sqlite files

Seen in e.g.

/Users/%USERNAME%/AppData/Local/Temp/etilqs_%RANDOM%

Where "etilqs" is "sqlite" in reverse

Use Cases

Web Browser Data

Mozilla Firefox and Google Chrome both use SQLite version 3 databases for user data such as history, downloaded files.

Mobile OS

Google Android and Apple iOS use SQLite3 databases for many system applications. Phone data including calls, messages, and credentials are all stored in SQLite3.

External Links

Tools