This humble site will soon be deprecated in favor of the Google code site, here. For updated information go there...
This humble web site is dedicated to the tool log2timeline, a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts.
The tool is written in Perl for Linux but has been tested on Mac OS X (10.5.7+ and 10.6+). Parts of it should work natively in Windows as well (with ActiveState Perl installed) while other parts need to be slightly to considerably modified to work properly (I haven't tested any functionality in Windows yet; if anyone is interested in porting the application to Windows then please contact me).
I started this project after a discussion with Rob Lee about possible topics I could choose for my SANS Gold paper. Rob had this great idea of wanting a tool that could take timeline analysis to a new level: a single tool that could parse various artifacts found on a suspect drive and include them in the timeline, a sort of super timeline. The Gold paper, titled "Mastering the Super Timeline With log2timeline", can be downloaded from here.
And if the gold paper isn't enough, or too much, it is always possible to refer to the man page for a description of the tool or to the blog entries that can be found here below for examples of usage and a better description. And as always, better documentation is on the way... (one source being my blog).
If you like the tool, please consider donations to help keep the project alive.
In the case you might stumble on a bug (yes, it has happened) or possibly have a feature request, please use the bug tracking system, available from bugs.log2timeline.net.
19/09/12: New release, version 0.65. Mostly bug fixes, albeit two new input modules (utmp and selinux) contributed by Francesco Picasso. See the changelog for full details.
12/06/12: New release, version 0.64. Mostly bug fixes, and one input module (LS_QuarantineEvents), and the introduction to a unit test suite, see changelog for full details.
09/04/12: New release, version 0.63. Mostly bug fixes, and one new output module (serialize), which is a first attempt at a serialized output module, see changelog for full details.
24/11/11: New release, version 0.62. Few bug fixes, three new input modules and few new features, see the changelog for full details.
26/09/11: New release, version 0.61 released. Few bug fixes, changes to sqlite output and for the first time only user contributed new input modules, see the changelog for full details.
06/06/11: New release, version 0.60 released. Engine redesigned, lots of changes, too many to count, see the changelog for some details about the new release, there will also be blog posts and other stuff talking about this release
25/05/11: New bug tracking system set up for log2timeline, available from bugs.log2timeline.net
04/05/11: log2timeline nominated for the 2011 Forensic4Cast awards for the "best computer forensic software", see announcement here
05/04/11: A new version has been released, version 0.52, few bug fixes, new modules and a new tool called l2t_process, see the changelog for a better description.
14/12/10: A new version has been released, version 0.51, with plenty of changes, new modules, bug fixes and new stuff, see the changelog for a better description. This release contains new contributed modules from Willi Ballenthin, Hal Pomeranz and Tom Webb.
25/08/10: The gold paper has finally been published, Mastering the Super Timeline With log2timeline can be downloaded from here
23/08/10: The server is back up after a very unplanned downtime that lasted for almost three days, caused by ... let's say technical difficulties...
30/06/10: A new version has been released, 0.50. Several structural changes, a new timestamp object, changed output and several internal changes made to speed up processing. Additionally this release marks a hopefully new beginning of the tool, with code contributions coming from both Julien Touche, who wrote an input module to parse volatility psscan/psscan2 output, and Ben Schmitt, who is helping me to write a threaded version of timescanner. Read the full changelog for a complete list of the changes made, as well as the blog post about the release.
06/04/10: A new version has been released, 0.43. Few bug fixes along with a new input module for Firefox 2 history files. Full changelog can be read here.
05/03/10: A new version has been released, 0.42, with several bug fixes, enhancements and two new input modules: for McAfee AV logs and PDF metadata. See the full changelog here.
15/01/10: A new version has been released, 0.41, with several bug fixes, enhancements and new input modules, such as Chrome browser history, Opera browser history, Firefox bookmarks and Windows EVTX, and a new output module, CEF (Common Event Format). Other input modules have been improved: userassist now supports Windows 7 and Vista, and Firefox3 reads bookmark and download information from the database. See the changelog.
25/11/09: Finally a new version released. This time with lots and lots of changes, so the new version is a point upgrade, version 0.40. Some major changes, such as an upgrade to the GUI front-end to make it feature compatible with the CLI, as well as changes to make timescanner more stable and able to parse more files. All timestamps are now normalized to UTC, which makes the -z TIMEZONE option a required input to log2timeline. For the full list of changes, see the changelog.
15/09/09: Version 0.33 released. Mostly bug fixes and other minor changes, see the changelog for full list. The update is recommended, since there were few bugs in the older version.
10/09/09: Version 0.32 released. New input modules for XP firewall log, Flash cookies and setup API log files. Also added a new parameter to log2timeline, -c to check if there is an update available. Full changelog can be read here.
07/09/09: Version 0.31b released. New input module added for parsing EXIF data. A new tool added, called timescanner that recursively goes through directories, searching for files that the tool is able to parse, other changes made, full list can be read in the changelog. Also modified the installation of the tool, it's now done through a Makefile (better integration as well as to include libraries in correct places)
02/09/09: Version 0.30b released. Considerable changes made, please see the changelog for full details. Added a basic GUI, created shared libraries, separated shared functions from the main script into libraries, created new libraries, added input and output modules.
10/08/09: Version 0.22b released. Added four new input modules, some modifications made to the main script as well as adding one output module. See the changelog for full details.
07/08/09: Version 0.21b released. Added IIS W3C input module as well as fixing few bugs in the win_link input module. Also added a new output format, TLN (timeline format as defined by H. Carvey). See CHANGELOG for full list of changes
04/08/09: Second beta version released on the site, version 0.20b. Added Firefox3 support plus modified the structure of the file, please see changelog for all modifications and updates.
31/07/09: First beta version released on the site, version 0.12b
A GUI has been written in Perl-Gtk2 for creating the timeline. Since the GUI is written in Gtk2 it will not work on every OS. It has been tested to work on both Linux (tested on Ubuntu) and Mac OS X (tested on Mac OS X 10.5 and 10.6 with X11 installed and MacPorts used to install dependencies).
Please note, I'm not a GUI developer, so if anyone is interested in assisting with this project, you are more than welcome to fix the GUI.
Starting from version 0.31b log2timeline includes some output modules that can be used with tools that visually represent the timeline. Although the output module should provide an accurate XML document that can be used by these tools they haven't been tested fully. This site will contain some screenshots and documentation explaining how such visual representation can be made, yet until then...
The latest version also includes a new front-end, called timescanner. Timescanner recursively goes through a directory and tests each file found to see if the tool can parse and extract timestamp data from it. By using that tool one can go through an entire image and extract all available timestamps from artifacts that log2timeline is able to parse, thus creating a super timeline automatically.
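To make the timescanner idea concrete, here is an added example (my own Python, not log2timeline's Perl code): a miniature scanner that walks a directory, lets each "input module" verify whether it recognises a file before parsing it, normalises local-time artifacts to UTC using a supplied time zone (the reason the -z TIMEZONE option became mandatory in 0.40), and emits the merged events in the five-field TLN layout (Time|Source|Host|User|Description) listed among the output modules. The two input modules, the TSK body-file and syslog field layouts, the assumed year for syslog lines, the fixed UTC-5 host zone and the sample files are all assumptions constructed for this demo, not taken from the project.

```python
"""Miniature timescanner (added example, not log2timeline's code)."""
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed host time zone for local-time artifacts (stands in for -z TIMEZONE).
HOST_TZ = timezone(timedelta(hours=-5))
# Syslog lines carry no year; assume the year of the acquisition.
ASSUMED_YEAR = 2012


@dataclass
class Event:
    time: datetime   # always UTC after normalisation
    source: str
    host: str
    user: str
    desc: str


class BodyFileModule:
    """TSK 3.x body file (assumed layout):
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds UTC."""
    name = "FILE"

    def verify(self, first_line):
        f = first_line.rstrip("\n").split("|")
        return len(f) == 11 and all(x.lstrip("-").isdigit() for x in f[7:])

    def parse(self, lines, tz, year):
        for line in lines:
            f = line.rstrip("\n").split("|")
            if len(f) != 11:
                continue
            for label, raw in zip(("atime", "mtime", "ctime", "crtime"), f[7:]):
                ts = int(raw)
                if ts <= 0:   # body files use 0 for "no such timestamp"
                    continue
                yield Event(datetime.fromtimestamp(ts, timezone.utc),
                            self.name, "-", f[4], f"[{label}] {f[1]}")


SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                       r"(?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


class SyslogModule:
    """Generic Linux log line: local time, no year, no zone -> needs tz and year."""
    name = "LOG"

    def verify(self, first_line):
        return SYSLOG_RE.match(first_line) is not None

    def parse(self, lines, tz, year):
        for line in lines:
            m = SYSLOG_RE.match(line)
            if not m:
                continue
            local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                                      "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            yield Event(local.astimezone(timezone.utc), self.name, m["host"], "-", m["msg"])


MODULES = [BodyFileModule(), SyslogModule()]


def scan(root, tz, year):
    """Walk root, hand each readable text file to the first module that verifies it."""
    events = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    lines = fh.readlines()
            except (UnicodeDecodeError, OSError):
                continue   # binary or unreadable: no module will claim it
            if not lines:
                continue
            for mod in MODULES:
                if mod.verify(lines[0]):
                    events.extend(mod.parse(lines, tz, year))
                    break
    events.sort(key=lambda e: (e.time, e.source, e.desc))
    return events


def to_tln(events):
    """Time|Source|Host|User|Description, time as epoch seconds (UTC)."""
    return [f"{int(e.time.timestamp())}|{e.source}|{e.host}|{e.user}|{e.desc}" for e in events]


def build_sample_image():
    """Constructed sample 'image' in a temp dir (not real case data)."""
    root = tempfile.mkdtemp(prefix="l2t_demo_")
    os.makedirs(os.path.join(root, "var", "log"))
    with open(os.path.join(root, "body.txt"), "w", encoding="utf-8") as fh:
        fh.write("0|/home/joe/notes.txt|1234|-rw-r--r--|1000|1000|42|"
                 "1348050121|1348046521|1348046521|0\n")
    with open(os.path.join(root, "var", "log", "auth.log"), "w", encoding="utf-8") as fh:
        fh.write("Sep 19 10:22:01 lab01 sshd[4711]: Accepted publickey for joe "
                 "from 10.0.0.5 port 51234 ssh2\n")
    with open(os.path.join(root, "blob.bin"), "wb") as fh:
        fh.write(b"\xff\xfe\x00garbage")   # not parseable by any module
    return root


def run_demo():
    return to_tln(scan(build_sample_image(), HOST_TZ, ASSUMED_YEAR))


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Note how the syslog entry, which reads 10:22:01 on the host, sorts five hours after the body-file atime that also reads 10:22:01: the body file is already in UTC while the log line is local time, and only the supplied zone makes the two sources comparable in one timeline.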
A quick note to Mac OS X users: there are problems running the openxml input module when using the standard Perl. One way to get it to work is to use the MacPorts version of Perl and install the "p5-archive-zip" and "p5-xml-libxml" packages (port install ...). Please see the INSTALLATION document provided with the tool for a better description of how to install the tool on different platforms.
For examples of usage, please see blog posts about the tool:
Another example usage is the presentation that I was supposed to give at the SANS EU Forensic Summit in April of 2010. The summit got cancelled because of our lovely Icelandic Volcano here in Eyjafjallajökull, however the presentation is available here at the site: Mastering the Super Timeline - log2timeline Style
log2timeline now supports exporting data in an XML document that can be read by timeline visualization tools such as CFTL (CyberForensics TimeLab) or SIMILE timeline widgets.
For an example of such a visualization you can see an example case in a SIMILE widget.
Another visual example shows the timeline from the same case, except that only browsing history is showed for the user "joe".
The man page can be reached from here and the changelog here.
The current version of the tool is version 0.64, which can be downloaded from here:
log2timeline_0.64 (md5) (sha1)
Beta version (nightly builds)
The code repository has been moved to Google code and can be checked out using git. To get to the latest code, please see the tools code repository.
In short you can issue: git clone https://code.google.com/p/log2timeline
A mailing list has been set-up for developers of the tool and others that want to keep up with the development of the tool and subscribe to announcements. For those that are interested in signing up, here is the log2timeline-dev mailing-list site.
There is no guarantee that this version works at all, since this is the development version of the tool, but it is the most up to date distribution, containing the latest features and bug fixes, so it might be a good place to check out before submitting a bug report.
Other scripts that I've written can be downloaded from here
If you like this tool, seriously consider donating money to aid further development. Donations are really appreciated since this tool is developed in my own spare time, which is often quite limited.
Current Input Modules
log2timeline currently supports parsing the following formats:
- Apache2 Access logs
- Apache2 Error logs
- Google Chrome history
- Encase dirlisting
- Windows Event Log files (EVT)
- Windows Event Log files (EVTX)
- EXIF. Extracts EXIF information or metadata from various media files
- Firefox bookmarks
- Firefox 2 history
- Firefox 3 history
- FTK Imager Dirlisting CSV file
- Generic Linux log file
- Internet Explorer history files, parsing index.dat files
- Windows IIS W3C log files
- ISA server text export. Copy query results to clipboard and into a text file
- Mactime body files (to provide an easy method to modify from mactime format to some other)
- McAfee AntiVirus Log files
- MS-SQL Error log
- Opera Global and Direct browser history
- OpenXML metadata, for metadata extraction from Office 2007 documents
- PCAP files, parsing network dump files created by tools such as Wireshark and tcpdump (PCAP)
- PDF. Parse the basic PDF metadata to capture creation dates, etc. from PDF documents.
- Windows Prefetch directory
- Windows Recycle Bin (INFO2 or I$)
- Windows Restore Points
- Safari Browser history files
- Windows XP SetupAPI.log file
- Adobe Local Shared Object files (SOL/LSO), aka Flash Cookies
- Squid Access Logs (httpd_emulate off)
- TLN (timeline) body files
- UserAssist key of the Windows registry - well really NTUSER.DAT parser since there are other keys parsed as well
- Volatility. The output file from the psscan and psscan2 modules from volatility
- Windows Shortcut files (LNK)
- Windows WMIProv log file
- Windows XP Firewall Log files (W3C format)
Current Output Modules
log2timeline currently supports exporting timeline into the following formats
- BeeDocs. A visualization tool designed for the Mac OS X.
- CEF. Common Event Format as described by ArcSight
- CFTL. An XML file that can be read by CyberForensics TimeLab (for timeline visualization)
- CSV. Dump the timeline in a comma separated value file (CSV) to easily import it into spreadsheet or use with scripts
- Mactime. Both older and newer version of the format supported for use by TSK's mactime
- SIMILE. An XML file that can be read by a SIMILE timeline widget for timeline visualization
- SQLite. Dump the timeline into a SQLite database, that can be read by possible future visualization tools
- TLN. Tab Delimited File (same as the CSV, but with tabs instead of commas to separate)
- TLN. Timeline format that is used by some of H. Carvey tools, expressed as an ASCII output
- TLNX. Timeline format that is used by some of H. Carvey's tools, expressed as an XML document
log2timeline requires several Perl libraries to be installed on the system. An installation document is provided with the tool in the docs/ folder (INSTALLATION).
It can also be found here.
I've also set up a repository for Ubuntu distributions (9.10, 10.04 and 10.10), so you can add the line matching your release to your /etc/apt/sources.list file:
For natty (Ubuntu 11.04) the line is:
deb http://log2timeline.net/pub/ natty main
For maverick (Ubuntu 10.10) the line is:
deb http://log2timeline.net/pub/ maverick main
And for lucid (Ubuntu 10.04) the line is:
deb http://log2timeline.net/pub/ lucid main
For karmic (Ubuntu 9.10) the line is:
deb http://log2timeline.net/pub/ karmic main
To have packages from this repository trusted you need to install my GPG key, which can be downloaded from here (MD5)(SHA256)
Download the GPG file and issue:
apt-key add gpg.asc
And then all you should need to do is:
apt-get install log2timeline-perl
(if your architecture is missing from the repository, please notify me so that I can update it)
log2timeline was also recently added to the CERT.org forensics tool repository. So to install the tool using yum in Fedora simply add the repository and issue the following command:
yum install log2timeline
All dependencies are solved by yum.
The tool has also been added to the OpenBSD ports as security/log2timeline, and that port has been carried over to other ports systems as well, including MacPorts on Mac OS X. So it should be enough to issue the command:
port install log2timeline
to get the tool to install on Mac OS X (given that you've got MacPorts installed) or on an OpenBSD system.
There is also a nice post on Andrew Hay's blog that describes a method to install log2timeline on the SIFT forensic workstation here. It seems to be missing the perl-DBD-SQLite package ("yum install perl-DBD-SQLite") though.
And a blog post from Andrew Hoog explains how to install version 0.41 on Ubuntu 9.10 (using the source file, CPAN and apt-get instead of my repository). An updated version explaining the installation process through the repositories is here.
The very dynamic and flexible roadmap can be seen here where a rough picture of where the tool is heading can be found.
Anyone who is interested in this project can pitch in and either follow this roadmap or create input or output modules that are not listed there. It would be appreciated if all written modules would be sent to the author of log2timeline for inclusion with the tool. The directory "dev" that is included with the tool contains the necessary files and information on how to start creating new input or output modules.
License and Author
This tool is published under GPL v. 3 and written by Kristinn Gudjonsson <kristinn ( a t ) log2timeline ( d o t ) net>. Copyright 2009-2010.