Log2timeline: free computer event and artifact timeline analysis

Author's description:

My description:
Log2timeline lets you view various computer events and artifacts that have an associated time. Amongst the 43 types of events/artifacts supported in v0.60 are browser history, Windows Event log files, NTFS change log, NTFS Master File Table, and registry hives. There are 11 output formats. The default output format is .CSV, which you can open in a spreadsheet program for further analysis.

Some useful scenarios:
1. How did malware get on a system?
2. What areas may have been affected by malware on a system?
3. Why did problems start happening on a system?
4. What was someone doing on a system?

Understands events and artifacts from these operating systems:
Windows
Unix-based systems

Runs on these operating systems:
Windows (with ActiveState Perl installed); I got v0.60 to run on Windows 7 x64 with ActiveState Perl x64; see included file Install.txt in Docs folder for Windows installation instructions
Unix-based systems
Various live cds such as SIFT Workstation, DEFT, and CAINE

Useful documents by the program's author (use search engine to find):
"Log2Timeline - Helping You to Create Super Timelines Since 2009" - describes v0.60, including all of its input methods, and also use of program l2t_process
"Mastering the Super Timeline - log2timeline style"
"Mastering the Super Timeline with log2timeline"

Example command-line usage (run with admin privileges) on a live system (adapted from http://thedigitalstandard.blogspot.com/2011/07/log2timeline-and-super-timelilnes.html):
Perl c:\perl64\bin\log2timeline.pl -r c:\ -w c:\temp\output.csv

How to get log2timeline to use locked files or otherwise unavailable files of interest on Windows:
Use NTFS File Copy Utility or HBGary's FGet to make a copy of the desired file before running log2timeline. NTFS Directory Enumerator is useful for seeing all of the files available in a directory, including special files such as \$MFT.

Problems encountered:
I got errors when trying to process some (all?) Windows Event .evtx files. I didn't spend much time troubleshooting the issue.

Example (two snippets) of .CSV output (sorted by date/time with Excel first; I replaced real account name with 'brian'; there are 16 columns when viewed in a spreadsheet):

7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,data_overwritten/file_added/file_created/file_renamed/file_closed,-,-,23153442d1839e4eb05d2a58d91e220e.tmp,23153442d1839e4eb05d2a58d91e220e.tmp,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,attrib_context_indexed_changed/attrib_changed/file_closed,-,-,23153442d1839e4eb05d2a58d91e220e.tmp,23153442d1839e4eb05d2a58d91e220e.tmp,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,file_created/file_closed,-,-,wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17570_none_4a184beecd8df1f1,wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17570_none_4a184beecd8df1f1,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,data_overwritten/file_added/file_created/file_renamed/attrib_changed/file_closed,-,-,dnscacheugc.exe,dnscacheugc.exe,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-

...

7/23/2011,23:04:48,CST6CDT,MACB,REG,UserAssist key,Time of Launch,brian,-,[System32] %windir%/system32/cleanmgr.exe,[System32] %windir%/system32/cleanmgr.exe [Count: 16] nr. of times app had focus: 20 and duration of focus: 274185ms,2,c:\temp2/ntuser.dat,0,-,Log2t::input::ntuser,-
7/23/2011,23:04:48,CST6CDT,MACB,REG,UserAssist key,Time of Launch,brian,-,[User Pinned] %APPDATA%/Microsoft/Internet Explorer/Quick Launch/User Pinned/StartMenu/Disk Cleanup.lnk,[User Pinned] %APPDATA%/Microsoft/Internet Explorer/Quick Launch/User Pinned/StartMenu/Disk Cleanup.lnk [Count: 3] nr. of times app had focus: 0 and duration of focus: 3ms,2,c:\temp2/ntuser.dat,0,-,Log2t::input::ntuser,-
7/23/2011,23:05:05,CST6CDT,.A..,FILE,NTFS $MFT,$SI [.A..] time,-,-,/Windows/Logs/CBS/CBS.log,/Windows/Logs/CBS/CBS.log,2,/Windows/Logs/CBS/CBS.log,9085, ,Log2t::input::mft,-
7/23/2011,23:05:05,CST6CDT,MAC.,FILE,NTFS $MFT,$FN [MAC.] time,-,-,/Windows/Logs/CBS/CBS.log,/Windows/Logs/CBS/CBS.log,2,/Windows/Logs/CBS/CBS.log,9085, ,Log2t::input::mft,-
7/23/2011,23:05:15,CST6CDT,M...,FILE,NTFS $MFT,$SI [M...] time,-,-,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,2,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,21495, ,Log2t::input::mft,-
7/23/2011,23:05:31,CST6CDT,MAC.,FILE,NTFS $MFT,$SI [MAC.] time,-,-,/Windows/Logs/CBS,/Windows/Logs/CBS,2,/Windows/Logs/CBS,1961, ,Log2t::input::mft,-
7/23/2011,23:05:31,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,2,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,9092, ,Log2t::input::mft,-
7/23/2011,23:05:31,CST6CDT,.AC.,FILE,NTFS $MFT,$SI [.AC.] time,-,-,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,2,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,9092, ,Log2t::input::mft,-
7/23/2011,23:05:35,CST6CDT,MACB,REG,SOFTWARE key,Last Written,-,-,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 ,Key name: HKLM/SoftwareCMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 ,2,c:\temp2/software,0,-,Log2t::input::software,-
7/23/2011,23:05:35,CST6CDT,MACB,REG,SOFTWARE key,Last Written,-,-,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514 ,Key name: HKLM/SoftwareCMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514 ,2,c:\temp2/software,0,-,Log2t::input::software,-

Other free programs somewhat similar to log2timeline:
RegRipper
RegExtract
These two programs display subsets of registry hives.

 

Another good document on log2timeline is "Timeline Creation & Analysis" by Mark Hallman. It also covers Windows' rules for time attribute modification when file/folder operations are performed.

Useful info: Reviewing Timelines with Excel.

 

Timeline Analysis Bibliography mentions relevant papers and software. I tried Aftertime, but it seems to accept as input only disk images, so I didn't test it further yet.

 

OSForensics can report on recent activity, including a timeline filter.