Log2timeline: free computer event and artifact timeline analysis

Discussion in 'other software & services' started by MrBrian, Aug 29, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Author's description:
    My description:
    Log2timeline lets you view various computer events and artifacts that have an associated time. Amongst the 43 types of events/artifacts supported in v0.60 are browser history, Windows Event log files, NTFS change log, NTFS Master File Table, and registry hives. There are 11 output formats. The default output format is .CSV, which you can open in a spreadsheet program for further analysis.

    Some useful scenarios:
    1. How did malware get on a system?
    2. What areas may have been affected by malware on a system?
    3. Why did problems start happening on a system?
    4. What was someone doing on a system?

    Understands events and artifacts from these operating systems:
    Windows
    Unix-based systems

    Runs on these operating systems:
    Windows (with ActiveState Perl installed); I got v0.60 to run on Windows 7 x64 with ActiveState Perl x64; see included file Install.txt in Docs folder for Windows installation instructions
    Unix-based systems
    Various live CDs such as SIFT Workstation, DEFT, and CAINE

    Useful documents by the program's author (use search engine to find):
    "Log2Timeline - Helping You to Create Super Timelines Since 2009" - describes v0.60, including all of its input methods, and also use of program l2t_process
    "Mastering the Super Timeline - log2timeline style"
    "Mastering the Super Timeline with log2timeline"

    Example command-line usage (run with admin privileges) on a live system (adapted from http://thedigitalstandard.blogspot.com/2011/07/log2timeline-and-super-timelilnes.html):
    Perl c:\perl64\bin\log2timeline.pl -r c:\ -w c:\temp\output.csv

    How to get log2timeline to use locked files or otherwise unavailable files of interest on Windows:
    Use NTFS File Copy Utility or HBGary's FGet to make a copy of the desired file before running log2timeline. NTFS Directory Enumerator is useful for seeing all of the files available in a directory, including special files such as $MFT.

    Problems encountered:
    I got errors when trying to process some (all?) Windows Event .evtx files. I didn't spend much time troubleshooting the issue.

    Example (two snippets) of .CSV output (sorted by date/time with Excel first; I replaced the real account name with 'brian'; there are 16 columns when viewed in a spreadsheet):

    7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,data_overwritten/file_added/file_created/file_renamed/file_closed,-,-,23153442d1839e4eb05d2a58d91e220e.tmp,23153442d1839e4eb05d2a58d91e220e.tmp,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
    7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,attrib_context_indexed_changed/attrib_changed/file_closed,-,-,23153442d1839e4eb05d2a58d91e220e.tmp,23153442d1839e4eb05d2a58d91e220e.tmp,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
    7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,file_created/file_closed,-,-,wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17570_none_4a184beecd8df1f1,wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17570_none_4a184beecd8df1f1,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
    7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,data_overwritten/file_added/file_created/file_renamed/attrib_changed/file_closed,-,-,dnscacheugc.exe,dnscacheugc.exe,2,c:\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-

    ...

    7/23/2011,23:04:48,CST6CDT,MACB,REG,UserAssist key,Time of Launch,brian,-,[System32] %windir%/system32/cleanmgr.exe,[System32] %windir%/system32/cleanmgr.exe [Count: 16] nr. of times app had focus: 20 and duration of focus: 274185ms,2,c:\temp2/ntuser.dat,0,-,Log2t::input::ntuser,-
    7/23/2011,23:04:48,CST6CDT,MACB,REG,UserAssist key,Time of Launch,brian,-,[User Pinned] %APPDATA%/Microsoft/Internet Explorer/Quick Launch/User Pinned/StartMenu/Disk Cleanup.lnk,[User Pinned] %APPDATA%/Microsoft/Internet Explorer/Quick Launch/User Pinned/StartMenu/Disk Cleanup.lnk [Count: 3] nr. of times app had focus: 0 and duration of focus: 3ms,2,c:\temp2/ntuser.dat,0,-,Log2t::input::ntuser,-
    7/23/2011,23:05:05,CST6CDT,.A..,FILE,NTFS $MFT,$SI [.A..] time,-,-,/Windows/Logs/CBS/CBS.log,/Windows/Logs/CBS/CBS.log,2,/Windows/Logs/CBS/CBS.log,9085, ,Log2t::input::mft,-
    7/23/2011,23:05:05,CST6CDT,MAC.,FILE,NTFS $MFT,$FN [MAC.] time,-,-,/Windows/Logs/CBS/CBS.log,/Windows/Logs/CBS/CBS.log,2,/Windows/Logs/CBS/CBS.log,9085, ,Log2t::input::mft,-
    7/23/2011,23:05:15,CST6CDT,M...,FILE,NTFS $MFT,$SI [M...] time,-,-,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,2,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,21495, ,Log2t::input::mft,-
    7/23/2011,23:05:31,CST6CDT,MAC.,FILE,NTFS $MFT,$SI [MAC.] time,-,-,/Windows/Logs/CBS,/Windows/Logs/CBS,2,/Windows/Logs/CBS,1961, ,Log2t::input::mft,-
    7/23/2011,23:05:31,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,2,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,9092, ,Log2t::input::mft,-
    7/23/2011,23:05:31,CST6CDT,.AC.,FILE,NTFS $MFT,$SI [.AC.] time,-,-,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,2,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,9092, ,Log2t::input::mft,-
    7/23/2011,23:05:35,CST6CDT,MACB,REG,SOFTWARE key,Last Written,-,-,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 ,Key name: HKLM/SoftwareCMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 ,2,c:\temp2/software,0,-,Log2t::input::software,-
    7/23/2011,23:05:35,CST6CDT,MACB,REG,SOFTWARE key,Last Written,-,-,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514 ,Key name: HKLM/SoftwareCMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}/Microsoft/Windows/CurrentVersion/Component Based Servicing/ApplicabilityEvaluationCache/Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514 ,2,c:\temp2/software,0,-,Log2t::input::software,-

    Other free programs somewhat similar to log2timeline:
    RegRipper
    RegExtract
    These two programs display subsets of registry hives.
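A worked example of consuming the .CSV output shown above, added here and not part of the post or of log2timeline itself: it parses l2t_csv rows into real timestamps and decoded MACB flags, pulls every event inside a window around a time of interest (the usual "pivot" step of super-timeline review), and tallies events per source. The column names follow the 17-field l2t_csv layout (date, time, timezone, MACB, source, sourcetype, type, user, host, short, desc, version, filename, inode, notes, format, extra); the embedded rows are constructed to mirror the post's sample rather than taken from real evidence, and every function name is my own.

```python
"""Pivot through log2timeline l2t_csv output around a time of interest.

Added example, not code from the original post or from log2timeline.
Assumes the 17-column l2t_csv layout named in L2T_COLUMNS below.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

L2T_COLUMNS = ["date", "time", "timezone", "MACB", "source", "sourcetype",
               "type", "user", "host", "short", "desc", "version",
               "filename", "inode", "notes", "format", "extra"]

# Meaning of each position in the MACB column; '.' means "not this role".
MACB_MEANING = {"M": "modified", "A": "accessed",
                "C": "changed (metadata)", "B": "born (created)"}

# Constructed sample rows (pattern copied from the post; values are made up).
SAMPLE_CSV = """\
7/23/2011,21:40:19,CST6CDT,MACB,LOG,NTFS Change Log,file_created/file_closed,-,-,dnscacheugc.exe,dnscacheugc.exe,2,c:\\temp2/usnj.csv,0,-,Log2t::input::jp_ntfs_change,-
7/23/2011,23:04:48,CST6CDT,MACB,REG,UserAssist key,Time of Launch,brian,-,[System32] %windir%/system32/cleanmgr.exe,[System32] %windir%/system32/cleanmgr.exe [Count: 16],2,c:\\temp2/ntuser.dat,0,-,Log2t::input::ntuser,-
7/23/2011,23:05:05,CST6CDT,.A..,FILE,NTFS $MFT,$SI [.A..] time,-,-,/Windows/Logs/CBS/CBS.log,/Windows/Logs/CBS/CBS.log,2,/Windows/Logs/CBS/CBS.log,9085, ,Log2t::input::mft,-
7/23/2011,23:05:15,CST6CDT,M...,FILE,NTFS $MFT,$SI [M...] time,-,-,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,2,/Windows/Prefetch/TRUSTEDINSTALLER.EXE-3CC531E5.pf,21495, ,Log2t::input::mft,-
7/23/2011,23:05:31,CST6CDT,MACB,FILE,NTFS $MFT,$FN [MACB] time,-,-,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,2,/Windows/Logs/CBS/CbsPersist_20110724040505.cab,9092, ,Log2t::input::mft,-
"""


def decode_macb(flags):
    """Turn an l2t MACB value such as 'MAC.' into the set of timestamp roles it covers."""
    return {MACB_MEANING[ch] for ch in flags if ch in MACB_MEANING}


def parse_l2t_csv(text):
    """Parse l2t_csv text into dicts keyed by column name, sorted by parsed time.

    Rows with the wrong field count are skipped rather than guessed at, and an
    optional header row (first field 'date') is ignored.
    """
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != len(L2T_COLUMNS) or rec[0] == "date":
            continue
        row = dict(zip(L2T_COLUMNS, rec))
        # l2t writes the local time of the zone in column 3 (CST6CDT here);
        # naive datetimes are fine as long as every row shares that zone.
        row["when"] = datetime.strptime(row["date"] + " " + row["time"],
                                        "%m/%d/%Y %H:%M:%S")
        row["macb"] = decode_macb(row["MACB"])
        rows.append(row)
    # Sort on the parsed datetime, not on the text, so 7/9 does not follow 7/10.
    rows.sort(key=lambda r: r["when"])
    return rows


def pivot(rows, at, before=timedelta(seconds=60), after=timedelta(seconds=60)):
    """Return the events within [at - before, at + after], oldest first."""
    return [r for r in rows if at - before <= r["when"] <= at + after]


def count_by_source(rows):
    """Tally events per l2t source column (FILE, REG, LOG, ...)."""
    counts = {}
    for r in rows:
        counts[r["source"]] = counts.get(r["source"], 0) + 1
    return counts


if __name__ == "__main__":
    timeline = parse_l2t_csv(SAMPLE_CSV)
    print("events per source:", count_by_source(timeline))
    # Pivot on the TrustedInstaller prefetch update and show its neighbours.
    for r in pivot(timeline, datetime(2011, 7, 23, 23, 5, 15),
                   before=timedelta(seconds=15), after=timedelta(seconds=20)):
        print(r["when"], r["source"], sorted(r["macb"]), r["short"])
```

Two design points worth noting: the sort key is the parsed datetime rather than the date string, because a spreadsheet sorting the raw text column can misorder dates with different digit counts; and the time window is compared only among rows carrying the same timezone value, so a timeline merged from hosts in different zones should be normalized before this step.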
     
  2. MrBrian

    Another good document on log2timeline is "Timeline Creation & Analysis" by Mark Hallman. It also covers Windows' rules for time attribute modification when file/folder operations are performed.

    Useful info: Reviewing Timelines with Excel.
     