We?re creating a new cloud-forensic tool ? click here to sign up for the Beta and be the first to try it out.
Log2Timeline is a tool for generating forensic timelines from digital evidence, such as disk images or event logs.
Installing Log2Timeline from source-code
You can download the Python source code for Log2Timeline from:
https://github.com/log2timeline/plaso(Click Download zip or clone with Git)
Then install the required Python Libraries with:
- pip install -r requirements.txt
You can download Python from https://www.python.org/downloads
One of the required libraries (pylzma) can have issues running on Windows, so you may need to run the compiled binaries (below) instead.
Alternatively to running straight from the source-code, there are a number of precompiled binaries available:
Installing Log2Timeline on Ubuntu
Run:
sudo apt-get updatesudo apt-get install python-plaso plaso-tools
See more at https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release
Installing Log2Timeline on Fedora
Run:
sudo dnf install dnf-plugins-coresudo dnf copr enable @gift/stablesudo apt-get install python-plaso plaso-tools
See more at https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release
Installing Log2Timeline on Mac OS XDownload the latest .dmg file from:https://github.com/log2timeline/plaso/releases
Then run install.sh in the terminal
Installing Log2Timeline on WindowsOn Windows, it?s easiest to use the precompiled .exe files available at:https://github.com/log2timeline/plaso/releases
About Log2Timeline
Formerly log2timline was a single perl script ? now it is a more stable Python library.At it?s core it consists of:
- plaso.py ? which turns evidence files into a standardised timeline format
- log2timeline.py ? which turns the generated timeline into a readable output format ? such as a CSV file
Generating a Log2Timeline Body FileThe following command will generate a timeline file (timeline.plaso) from a disk image (drive.e01):log2timeline timeline.plaso drive.e01Or the same command when run from python:python log2timeline.py timeline.plaso drive.e01
Outputting a Log2Timeline
The most common format for outputting a Log2Timeline is a CSV file, but there are many to choose from:
l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields. xlsx : Excel Spreadsheet (XLSX) output l2ttln : Extended TLN 7 field | delimited output.4n6time_sqlite : Saves the data in a SQLite database, used by the tool 4n6time. kml : Saves events with geography data into a KML format. dynamic : Dynamic selection of fields for a separated value output format. rawpy : ?raw? (or native) Python output. json : Saves the events into a JSON format. null : Output module that does not output anything. tln : TLN 5 field | delimited output. json_line : Saves the events into a JSON line format.
(Table taken from Log2Timeline)
Log2Timeline CheatsheetThere is a great cheatsheet available from SANS at https://digital-forensics.sans.org/media/log2timeline_cheatsheet.pdf
Is Log2Timeline Slow ?Parsing large evidence files is a computationally exhaustive process.Earlier Perl versions of Log2Timeline suffered from known memory leaks, but these have been fixed some time ago.
Beyond running on a high a specification machine as possible, consider splitting Log2Timeline tasks to run across a number of machines.If you?re leaving Log2Timeline running over a weekend ? strongly consider the possibility that it will crash.If you?re running multiple instances, atleast you won?t lose all the processing.
Log2Timeline and Timezones
By default Log2Timeline will output times in the UTC timezone. It?s probably easiest to stick to UTC for consistency, but if you need to set a specific timezone can you can so with the -z option, for example:
-z UTC
Log2Timeline Parsers
Parsers include:
amcache : Parser for Amcache Registry entries. android_app_usage : Parser for Android usage-history.xml files. asl_log : Parser for ASL log files. bash : Parser for Bash history files bencode : Parser for bencoded files. binary_cookies : Parser for Safari Binary Cookie files. bsm_log : Parser for BSM log files. chrome_cache : Parser for Chrome Cache files. chrome_preferences : Parser for Chrome Preferences files. cups_ipp : Parser for CUPS IPP files. custom_destinations : Parser for *.customDestinations-ms files. dockerjson : Parser for JSON Docker files. dpkg : Parser for Debian dpkg.log files. esedb : Parser for Extensible Storage Engine (ESE) database files. filestat : Parser for file system stat information. firefox_cache : Parser for Firefox Cache version 1 files (Firefox 31 or earlier). firefox_cache2 : Parser for Firefox Cache version 2 files (Firefox 32 or later). fsevents : Parser for fseventsd files. gdrive_synclog : Parser for Google Drive Sync log files. java_idx : Parser for Java WebStart Cache IDX files. lnk : Parser for Windows Shortcut (LNK) files. mac_appfirewall_log : Parser for appfirewall.log files. mac_keychain : Parser for MacOS Keychain files. mac_securityd : Parser for MacOS securityd log files. mactime : Parser for SleuthKit version 3 bodyfiles. macwifi : Parser for MacOS wifi.log files. mcafee_protection : Parser for McAfee AV Access Protection log files. mft : Parser for NTFS $MFT metadata files. msiecf : Parser for MSIE Cache Files (MSIECF) also known as index.dat. olecf : Parser for OLE Compound Files (OLECF). openxml : Parser for OpenXML (OXML) files. opera_global : Parser for Opera global_history.dat files. opera_typed_history : Parser for Opera typed_history.xml files. pe : Parser for Portable Executable (PE) files. plist : Parser for binary and text plist files. pls_recall : Parser for PL/SQL Recall files. popularity_contest : Parser for popularity contest log files. prefetch : Parser for Windows Prefetch files. recycle_bin : Parser for Windows $Recycle.Bin $I files. recycle_bin_info2 : Parser for Windows Recycler INFO2 files. rplog : Parser for Windows Restore Point (rp.log) files. sccm : Parser for SCCM logs files. selinux : Parser for SELinux audit.log files. skydrive_log : Parser for OneDrive (or SkyDrive) log files. skydrive_log_old : Parser for OneDrive (or SkyDrive) old log files. sophos_av : Parser for Anti-Virus log (SAV.txt) files. sqlite : Parser for SQLite database files. symantec_scanlog : Parser for Symantec Anti-Virus log files. syslog : Syslog Parser usnjrnl : Parser for NTFS USN change journal ($UsnJrnl). utmp : Parser for Linux/Unix UTMP files. utmpx : Parser for UTMPX files. winevt : Parser for Windows EventLog (EVT) files. winevtx : Parser for Windows XML EventLog (EVTX) files. winfirewall : Parser for Windows Firewall Log files. winiis : Parser for Microsoft IIS log files. winjob : Parser for Windows Scheduled Task job (or At-job) files. winreg : Parser for Windows NT Registry (REGF) files. xchatlog : Parser for XChat log files. xchatscrollback : Parser for XChat scrollback log files.zsh_extended_history : Parser for ZSH extended history files airport : Parser for Airport plist files. android_calls : Parser for Android calls SQLite database files. android_sms : Parser for Android text messages SQLite database files. android_webview : Parser for Android WebView databases android_webviewcache : Parser for Android WebViewCache databases appcompatcache : Parser for Application Compatibility Cache Registry data. apple_id : Parser for Apple account information plist files. appusage : Parser for MacOS application usage SQLite database files. bagmru : Parser for BagMRU Registry data. bencode_transmission : Parser for Transmission bencoded files. bencode_utorrent : Parser for uTorrent bencoded files. ccleaner : Parser for CCleaner Registry data. chrome_27_history : Parser for Google Chrome 27?63 history SQLite database files. chrome_8_history : Parser for Google Chrome 8?25 history SQLite database files. chrome_cookies : Parser for Chrome cookies SQLite database files. chrome_extension_activity : Parser for Chrome extension activity SQLite database files. cron : Parser for syslog cron messages. explorer_mountpoints2 : Parser for mount points Registry data. explorer_programscache : Parser for Explorer ProgramsCache Registry data. file_history : Parser for File History ESE database files. firefox_cookies : Parser for Firefox cookies SQLite database files. firefox_downloads : Parser for Firefox downloads SQLite database files. firefox_history : Parser for Firefox history SQLite database files. google_drive : Parser for Google Drive SQLite database files. imessage : Parser for the iMessage and SMS SQLite databases on OSX and iOS. ipod_device : Parser for iPod, iPad and iPhone plist files. kik_messenger : Parser for iOS Kik messenger SQLite database files. ls_quarantine : Parser for LS quarantine events SQLite database files. mac_document_versions : Parser for document revisions SQLite database files. mackeeper_cache : Parser for MacKeeper Cache SQLite database files. macosx_bluetooth : Parser for Bluetooth plist files. macosx_install_history : Parser for installation history plist files. macuser : Parser for MacOS user plist files. maxos_software_update : Parser for MacOS software update plist files. microsoft_office_mru : Parser for Microsoft Office MRU Registry data. microsoft_outlook_mru : Parser for Microsoft Outlook search MRU Registry data. mrulist_shell_item_list : Parser for Most Recently Used (MRU) Registry data. mrulist_string : Parser for Most Recently Used (MRU) Registry data. mrulistex_shell_item_list : Parser for Most Recently Used (MRU) Registry data. mrulistex_string : Parser for Most Recently Used (MRU) Registry data. mrulistex_string_and_shell_item : Parser for Most Recently Used (MRU) Registry data.mrulistex_string_and_shell_item_list : Parser for Most Recently Used (MRU) Registry data. msie_webcache : Parser for MSIE WebCache ESE database files. msie_zone : Parser for Internet Explorer zone settings Registry data. mstsc_rdp : Parser for Terminal Server Client Connection Registry data. mstsc_rdp_mru : Parser for Terminal Server Client MRU Registry data. network_drives : Parser for Network Registry data. olecf_automatic_destinations : Parser for *.automaticDestinations-ms OLECF files. olecf_default : Parser for a generic OLECF item. olecf_document_summary : Parser for a DocumentSummaryInformation OLECF stream. olecf_summary : Parser for a SummaryInformation OLECF stream. plist_default : Parser for plist files. safari_history : Parser for Safari history plist files. skype : Parser for Skype SQLite database files. spotlight : Parser for Spotlight plist files. spotlight_volume : Parser for Spotlight volume configuration plist files. srum : Parser for System Resource Usage Monitor (SRUM) ESE database files. ssh : Parser for SSH syslog entries. time_machine : Parser for TimeMachine plist files. twitter_ios : Parser for Twitter on iOS 8+ database userassist : Parser for User Assist Registry data. windows_boot_execute : Parser for Boot Execution Registry data. windows_boot_verify : Parser for Boot Verification Registry data. windows_run : Parser for run and run once Registry data. windows_sam_users : Parser for SAM Users and Names Registry keys. windows_services : Parser for services and drivers Registry data. windows_shutdown : Parser for ShutdownTime Registry value. windows_task_cache : Parser for Task Scheduler cache Registry data. windows_timezone : Parser for Windows timezone settings. windows_typed_urls : Parser for Explorer typed URLs Registry data. windows_usb_devices : Parser for USB device Registry entries. windows_usbstor_devices : Parser for USB Plug And Play Manager USBStor Registry Key. windows_version : Parser for Windows version Registry data. winlogon : Parser for winlogon Registry data. winrar_mru : Parser for WinRAR History Registry data. winreg_default : Parser for Registry data. zeitgeist : Parser for Zeitgeist activity SQLite database files.
(Taken from log2timeline.py)
Supported file extensions include:
asl, bsm, bz2, conf, csv, DAT, db, db-wal, dd, doc, docx, E01, E02, edb, Evt, evtx, exe, gz, hve, idx, job, jpg, keychain, lnk, Log, pcap, pf, plaso, plist, qcow2, raw, rules, sql, sqlite, sys, tar, tgz, txt, tzif, vhd, vmdk, xml, zip
We?re creating a new cloud-forensic tool ? click here to sign up for the Beta and be the first to try it out.
