log2timeline

News
Information
Usage
Visualization
Man Page
Download Area
Input Modules
Output Modules
Installation
Roadmap
Author
Donations

This humble web site is dedicated to the tool log2timeline, a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.

The tool is written in Perl for Linux but has been tested using Mac OS X (10.5.7+ and 10.6.+). Parts of it should work natively in Windows as well (with ActiveState Perl installed) while other parts need to be slightly to considerably modified to work properly (haven't tested any functionality in Windows yet, if anyone is interested in porting the application to Windows then please contact me).

Perhaps one day this site will include some graphic or other eye candy, and even a better description of the tool, but until then... Please refer to the man page for a description of the tool or to the blog entries that can be found here below for examples of usage and a better description.

I started this project after a discussion with Rob Lee about possible topics I could choose for my SANS Gold paper. Rob had this great idea of wanting a tool that could take timeline analysis to a new level. That is to create a single tool that could parse various artifacts found on a suspect drive and include them in the timeline, a some sort of super timelining. The Gold paper hasn't been completed yet, however as soon as it will be published I will make it available on this site.

News

15/01/10: A new version has been released, 0.41, several bug fixes, enchancements and new input modules, such as a Chrome browser history, Opera browser history, Firefox bookmarks, Windows EVTX and a new output module, CEF (Commen Event Format). Other input modules have been improved, userassist now supports Windows 7 or Vista and Firefox3 reads bookmark and download information from the database. See the changelog.
25/11/09: Finally a new version released. This time with lots and lots of changes, so the new version is a point upgrade, version 0.40. Some major changes, such as upgrade to the GUI front-end, to make it feature compatible with the CLI as well as changes to make timescanner more stable and able to parse more files. Also normalizing all times to UTC, making it a requirement to use -z TIMEZONE to the input of log2timeline. For full list of changes, see the changelog.
15/09/09: Version 0.33 released. Mostly bug fixes and other minor changes, see the changelog for full list. The update is recommended, since there were few bugs in the older version.
10/09/09: Version 0.32 released. New input modules for XP firewall log, Flash cookies and setup API log files. Also added a new parameter to log2timeline, -c to check if there is an update available. Full changelog can be read here.
07/09/09: Version 0.31b released. New input module added for parsing EXIF data. A new tool added, called timescanner that recursively goes through directories, searching for files that the tool is able to parse, other changes made, full list can be read in the changelog. Also modified the installation of the tool, it's now done through a Makefile (better integration as well as to include libraries in correct places)
02/09/09: Version 0.30b released. Considerable changes made, please see the changelog for full details. Added a basic GUI, created shared libraries, seperated shared functions from main script into libraries, created new libraries, added input and output modules.
10/08/09: Version 0.22b released. Added four new input modules, some modifications made to the main script as well as adding one output module. See the changelog for full details.
07/08/09: Version 0.21b released. Added IIS W3C input module as well as fixing few bugs in the win_link input module. Also added a new output format, TLN (timeline format as defined by H. Carvey). See CHANGELOG for full list of changes
04/08/09: Second beta version released on the site, version 0.20b. Added Firefox3 support plus modified the structure of the file, please see changelog for all modifications and updates.
31/07/09: First beta version released on the site, version 0.12b

Information

A GUI has been written in Perl-GTK2 for creating the timeline. Since the GUI is written in GtK2 it will not work on every OS. It has been tested to work on both Linux (tested on Ubuntu) as well as on Mac OS X (tested on Mac OS X 10.5 and 10.6 with X11 installed and Macports to install dependencies).

please note, I'm not a GUI developer, so if anyone is interested in assisting with this project, you are more than welcome to fix the GUI

Starting from version 0.31b log2timeline includes some output modules that can be used with tools that visually represent the timeline. Although the output module should provide an accurate XML document that can be used by these tools they haven't been tested fully. This site will contain some screenshots and documentation explaining how such visual representation can be made, yet until then...

The latest version also includes a new front-end, called timescanner. Timescanner recursively goes through a directory and tests each file found to see if the tool can parse and extract timestamp data from it. By using that tool one can go through an entire image and extract all available timestamps from artifactst that log2timeline is able to parse.

A quick note to Mac OS X users, there are problems running the openxml.pl input module when using the standard Perl. One way to get it to work is to use the MacPorts version of Perl and install the "p5-archive-zip" and "p5-xml-libxml" packages (port install ...) (please see the INSTALLATION document provided with the tool to get a better description on howto install the tool on different platforms)

Usage

For examples of usage, please see blog posts about the tool:

Visualization

log2timeline now supports exporting data in a XML document that can be read by timeline visualization tools such as CFTL (CyberForensics TimeLab) or SIMILE timeline widgets.

For an example of such a visualization you can see an example case in a SIMILE widget. Another visual example shows the timeline from the same case, except that only browsing history is showed for the user "joe".

Man page

The man page can be reached from here and the changelog here.

Download Area

Log2timeline has been downloaded over 1.300 (1310) times by 637 different source IP's (statistics gathered 27/01/2010)

The current version of the tool is version 0.41, which can be downloaded from here:
log2timeline_0.41 (md5) (sha1)

Beta version (nightly builds)

The current development version of the tool (frequently updated) can be downloaded from here:
log2timeline_current development version

There is no guarantee that this version works at all, since this is the development version of the tool, but it is the most up to date distribution, containing the latest features and bug fixes, so it might be a good place to check out before submitting a bug report.

Older versions

Other download

Other scripts that I've written can be downloaded from here

Donations

If you like this tool, seriously consider donating money to aid furhter development. Donations are really appreciated since this tool is developed in my own spare time (which is often quite limited)

Current Input Modules

log2timeline currently supports parsing the following formats:

Google Chrome history
Windows Event Log files (EVT)
Windows Event Log files (EVTX)
EXIF. Extracts exif information or metadata from various media files
Firefox bookmarks
Firefox 3 history
Internet Explorer history files, parsing index.dat files
Windows IIS W3C log files
ISA server text export. Copy query results to clipboard and into a text file
Mactime body files (to provide an easy method to modify from mactime format to some other)
Opera Global and Direct browser history
OpenXML metadata, for metadata extraction from Office 2007 documents
PCAP files, parsing network dump files created by tool such as Wireshark and tcpdump (PCAP)
Windows Prefetch directory
Windows Recycle Bin (INFO2 or I$)
Windows Restore Points
Windows XP SetupAPI.log file
Adobe Local Shared Object files (SOL/LSO), aka Flash Cookies
Squid Access Logs (httpd_emulate off)
TLN (timeline) body files
UserAssist key of the Windows registry
Windows Shortcut files (LNK)
Windows XP Firewall Log files (W3C format)

Current Output Modules

log2timeline currently supports exporting timeline into the following formats

CEF. Common Event Format as described by ArcSight
CFTL. A XML file that can be read by CyberForensics TimeLab (for timeline visualization)
CSV. Dump the timeline in a comma separated value file (CSV) to easily import it into spreadsheet or use with scripts
Mactime. Both older and newer version of the format supported for use by TSK's mactime
SIMILE. An XML file that can be read by a SIMILE timeline widget for timeline visualization
SQLite. Dump the timeline into a SQLite database, that can be read by possible future visualization tools
TLN. Timeline format that is used by some of H. Carvey tools

Installation

log2timeline requires several Perl libraries to be installed on the system. An installation document is provided with the tool in the docs/ folder (INSTALLATION). It can also be found here.

There is also a nice post on Andrew Hay's blog that describes a method to install log2timeline on the SIFT forensic workstation here. It seems to be missing the "yum install perl-DBD-SQLite" package though.

Roadmap

The very dynamic and flexible roadmap can be seen here where a rough picture of where the tool is heading can be found.

Anyone who is interested in this project can pitch in and either follow this roadmap or create input or output modules that are not listed there. It would be appreciated if all written modules would be sent to the author of log2timeline for inclusion with the tool. The directory "dev" that is included with the tool contains the necessary files and information on how to start creating new input or output modules.