Version 0.50 (30/06/10)
- [VOLATILITY] An input module created by Julien Touche has been added that parses the output from the psscan2 module of the Volatility framework
  - Updated the input module to take advantage of the new timestamp object
  - Modified the module to use both the psscan and psscan2 output
  - Modified the module a bit to fix some issues with multiple date objects
- [TLNX output] Created a new output module that outputs in the TLN format, using XML as the output method
- [BEEDOCS output] Created a new output module that outputs in a TDF (tab delimited file) that can be imported into BeeDocs for visualization
- [log2timeline] Modified log2timeline so it can handle the new t_line timestamp object
  - Modified the man page (the pod section) to reflect the changes made to the framework
  - Added the option of -n to define the host name
  - Modified the -c option, which is ambiguous (both -c => calculate and check). Now -c means calculate and -u or -upgrade means the version checking
  - Modified the version checking, added a check for proxy settings, using environment variables (no manual proxy settings supported yet)
- [timescanner] Modified timescanner to accept a list of input modules that it will use during its scan. The addition is implemented so that the user can supply -f LISTNAME, where LISTNAME is either the name of a .lst file (predefined lists of known input modules; see the available files by issuing -f list), the name of the module to scan, or a list of them (comma separated) (see man for further detail)
  - Added support for the new timestamp with the possibility to use the old timestamp object (backward compatibility)
  - Added a field, if a file has been successfully parsed, no more checks are made against it
  - Sort the input modules run against files, exif is always the last
  - Made some optimization changes to the tool
  - Added the option of -n to define the host name
- [glog2timeline] Upgraded so it can use the new timestamp object
  - Added the limited proxy support (using env, not manually set)
  - Fixed a typo in the GUI, sucpect became suspect (thanks Chris Shanahan for pointing this out to me)
- [TLN output] Modified the TLN output module so that it can handle the new timestamp object
  - Added a check to see if the timestamp is of zero value (or less), not to print those timestamps
- [TIME library] Added the fix_epoch function back into the tool, upgraded it so that it considers DST
  - Fixed the epoch2iso function
  - Added a check to hash_to_date function to fix a bug in the mcafee input module
  - Fixed an issue with date calculations in the pdf_to_date function, now date addition/subtraction is done through datetime, not by simple calculations which often lead to errors (especially when offsets in dates caused the day to cross an illegal date, such as 31st of a month that only has 30 days in it)
- [BINREAD library] Added the function read_ascii_magic that reads an ascii string until it hits either the maximum amount of entries, the null value or a predefined magic value that can be of arbitrary length.
- [COMMON library] Added few more options to the get_username_from_path function.
- [MACTIME output] Upgraded the output module so that it can handle the new timestamp object
- [ALL input modules] Modified the verification phase, to help speed up verification
- [RECYCLER input] Upgraded the input module to use the new timestamp object
- [EVT input] Upgraded the input module to use the new timestamp object
  - Added a small check to see if there is a reference to a KB article
  - Changed the usage of , to - to avoid confusion with the CSV output
  - Added support for KB article check, and to add the KB link to the URL field
- [EVTX input] Upgraded the input module to use the new timestamp object
  - Fixed a bug in the library where timestamps would appear as zero value
- [EVTX Library] Updated to the latest version, 1.0.5
- [CHROME input] Upgraded the input module to use the new timestamp object
- [EXIF input] Upgraded the input module to use the new timestamp object
  - Added more checks to validate if the file is an XML file (skip if it is, XML files tend to take up an awful lot of memory)
- [FF_BOOKMARK input] Upgraded the input module to use the new timestamp object
- [FIREFOX3 input] Upgraded the input module to use the new timestamp object
- [IEHISTORY input] Upgraded the input module to use the new timestamp object
  - Also fixed a bug where some timestamps are written using Local timestamp. That is to make the iehistory file more location aware. The module will now check the location of the index.dat file to compare it to a predefined set of locations. This is done since some timestamps are stored in local timezone, such as the weekly history files, whereas others are stored using UTC, like the master history file.
  - Added path checking to verify which type of index.dat file we are dealing with and assigning the date and timestamps accordingly
  - A bug fix, sometimes additional characters were added to the printing of header information (reported by Stefan Kelm)
- [IIS input] Upgraded the input module to use the new timestamp object
- [ISATXT input] Upgraded the input module to use the new timestamp object
- [MACTIME input] Upgraded the input module to use the new timestamp object
- [OPERA input] Upgraded the input module to use the new timestamp object
- [OXML input] Upgraded the input module to use the new timestamp object
  - Changed the output a bit, to add more context to it.
  - Fixed a minor bug, causing timescanner to spew additional timestamps into objects. That is, an array wasn't initialized, causing timescanner to reuse the array that stored the timestamps extracted from previous documents.
- [PCAP input] Upgraded the input module to use the new timestamp object
- [MCAFEE input] Upgraded the input module to use the new timestamp object
- [PDF input] Upgraded the input module to use the new timestamp object
- [PREFETCH input] Upgraded the input module to use the new timestamp object
  - Fixed few parts of the input module, to make it more optimized, reduced the time it took to run by half
- [RECYCLER input] Upgraded the input module to use the new timestamp object
- [RESTORE input] Upgraded the input module to use the new timestamp object
- [SETUPAPI input] Upgraded the input module to use the new timestamp object
- [SOL input] Upgraded the input module to use the new timestamp object
- [SQUID input] Upgraded the input module to use the new timestamp object
- [TLN input] Upgraded the input module to use the new timestamp object
  - Added support for the optional 7 fields (added TZ and Notes)
- [USERASSIST input] Upgraded the input module to use the new timestamp object
  - Fixed a small bug, if a username is not found the module called a wrong function to guess the username from path
- [WIN_LINK input] Upgraded the input module to use the new timestamp object
  - Changed the way volume serial numbers are presented from decimal to hex (tool consistency)
- [XPFIREWALL input] Upgraded the input module to use the new timestamp object
- [CEF output] Modified the output module so that it can handle the new timestamp object
- [CFTL output] Modified the output module so that it can handle the new timestamp object
- [CSV output] Modified the output module so that it can handle the new timestamp object
- [MACTIME_L output] Modified the output module so that it can handle the new timestamp object
- [SIMILE output] Modified the output module so that it can handle the new timestamp object
- [SQLITE output] Modified the output module so that it can handle the new timestamp object
  - Changed all references to BLOB to TEXT, easier to index and search through
  - Removed the host table, since it was unnecessary
- [TLN output] Modified the output module so that it can handle the new timestamp object

Version 0.43 (06/04/10)
- [MCAFEE input] Fixed a small bug where the input module would not parse the month value if it was only a single digit
- [timescanner] Temporary fix was added, excluding index.dat files that are inside daily or weekly history files
- [EVTX input] Fixed a flaw with the EVTX library, where timestamps appear as zero value
- Created an Ubuntu repository to make the installation process easier. I created Debian packages for those modules that do not have any packages as of yet in the official Debian repository.
- Log2timeline has also been included in the CERT forensics repository (for Fedora). So add the CERT repository to your Fedora workstation (http://www.cert.org/forensics/tools/) and issue yum install log2timeline. All dependencies should be fixed as well.
- [FIREFOX2 input] Added a Firefox 2 input module to parse the history.dat mork file
- [OXML input] Fixed a minor bug, uninitialized array that caused timescanner to reuse timestamps from previous documents

Version 0.42 (05/03/10)
- [MCAFEE input] Added an input module that reads the log files produced by the McAfee antivirus product
- [PDF input] Added an input module that reads PDF metadata (not XMP) to extract timestamps from PDF documents
- [OPERA input] Fixed a minor bug in the Opera input module that led to the fact that every Opera Global History file wasn't verified (and therefore not parsed).
  - Also fixed a minor bug that caused username in some cases not to be properly printed
- [USERASSIST input] Small modification to the output of the tool when the new version of NTUSER.DAT file is used
  - Added a GUID check to the older XP format of userassist keys
  - Added a title or shortened description field of the user assist keys
- [CSV output] Modified the CSV output, only one time per entry and a type field added (more like the original mactime)
- [log2timeline] Added a new field called notes to the timestamp object to include additional information about the event in question
- [EVT input] Added a link to eventid.net for event description in the note field of the timestamp object
- [SQLITE output] Modified the SQL structure as well as how the data is included in the database field
- [TLN output] Properly coded the TLN field so that it contains one entry per timestamp (older version used only crtime)
  - Modified and updated the code to reflect the current state of the standard (updates to the standard were made)
  - Using both optional fields, that is the TZ and Notes field, for further describing the event in question
- [XPFIREWALL input] Fixed an issue with an almost empty line (containing only space/s)
  - Added a check for the time zone information (to gather and record time zone settings to correct timestamps)
- [PREFETCH input] Updated the code a bit, making the text clearer as well as to simplify the date used, now only the time parsed out of the prefetch file is used as a timestamp as well as adding the extraction of the name of the executable to be parsed out of the prefetch file
  - Added more detailed information retrieved from the Prefetch file, extract loaded DLL names and print it along with the prefetch information
  - Added support for Windows Vista/Win7/.. Superfetch files. The version of the prefetch file is determined automatically or newer version of the Windows operating system (the default behaviour is the XP prefetch file)
  - Fixed a small off by one bug (one prefetch file was not processed)
  - Fixed a small bug, causing Prefetch information not to be included in timescanner output
- [SOL input] Modified a small bug in the assignments of date values, not all timestamps were properly set when a timestamp was found within the sol file
  - Another minor bug was fixed, the value of TRUE and FALSE in boolean values was switched
  - Modified the presentation of information, that is to translate double numbers that represent date objects into human readable format
  - Added path information taken from the main module (-m parameter) to include with the file name
  - Added another date check in the output (to modify epoch time to human readable one in the output format)
- [FIREFOX3 input] Removed a false fix_epoch statement, there is no need to fix the epoch value
- [OXML input] Added path information taken from the main module (-m parameter) to include with the file name
- [EXIF input] Added path information taken from the main module (-m parameter) to include with the file name
- [WIN library] Added few more GUIDs that are XP specific as well as others that are third party related and Vista/Win 7 specific
- [CFTL output] Added few more text replacements so the output is properly imported into CFTL
- [TIME library] Fixed a bug in the sol_date_calc function, incorrectly calculated timestamps from the time value passed to it
  - Removed the fix_epoch function, since it is not necessary and can lead to false results
  - Added an option to epoch2text to print the time in the user supplied time zone
  - Added an option to calculate dates from PDF documents (to accommodate the PDF input module)
  - Added a check to sol_date_calc to see if the variable passed in is higher than a fixed number (epoch from a date in 1995) and less than the current date plus 20 years
- [log2timeline] Added a check to see if the inode value was empty, and then fill it up with the correct value
  - Added the option of -calculate to calculate md5 sum of the file in question (included in the md5 part of the timestamp object)
  - Changed all references to \ to /, to make all paths more consistent
  - Added a check to see if -m was used then the value of it would be added as a path parameter to the input module (to include it in the filename path)
- [timescanner] Added a check to see if the inode value was empty, and then fill it up with the correct value
  - Added the option of -calculate to calculate md5 sum of the file in question (included in the md5 part of the timestamp object)
  - Changed all references to \ to /, to make all paths more consistent
  - Added a check to see if -m was used then the value of it would be added as a path parameter to the input module (to include it in the filename path)
  - Added a counter, showing how many files were processed by the tool (printed in the end of the run count alongside the run time of the tool)
- [most input modules] Changed the verification phase so that it starts by checking if this really is a file (-f) instead of just checking if the input is not a directory or if it exists (-e). There were problems when trying to parse FIFO or other types of non standard files. This caused problems in Vista/Win 7 images that made timescanner run to a halt while trying to verify the structure.
- [Parse:Evtx] Updated the Parse::Evtx library by Andreas Schuster to version 1.0.3

Version 0.41 (15/01/10)
- [CHROME input] Added a new input module for Chrome browser history
- [OPERA input] Added a new input module for Opera history files (both DIRECT and GLOBAL history files)
- [CEF output] Added an output module for the Common Event Format (CEF)
- [FIREFOX BOOKMARK] Added a new input module for Firefox bookmark file
- [EVTX] Added a new input module for Windows Event Log files (EVTX) for Windows Vista and Win 7, based on the EvtxParser libraries by Andreas Schuster
- [output modules] Added a constructor to all the output modules to include the possibility to send parameters to the output modules
- [SOL input] Almost rewrote the entire parser for SOL to correct several problems with the input module.
- [FIREFOX3 input] Few bug fixes in the Firefox 3 module, missing some fields in the t_line hash as well as to add the host parameter
  - Modified the verification process so that instead of trying to select a value from moz_places a list of all available tables is selected, and it is checked whether or not moz_places exists in that list (the other method resulted in various error messages when timescanner found a SQLite database file that did not contain moz_places)
  - Added information from the moz_items_annos and moz_bookmarks table to include bookmark information from Firefox 3
- [USERASSIST input] Added a missing field in the t_line hash as well as to fix a minor bug that caused UserAssist input module not to parse any file when timescanner was used.
  - Added support for Windows Vista and newer operating systems, based on an article by Didier Stevens in IntoTheBoxes magazine (1q2009)
- [WIN library] Added a new library called Win (Log2t::Win) which will contain various information extracted from a Windows system. This first version only contains a list of known GUIDS that can be extracted and used by various modules
- [MACTIME output] Fixed a small bug, where the pipe symbol might be a part of the name part (change all | to ::pipe:: before outputting)
- [MACTIME_L output] Fixed a small bug, where the pipe symbol might be a part of the name part (change all | to ::pipe:: before outputting)
- [COMMON library] Added a function to "guess" the username from the path of the file
- [CSV output] Modified the output slightly, dates come now first, and they are in a human readable format instead of Epoch
- [TIME library] Added a few checks in the exif_to_epoch function to accommodate new behaviour in exiftools 8.00
  - Added the offset check, and check for negative offsets sent to the input module by Exif
- [EXIF input] Modified the way the information is presented a bit, moved the name of the metadata variable in front of the text to make it more clear what was being referred to as well as to add the group name.
  - Removed few tags from the reading, such as ZIP (recursive scan through ZIP files) as well as File (don't care about filesystem time)
  - Also added a check if the input module is parsing PE files to make them more readable
- [update_log2timeline] Added a bash script to automatically update the tool. It fetches the binaries from the web site, verifies the MD5sum of the file and then extracts and installs it. The script has a switch to indicate that the user wants to download the nightly builds instead of the newest released version.
- [SETUPAPI input] Fixed a bug in the SetupAPI input module that caused all the lines in the body file to contain the first found date in the file
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
- [log2timeline] Added an extra field to the t_line hash in the front-end, the field filename that includes the original file name.
  - Added a call to the constructor new() of the called output module, and passed along the array ARGV
  - Modified the check for new version function. Added a text indicating that the user can use the tool update_log2timeline to update the tool automatically
  - Updated the man information (the pod)
  - Added a switch, -d for debugging information (debugging is sent to input modules as well)
- [glog2timeline] Added an extra field to the t_line hash in the front-end, the field filename that includes the original file name
- [timescanner] Added an extra field to the t_line hash in the front-end, the field filename that includes the original file name
  - Added a call to the constructor new() of the called output module, and passed along the array ARGV
  - Added a printout in the end of run, indicating how long it took for the tool to complete its run (an indication that the tool completed successfully as well)
  - Added a check to see if local timezone was chosen. If the local timezone is chosen it is printed on the screen (that is what the tool detects as the local timezone)
  - Increased the verbosity of timescanner -h to include the options of the tool
  - Added a small check to see if a file is a symbolic link, don't test symbolic links (the tool ends up in a loop, checking the same file again and again)
  - Added few more debugging information and a check to invoke debugging in input modules if called with -vv
- [IEHISTORY input] Added a check for invalid HASH table reference
- [IIS input] Added a missing field in the t_line hash
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
  - In some IIS log file there isn't a field called date, it is instead defined in the header of the file, check for those files
- [ISATXT input] Added a missing field in the t_line hash
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
- [MACTIME input] Added a missing field in the t_line hash
  - Other minor improvements
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
- [OXML input] Added a missing field in the t_line hash
- [PCAP input] Added a missing field in the t_line hash and added TCP sequence number to the output (request)
- [RECYCLER input] Added a missing field in the t_line hash
- [PREFETCH input] Added a missing field in the t_line hash
- [SQUID input] Added a missing field in the t_line hash
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
- [RESTORE input] Added a missing field in the t_line hash as well as to change the dates provided. Now the only date that is read is the installation of the restore point, instead of including the atime, ctime and mtime of the file itself (that one is provided with fls)
- [TLN input] Added a missing field in the t_line hash
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
- [WIN_LINK input] Added a missing field in the t_line hash
- [XPFIREWALL input] Added a missing field in the t_line hash
  - Modified the verification, reading the file as binary to only scan the first portion of the file (instead of trying to read a line from a large file)
  - Added TCP seq numbers into the output

Version 0.40 (25/11/09)
- [CFTL output] Fixed few bugs in the cftl.pm output module, didn't work in the current CFTL version without these modifications (has been verified to work with CFTL pre-release version 1.0)
- [EXIF input] Fixed a bug in the exif input module, there was a problem with the format of date variables read by ExifTool library. Added a format string to force the date format to be the same.
- [glog2timeline] Modified the GUI, glog2timeline to make it feature compatible with the CLI interface, added:
  + Simple menu structure
  + Added the possibility to add timeskew information
  + Added the possibility to prepend text to output (a la -m)
  + Added the possibility to perform most of the operations through the menu structure
  + Added the possibility to check for latest version (version check)
  + Added a simple progress bar and information about the artifact being processed [more work needs to be done here]
  + Added the possibility to define the timezone of the suspect drive (list all available timezones sorted, using UTC as the default zone)
- [List library] Modified the name of the Log2t::List library to Log2t::Common so that the library can be used for all common functions that are shared between more than one module (instead of only focusing on listing directory entries)
- [BinRead library] Fixed few bugs in the BinRead library that dealt with Unicode reading
- [WIN_LINK input] Modified the text output of win_link input module, to make the output more readable
- [RECYCLER input] Modified the recycler.pm so that it reads the recycle bin directory instead of the INFO2 file. Added the possibility to read $I files as well (the newer format as used in Vista, Windows 7 and later operating systems from Microsoft). The new input module reads the directory and determines if it is examining the older or newer version of the recycle bin and parses accordingly
- [timescanner] Added a banner to timescanner, giving people warning about the tool, since there have been reports of it being unreliable in parsing all files that it should be able to do. This banner will stay until the tool has been fixed (coming version)
- [timescanner] Added the possibility to add timezone information, as well as to add timezone related functions to be used by libraries
- [timescanner] Fixed a bug, forgot to close the input module after parsing an artifact (creating some problems)
- [USERASSIST input] Fixed a bug in the userassist module. It crashed if it encountered a registry file it was unable to load (eg NTUSER.DAT.LOG), added a check for that, so timescanner will not die when it reaches such a file
- [FIREFOX3 input] Added an extra check in the verify routine to double check that we are in fact examining a FF3+ history database, now connecting to the database to see if there is a moz_places table there before proceeding. Added few error message checks as well, to improve the error handling of the verification. Fixed a bug where Firefox 3 history files were not included in the timescanner tool (had to do with the verification and improper check if the database was locked)
- [log2timeline] Added the possibility to define the timezone of the suspect drive (-z ZONE parameter). The default timezone is local (that is the local timezone of the analysis station). This affects the time settings of all artifacts found on the system and adjusts them accordingly. The option of "-z list" will print out a list of all available timezones that can be chosen.
- [OXML input] Modified the verify function, only read the ZIP header if the magic value of the file indicates that this is a ZIP file (reduces time needed for the verification function, and therefore reduces the time needed for timescanner)
- [Common library] Added constants to the Common library (BIG_E and LITTLE_E) that are shared with other libraries and modules
- [input modules] Changed all input modules that call the BinRead library so that they initialize the endian. This fixes a bug in timescanner, since some input module set the BinRead to big endian, which is not changed back when another input module that reads in a little endian was started (making verification and all uses of binary reading wrong, leading to the fact that timescanner did not parse the files)
- [Time library] Added a function called fix_epoch to take an epoch value, and use the supplied timezone settings to modify it to UTC
- [input modules] Modified the input modules so that they all now output the timezone information in UTC
- [Setupapi input] Modified the SetupAPI input module, considerable changes made in the way that the file is parsed
- [log2timeline] All input modules now output their time in UTC, irrespective of the method of storing time entries. This makes it vital to add a parameter to define the timezone of the suspect drive
- [evt] Added a new input module that is capable of parsing Windows 2000/XP/2003 Event Log files (mostly rewrite of evtparse.pl by Harlan Carvey)

Version 0.33b (15/09/09)
- Fixed a bug in iehistory.pm, small bug when reading index.dat files that contain no history
- Fixed a bug in iehistory.pm, directory names not correctly read as well as header information (sometimes these values contained unreadable characters)
- Fixed a bug in mactime.pm input module, small bug in the validation, all mactime files failed
- Fixed a bug in the tln.pm input module, files weren't validated (all files failed validation)
- Updated the List.pm library so that the input modules and output modules are sorted when the option of -f list or -o list is used

Version 0.32b (10/09/09)
- Fixed few bugs in both iehistory.pm and userassist.pm
- Created a new library, Network.pm to include information about network traffic
- Added an input module for parsing SetupAPI log file in Windows XP
- Added an input module for parsing Flash cookies, or Shared Object Libraries (SOL) from Macromedia
- Updated few libraries (BinRead, Time)
- Added an input module for parsing XP Firewall logs
- Added a new feature into log2timeline, version checking. Use log2timeline -c to check if you have the latest version of the tool installed

Version 0.31b (07/09/09)
- Added a format file to read EXIF data
- Added a new tool called timescanner to recursively scan through directories, searching for artifacts to parse (testing against all supported artifacts)
- Added an output module to output in a CSV file
- Created a Makefile.PL to provide a different mechanism for installing the tool. The script install.sh is no longer used, and all input modules are now copied to a Perl library directory, along with other Log2t library files. The use of "use lib '/usr/local/share/log2timeline/lib'" has been removed from all input modules since it is no longer needed and all front-ends have been adjusted to accommodate the new setup
- Created a new library, List.pm (Log2t::List) to list up all input and output modules

Version 0.30b (02/09/09)
- Fixed a bug in the sqlite output plugin, escape sequence not properly inserted
- Small changes made to the restore point format file
- GUI, glog2timeline added to provide an alternative method to create body files, so now there are two possibilities to use the modules, by using a CLI version and a GUI (GUI is written using perl-gtk2 meaning it will probably only work in Linux). This first version of the GUI is very limited, more to show the possibility to have a GUI, will be fixed in later versions
- Modified the sqlite output plugin, changed the SQLite database structure to accommodate a scheme that will be later used by a graphical front-end
- Created the first version of the PCAP format file (will be upgraded later)
- Changes made to all format files to speed up processing, optimization changes made and modifications to the flow of information from main script to and from the format and output files (to speed things up)
- Modified the log2timeline main script to accommodate the optimization changes made in the format files (references used considerably more instead of passing arguments)
- Removed common functions from the log2timeline main script and included them in separate libraries that are stored in the library path. This creates a way for other front-ends to use the format files, such as the GUI or a scanner
- Modified format files so that they use the libraries instead of calling parent function (main script)
- Created a BinaryRead library file to make reading binary files easier (code reuse really)
- Added a new output module, an XML file that can be read by SIMILE timeline project to visually represent timeline data (this is just the XML file, work needs to be done to create HTML documents or other web sites to present the data)
- Added an output module to output in the XML format that the tool CFTL (CyberForensics TimeLab) can use to visually represent timeline data
- Added a format file to parse Internet Explorer history file, index.dat
- Modified log2timeline so it removes footer from files when appending to timelines

Version 0.22b (10.08.2009)
- Added format file for TLN format, that is body files that are built using the TLN or timeline format
- Added format file for OpenXML documents, such as docx, pptx and other documents created by Microsoft Office 2007.
- Added iso2epoch function to log2timeline for conversion of iso 8601 date formats to epoch (for timeline)
- Added format file for mactime input
- Added format file for ISA text export (that is query into the ISA firewall/proxy for a certain web traffic, copy all contents to the clipboard, save to a file and parse through log2timeline). One warning about this format file, it has only been tested on one particular ISA server so no guarantee about the accuracy of this format file (until further tested)
- Added the option to output directly to a file, that is to let the tool output to a file instead of just using STDOUT and STDERR
- Added an output plugin for dumping records into a SQLite database

Version 0.21b (07.08.2009)
- Fixed few bugs in the win_link.pl format file:
  - Unicode characters were not printed correctly
  - Empty strings appeared on few places
  - No verification that the file was truly a LNK file (no check for magic value)
  - Control characters were printed out with the path name
  - Path name not correctly read, size of strings included in printout
  - Added distinction between path name and other paths and strings (relative path, working directory, comments and cmd line arguments)
- Added verification code to the firefox3 format file
- Fixed few print settings in log2timeline, print error msg to STDERR as well as sending the ARGV array into the format files, to add the possibility to have parameters/options sent to format files
- Added format file for IIS log files (W3C)
- Added output file TLN (timeline format) from H. Carvey, five field format
- Modified format files so that they include necessary information for TLN format output
- Added parameter reading to all format files, parameters can now be sent to format files and most of them accept some (for additional info needed for TLN creation for instance)

Version 0.20b (04.08.2009)
- UserAssist: username is gathered from NTUSER registry and added to timeline
- Separated the output to a special output file, created a structure to output in different modes (other than mactime format)
- Created the mactime output file (default behaviour)
- Created the mactime_l output file, for legacy output (older versions of TSK), fixed the older version of the legacy output which did not work correctly (not using the correct legacy format)
- Minor bug fix in the install.sh (the install script)
- Minor bug fix in the log2timeline script as well as adding an additional check before calling format files (check to see if dir or file exist prior to calling script)
- Added Firefox3 format file

Version 0.12b (31.07.2009)
- pod created for further description of tool and to print help messages
- print_help function deleted from main script and pod2usage used instead
- man page created for the tool (using pod2man)
- minor changes to the prefetch format file
- format file for Windows shortcuts added (win_link)
- format file for Windows INFO2 (recycle bin) added

Version 0.11b (20/07/2009)
- Fixed few minor bugs in tool

Version 0.1b
- First beta release of tool