log2timeline v0.62 Released

log2timeline is a framework for artifact timeline creation and analysis. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a body file that can be used to create a timeline, using tools such as mactime from TSK, for forensic investigators.

Changelog v0.62
- [FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
- [OPENVPN input] New input module, designed to parse the OpenVPN log files.
- [L2T_PROCESS] Added a few more allowed characters in the keyword list
- [proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file
- [Log2Timeline library] Fixed a bug where, when the 'all' modules option is used (or -f is omitted), no modules get loaded
- Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible
- Fixed a small bug where the tool would crash if the local timezone was used.
- Fixed a small bug where, if the tool is not able to find the default directory (. does not exist) or if the file it is pointing to does not really exist, it returned a double error instead of just dying on the first one.
- The tool will now accept a separate output timezone so the tool can output in a different timezone than the host one.
- [log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
- [CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports a different output timezone than the host one.
- [EVTX input] Fixed a bug where the tool could go into an endless loop in the case where you have an EVTX that is somehow broken and the function get_next_event dies. If the tool ran into such an occurrence it returned an empty timestamp object, which in turn let the tool query for it again, thus possibly getting into an endless loop. Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
- [log2timeline-sift] Moved the mount command out of the script and into the configuration file
- Changed the mount command, since there were a few errors with the previous one
- Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call)
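The EVTX endless-loop fix above, modelled as an added Python example rather than the project's own code: a reader whose get_next_event dies on a corrupt record, and a caller that gives up after 50 consecutive failures instead of asking again forever. EvtxReader, read_events_bounded and the sample records are constructed for the illustration.

```python
# Added illustration (not log2timeline's own code) of the EVTX reader loop
# described in the changelog. A corrupt record makes get_next_event() die;
# handing back an empty result and letting the caller ask again can spin
# forever, so the fixed loop abandons the file after a bounded number of
# consecutive failures (50, matching the release note).
MAX_RETRIES = 50


class EvtxReader:
    """Constructed stand-in for an EVTX file: a list of records, where a
    record of None represents a corrupt entry that makes get_next_event die."""

    def __init__(self, records):
        self._records = records
        self._pos = 0

    def get_next_event(self):
        # Returns a record dict, None at end of file, or raises on a corrupt
        # record. The position is NOT advanced on failure, which is exactly
        # why an unbounded retry keeps hitting the same broken record.
        if self._pos >= len(self._records):
            return None
        rec = self._records[self._pos]
        if rec is None:
            raise ValueError("corrupt EVTX record at index %d" % self._pos)
        self._pos += 1
        return rec


def read_events_bounded(reader, max_retries=MAX_RETRIES):
    """Collect events until EOF. Consecutive failures of get_next_event are
    counted; once max_retries is reached the reader is abandoned instead of
    being queried again. Returns (events, gave_up, consecutive_failures)."""
    events = []
    failures = 0
    while True:
        try:
            ev = reader.get_next_event()
        except ValueError:
            failures += 1
            if failures >= max_retries:
                return events, True, failures   # give up: the file is broken
            continue                            # ask again, as the old code did
        if ev is None:
            return events, False, failures      # clean end of file
        failures = 0                            # a good read resets the counter
        events.append(ev)
```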

Download log2timeline v0.62
29b377af39e89d26b6246f6a22c07e55 log2timeline_0.62.tgz

MaxiSoler

www.artssec.com @maxisoler