corey_h wrote:
Joakim,
Thanks for sharing this. There aren't that many tools (available for free) capable of parsing the $LogFile so this fills a huge void in the current tools. The ability to parse the $UsnJrnl file as well is icing on the cake. I only started to test and learn about the tool. Quick question though, do you have any plans to produce a log2timeline csv formatted output similar to your mft2csv tool? It would be nice for it to be an option for both the $Logfile and $UsnJrnl file to make it easier to incorporate it into a timeline.
Thanks once again for writing this.
Corey Harrell
"Journey Into Incident Response"
http://journeyintoir.blogspot.com/
Hi Corey
Currently I am not sure how to best implement an optional log2timeline csv. It may happen but I am not sure yet. Inputs are welcome.
For instance I am wondering how a decoded INDX record as found in $LogFile should be put into that particular format. And some transactions don't have timestamps tied to them (although it usually may be resolved into something roughly close to the truth, now excluding the usage of $UsnJrnl totally). Because of the timestamps being present in $UsnJrnl (as well as having a small number of variables in each records), it is much easier to implement (log2timeline or anything basically) for that file, than $LogFile. Then you have challenges like partial information about an $attribute change, where all you have is a fraction of the new attribute, without necessarily having information about the original attribute. For instance in 1 record, there is information that an attribute was changed and all you have is the file reference number at the time of transaction (which may have been overwritten since then), plus 2 fully decoded $STANDARD_INFORMATION fields/values, and 1 partial which could not be resolved (actually it can under certain circumstances, but not at all easy). So, how would that fit in?
I definitely need to think more about this before going about to implement something like that.
Just updated to new version, with some important bugfixes that previously caused it to crash on some systems.
Btw, the NTFS File Extractor was also updated, now supporting the extraction of files directly from shadow copies (like for instance the $MFT and $LogFile). Maybe interesting.
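Joakim's point above is that $UsnJrnl records are the easy case for a log2timeline output, since each one carries its own timestamp and only a handful of fields. The following is an added example, not code from Joakim's tool: it walks USN_RECORD_V2 entries in a $UsnJrnl:$J buffer and writes one l2t_csv row per record; the sample journal bytes, the "M..." MACB choice and the source/format labels are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100ns ticks since 1601
USN_V2_HDR = "<IHHQQqqIIIIHH"                                  # 60-byte USN_RECORD_V2 header
REASON_FLAGS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
                0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
                0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}

def parse_usn_v2(buf: bytes) -> list:
    """Walk a $UsnJrnl:$J buffer and return one dict per USN_RECORD_V2."""
    recs, off = [], 0
    while off + 60 <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:                      # zero run (sparse gap / padding): step 8 bytes
            off += 8
            continue
        if rec_len < 60 or off + rec_len > len(buf):
            break                             # truncated or corrupt record: stop, don't guess
        f = struct.unpack_from(USN_V2_HDR, buf, off)
        name = buf[off + f[12]: off + f[12] + f[11]].decode("utf-16-le", "replace")
        recs.append({"inode": f[3] & 0xFFFFFFFFFFFF, "parent_inode": f[4] & 0xFFFFFFFFFFFF,
                     "usn": f[5], "timestamp": f[6], "reason": f[7], "name": name})
        off += rec_len                        # low 48 bits of a file reference = MFT entry
    return recs

def to_l2t_csv(rec: dict) -> str:
    """One l2t_csv row (17 fields); MACB 'M...' since the USN time is when the change was journaled."""
    ts = FILETIME_EPOCH + timedelta(microseconds=rec["timestamp"] // 10)
    reasons = "|".join(n for bit, n in sorted(REASON_FLAGS.items()) if rec["reason"] & bit)
    desc = f"{rec['name']} USN={rec['usn']} reason={reasons or hex(rec['reason'])}"
    return ",".join([ts.strftime("%m/%d/%Y"), ts.strftime("%H:%M:%S"), "UTC", "M...",
                     "FILE", "NTFS USN change journal", "USN entry", "-", "-",
                     desc, desc, "2", rec["name"], str(rec["inode"]), "-", "usnjrnl",
                     f"parent_inode: {rec['parent_inode']}"])

def build_usn_v2(name, file_ref, parent_ref, usn, ts, reason) -> bytes:
    """Constructed test data: serialise a V2 record, 8-byte aligned as NTFS writes them."""
    name_b = name.encode("utf-16-le")
    rec_len = (60 + len(name_b) + 7) & ~7
    ft = ((ts - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10   # exact integer maths
    hdr = struct.pack(USN_V2_HDR, rec_len, 2, 0, file_ref, parent_ref, usn, ft,
                      reason, 0, 0, 0x20, len(name_b), 60)
    return (hdr + name_b).ljust(rec_len, b"\0")

def sample_journal() -> bytes:
    """Constructed $J fragment: create+close, a zero gap, then delete+close of the same file."""
    ts = datetime(2013, 2, 20, 9, 30, 15, tzinfo=timezone.utc)
    ref = (5 << 48) | 1234                    # sequence 5, MFT entry 1234
    return (build_usn_v2("report.docx", ref, 5, 4096, ts, 0x100 | 0x80000000) + b"\0" * 16
            + build_usn_v2("report.docx", ref, 5, 4200, ts, 0x200 | 0x80000000))
```

Feeding the rows into a timeline is then just `"\n".join(to_l2t_csv(r) for r in parse_usn_v2(data))` on a raw $J extract.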