I'm a little late to the party. I can't answer the OP's original question, but in one fell swoop I'll touch on multiple replies.
randomaccess wrote:
got the latest version of log2timeline and Chris Pogue's instructions on how to do it (http://log2timeline.net/INSTALL.txt).
Just a heads up. If you grabbed L2T 0.65 from the Google Code site then you will need to install one more module not reflected in those instructions. You need to also do: ppm install JSON::XS. Before anyone asks, this info has been forwarded along.
davnads wrote:
could not find any MFT parsers that output to the correct log2timeline CSV format.
Another format to look for is anything that outputs to TLN or bodyfile (Sleuthkit compatible) formats. One example is TZworks ntfs walk (it also supports L2T): http://tzworks.net/prototype_page.php?proto_id=12
If another tool outputs into this format then it will not only work with L2T but also with Harlan's and TZworks' tools.
davnads wrote:
great if someone wanted to take on modifying Kovar's AnalyzeMFT.py script or some other parser to output in the correct format as a pet project.
Speaking of AnalyzeMFT, the tool already outputs to bodyfile format, so it wouldn't take much to make it work with L2T. The only thing that needs to be done is to make the bodyfile output compatible with Sleuthkit. I haven't had the time, but the fix should be fairly quick; looking at the code myself or contacting David about this is on my to-do list.
Another option is to use TSK's fls.exe to grab the filesystem metadata info. Yes, fls.exe doesn't output the $FNA timestamps, but the last MFT update in the $SIA timestamps can catch some timestomping programs. If timestomping is an issue then I would go with something that grabs both sets of timestamps. When I'm not worried about timestomping, fls.exe has been the fastest way to grab the filesystem metadata.
davnads wrote:
Better yet, a separate script that converts TLN output to l2t CSV format would be more useful.
This already exists; it's in L2T. I can't speak for the new version since I still haven't tested it out yet, but pretty much every Perl version can do this. L2T has the mactime and TLN input modules. All you need to do is one of the following:
log2timeline.pl -f mactime -w timeline.csv file-in-bodyfile-format.txt
log2timeline.pl -f TLN -w timeline.csv file-in-TLN-format.txt
The first command converts bodyfile format to L2T's CSV format, while the second converts TLN format to L2T's CSV format. I have been leveraging this ability for some time and it allows me to leverage multiple tools for timeline generation. I can use RegRipper to get registry info, Sleuthkit to get filesystem info, TZworks to get NTFS artifacts, and L2T to get other formats. I can bring everything in and output to L2T's CSV format. This is fairly easy to do, especially since I put together a cheatsheet outlining what each tool is capable of and what commands to run.
keydet89 wrote:
you're referring to either log2timeline or plaso... neither of which parses the AppCompatCache value data.
I have to second Harlan on this one. Solely relying on one tool doesn't provide all the information that may be relevant. A better option is to combine the functionality of multiple tools. RegRipper has some pretty sweet plugins for timeline creation, such as showing program execution (i.e. appcache, userassist, direct). Also, not sure if people read my latest post, but the $UsnJrnl file contains a wealth of information, and the only tool that provides it in a timeline format is TZworks (based on the past few posts this statement won't be true for long). Lastly, if anyone read David Cowen's post about the $Logfile, it also contains a ton of useful information, and as of now his tool is the only one that parses the info into a timeline. I guess what it comes down to is what data you need and what tool or tools can be used to get you that data.
joakims wrote:
As I'm rewriting mft2csv, I also thought of adding an option to output in log2timeline format.
Another option is to go with the bodyfile format that is compatible with Sleuthkit. The reason why I say this is that the majority of the timeline tools support this format. Harlan's tools have a script to parse bodyfile format, L2T has the mactime module for this format, and the TZworks tools support this format. If you want your tool to be versatile then the bodyfile format will make your tool work with what is already out there.
Corey Harrell
"Journey Into Incident Response"
http://journeyintoir.blogspot.com/
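Added example, not from this thread or from log2timeline itself: a small Python converter that does what the two log2timeline.pl commands in the post do, turning Sleuthkit bodyfile lines and TLN lines into the 17-column log2timeline 0.x CSV layout. The sample bodyfile and TLN lines are constructed, and the filler values written into the type, version, notes and extra columns are assumptions rather than L2T's exact output.

```python
import csv
import io
from datetime import datetime, timezone
# Column layout of the log2timeline 0.x CSV output (17 fields).
L2T_COLUMNS = ("date,time,timezone,MACB,source,sourcetype,type,user,host,short,"
               "desc,version,filename,inode,notes,format,extra").split(",")
# Constructed sample input (not real evidence): one bodyfile line, one TLN line.
SAMPLE_BODYFILE = ["0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|345088"
                   "|1247535600|1247535600|1300000000|1247535600"]
SAMPLE_TLN = ["1300000000|REG|HOST1|jdoe|UserAssist - cmd.exe executed"]

def _row(epoch, macb, source, stype, user, host, desc, fname, inode, fmt):
    """One L2T row; bodyfile/TLN epochs are UTC. Filler column values are assumed."""
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return dict(zip(L2T_COLUMNS, [ts.strftime("%m/%d/%Y"), ts.strftime("%H:%M:%S"),
                                  "UTC", macb, source, stype, "Unknown", user, host,
                                  desc, desc, "2", fname, inode, "-", fmt, "-"]))

def bodyfile_to_l2t(lines, host="-"):
    """Sleuthkit bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Timestamps sharing one epoch collapse into a single MACB row, as mactime does."""
    rows = []
    for line in lines:
        f = line.rstrip("\n").split("|")
        if len(f) != 11:  # a bodyfile variant that is not Sleuthkit-compatible is rejected
            raise ValueError(f"not an 11-field bodyfile line: {line!r}")
        _, name, inode, _, uid, _, _, atime, mtime, ctime, crtime = f
        flags = {}
        for flag, val in zip("MACB", (mtime, atime, ctime, crtime)):
            if int(val) > 0:  # 0 means the timestamp is absent
                flags.setdefault(int(val), set()).add(flag)
        for epoch in sorted(flags):
            macb = "".join(c if c in flags[epoch] else "." for c in "MACB")
            rows.append(_row(epoch, macb, "FILE", "Filesystem", uid, host,
                             f"{name} (inode {inode})", name, inode, "mactime"))
    return rows

def tln_to_l2t(lines):
    """TLN: Time|Source|Host|User|Description, one event per line."""
    rows = []
    for line in lines:
        epoch, source, host, user, desc = line.rstrip("\n").split("|")  # ValueError if not 5 fields
        rows.append(_row(epoch, "MACB", source, "TLN", user, host, desc, "-", "-", "tln"))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=L2T_COLUMNS, lineterminator="\n")
    w.writeheader(); w.writerows(rows)
    return buf.getvalue()
```

Rows from both converters can be concatenated before to_csv, which is the same "bring everything in and output to one CSV" workflow the post describes.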