Log2Timeline is an open source tool developed by Kristinn Gudjonsson focused on creating timelines with the purpose of digital forensic examination. With its ability to perform cross platform, it has become increasingly popular and bundled with open source forensic tools. The forensic distributions SIFT and TAPEWORM come with log2timeline preinstalled and set as primary tools on their systems. SIFT has a branched version of Log2Timeline that automates the creation of a supertimeline in the command line, while TAPEWORM uses log2timeline but places a custom graphic interface that simplifies the command for the end user. In addition to Linux distributions, Log2timeline also runs on Microsoft Windows via the command line.
SIFT is a preconfigured virtual machine appliance free to download from the developer’s, SANS Forensics, website http://computer-forensics.sans.org/community/downloads. Once downloaded, SIFT can be run through any virtualization software, though it was built using VMware Workstation 8.0. It is recommended that VMware Workstation 9.0.2+ or the latest version of VMware player 5.0 is used if it is available since it resolves a handle issue when reading and writing to the host machine (http://communities.vmware.com/thread/425760.) Once the VM is downloaded and running in the virtualization software of choice, the SIFT desktop appears with a terminal window opened. From here the E01 or DD image can be mounted (See Rob Lee’s Guide on the process http://computer-forensics.sans.org/blog/2011/11/28/digital-forensic-sifting-mounting-ewf-or-e01-evidence-image-files) to one of the premade mount points linked on the desktop. Once the E01 or DD is mounted, the log2timeline-sift command can be run to begin a timeline creation for any Windows NTFS partition on the selected image. Once log2timeline-sift is completed, the output is saved to the cases folder, which is linked on the desktop.
Running the normal version of log2timeline is successful for the Linux and Mac partitions, though involves many more switches and longer file paths. Regardless it still produces the timeline for the selected partition. The only issue we faced in SIFT was getting the log2timeline command to save the CSV timeline output to a .csv file, as it continued to print it in the terminal window regardless of the –w (Write to file) switch or any cat or tee attempts.
TAPEWORM, like SIFT, is also a preconfigured virtual machine appliance free to download from the developer’s, TASC, website http://feedthetapeworm.com/?page_id=91 . When the VM is downloaded, it can be launched in any virtualization software. TAPEWORM was built in VMWare Workstation 7, though will run in any version. Once again it is recommended to run TAPEWORM with VMWare Workstation 9.0.2 or later as it resolves the handle leak issue mentioned above. This issue is much more present with TAPEWORM as, unlike SIFT, it reads and writes the output directly to the host machine. Once TAPEWORM is powered on, the desktop loads with the TAPEWORM graphic interface. On this interface is an evidence select button, a destination select button and the ability to select a range of tools, each with all of their options, from log2timeline and regripper to bulk extractor and volatility. Each of the 12 included tools is fully automated and will generate a report in the output destination for each of the selected tools and options. In TAPEWORM there isn’t any need to use the command line, though it is available if the user would prefer to use it. TAPEWORM does contain log2timeline though does not have the custom log2timeline-sift. TAPEWORM works on all three of the partitions I ran across it including Windows 7 NTFS, Linux EXT4, and Mac OSX 10.6 HFS+ without any issues.
Since Log2Timeline is cross platform, it is available to be installed on Windows 7. On the Log2Timeline website, there is an install guide (http://log2timeline.net/INSTALL.txt) that describes the process for install on a Windows XP SP3 based machine. We went through and followed the steps in the install.txt and was able to successfully run log2timeline, though the install was tedious as we had to download, unzip, and place files in the correct directory so that the install. To make this easier we have written a python script that will automatically follow all the steps set in the install.txt including download and unzipping. We will be updating the code, but the Beta can be downloaded here: http://bit.ly/115suGG. Log2Timeline can be run after the script is installed from C:\Perl64\bin\ as perl log2timeline in the command prompt. To run it against an image, we had to mount the E01 using FTK Imager and mount each partition as a drive. Only the NTFS Windows 7 and FAT Linux Swap partitions were recognized, since Windows does not natively read HFS+ or EXT4. (Though if you have found a way to set windows to mount either partitions as a directory, Log2Timeline can then run through it.)
Overall Log2Timeline is a great tool for timeline creation. It does require knowledge as to the commands and switches necessary to create a timeline so that
-Chapin Bryce