Log2Timeline
What is log2timeline?
log2timeline.py is the plaso front end that extracts timestamped events from a disk image, directory or single file into a plaso storage file. psort.py then sorts, filters and exports that storage file (l2tcsv below), and pinfo.py reports what it contains. Timestamps inside the storage file are kept in UTC.
Parse Data
#### IN ORDER ####
#Exclude a parser from a preset: win7 preset without filestat, so file-system timestamps come from the $MFT body file added below rather than from filestat
log2timeline.py --parsers 'win7,!filestat' --storage-file DESTINATION.dump SOURCE-IMAGE.dd
#MFTECmd body file: --blf writes LF line endings (the mactime parser expects them), --bdl sets the drive letter prefix used in the paths
MFTECmd.exe -f "E:\$MFT" --body "C:\timeline" --bodyf mftecmd.body --blf --bdl C:
#Append the MFTECmd body file to the storage file (log2timeline adds to a storage file that already exists)
log2timeline.py --parsers 'mactime' --storage-file c:\timeline\plaso.dump c:\timeline\mftecmd.body
#Psort convert to l2tcsv - output is UTC by default
psort.py -o l2tcsv -w timeline.csv plaso.dump
#Noise reduction: one pattern per line in timeline_noise.txt; -f reads each line as a regex, so add -F when the lines are literal paths/strings, and keep the file free of blank lines (an empty pattern matches every event)
grep -a -v -i -f C:\timeline\timeline_noise.txt C:\timeline\timeline.csv > C:\timeline\supertimeline.csv
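The noise-reduction step above, worked through as an added example (this is not code from the original page or from the plaso project). It runs the same grep idea over constructed l2tcsv lines, but with fixed-string matching and two checks a practitioner wants before trusting the result: blank lines are stripped from the noise list (an empty pattern would drop every event), and noise entries that match nothing are reported, which usually means a typo or a changed path format. Assumptions: GNU grep and coreutils, and a noise list of literal substrings (paths, hostnames, process names), not regular expressions. The timeline rows and the noise list are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the plaso project: the noise
# reduction step over constructed l2tcsv lines, using fixed-string matching.
# Assumptions: GNU grep and coreutils; timeline_noise.txt holds one literal
# substring per line (paths, hostnames, process names), not regular expressions.
set -eu

# Constructed sample timeline in l2tcsv layout (the header is the one psort writes).
make_sample_timeline() {   # make_sample_timeline OUTFILE
  cat > "$1" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/14/2023,09:12:01,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WKSTN01,C:\Windows\Prefetch\SVCHOST.EXE-1234ABCD.pf,C:\Windows\Prefetch\SVCHOST.EXE-1234ABCD.pf Type: file,2,C:\$MFT,0,-,mactime,-
03/14/2023,09:12:05,UTC,...B,WEBHIST,Chrome History,Last Visited Time,bob,WKSTN01,https://update.microsoft.com/,https://update.microsoft.com/ (Microsoft Update) [count: 3],2,C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\History,0,-,sqlite/chrome_8_history,-
03/14/2023,09:13:44,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WKSTN01,C:\Users\bob\AppData\Local\Temp\svchost.exe,C:\Users\bob\AppData\Local\Temp\svchost.exe Type: file,2,C:\$MFT,0,-,mactime,-
03/14/2023,09:14:10,UTC,MACB,EVT,WinEVTX,Event Logged,-,WKSTN01,[4688 / 0x1250] Source Name: Microsoft-Windows-Security-Auditing,[4688 / 0x1250] A new process has been created: C:\Users\bob\AppData\Local\Temp\svchost.exe,2,C:\Windows\System32\winevt\Logs\Security.evtx,0,-,winevtx,-
EOF
}

# Constructed noise list: literal substrings, one per line. With plain -f these
# would be read as basic regexes: in GNU grep \W is "non-word character" and a
# trailing backslash is an error, so Windows paths need -F.
make_noise_list() {   # make_noise_list OUTFILE
  cat > "$1" <<'EOF'
update.microsoft.com
C:\Windows\Prefetch\
EOF
}

# reduce_noise TIMELINE NOISE_LIST OUT
# Same shape as the page's grep step, with -F for literal matching, the header
# row preserved, and blank lines removed from the noise list first (an empty
# pattern matches everything, and with -v would drop every event).
reduce_noise() {
  local timeline=$1 noise=$2 out=$3 patterns
  patterns=$(mktemp)
  grep -a -v '^[[:space:]]*$' "$noise" > "$patterns" || true
  head -n 1 "$timeline" > "$out"
  tail -n +2 "$timeline" | grep -a -v -i -F -f "$patterns" >> "$out" || true
  rm -f "$patterns"
}

# unused_noise_patterns TIMELINE NOISE_LIST
# Prints every noise entry that matches no line of the timeline.
unused_noise_patterns() {
  local pat
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    grep -a -q -i -F -- "$pat" "$1" || printf '%s\n' "$pat"
  done < "$2"
}

# Number of event rows (header excluded) in an l2tcsv file.
event_count() {   # event_count FILE
  tail -n +2 "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed data; prints the surviving event count.
demo_noise_reduction() {
  local dir
  dir=$(mktemp -d)
  make_sample_timeline "$dir/timeline.csv"
  make_noise_list "$dir/timeline_noise.txt"
  reduce_noise "$dir/timeline.csv" "$dir/timeline_noise.txt" "$dir/supertimeline.csv"
  event_count "$dir/supertimeline.csv"
}

demo_noise_reduction
```

Run `unused_noise_patterns timeline.csv timeline_noise.txt` before the reduction on a real case: a pattern that never matches costs nothing, but a pattern that matches because of a typo (or a stale path that now matches something unrelated) silently removes evidence, so review the list against the output count of `event_count` before and after.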
#### IN ORDER ####
#Include a filter file (-f / --file-filter) to parse only specific directories/artifact locations. YAML filters (for example filter_windows.yaml from plaso's data directory) are recommended.
log2timeline.py -f filter_windows.txt --storage-file DESTINATION.dump SOURCE-IMAGE.dd
#Include parser
log2timeline.py --parsers win7 --storage-file DESTINATION.dump SOURCE-IMAGE.dd
#List parsers in log2timeline
log2timeline.py --parsers list
#Exclude a parser from a preset (the backslash stops the shell's history expansion of !; quoting the whole value as 'win7,!prefetch' also works)
log2timeline.py --parsers win7,\!prefetch --storage-file DESTINATION.dump SOURCE-IMAGE.dd
#Run a single parser preset only against the locations listed in the filter file
log2timeline.py --parsers webhist -f filter_windows.txt --storage-file DESTINATION.dump SOURCE-IMAGE.dd
#output information about plaso.dump file
pinfo.py plaso.dump | more
#Output plaso.dump into a CSV. -z sets the output timezone; UTC is psort's default, so -z UTC only makes it explicit.
psort.py -z UTC -o l2tcsv -w timeline.csv plaso.dump
#Restrict output to a date range with an event filter (times are in the -z timezone, UTC here)
psort.py -z UTC -o l2tcsv -w timeline.csv plaso.dump "date > 'yyyy-mm-dd 00:00:00' AND date < 'yyyy-mm-dd 23:59:59'"
#Slice +/- 5 min (the default --slice_size) around a pivot time
psort.py -z UTC -o l2tcsv -w timeline.csv plaso.dump --slice 'yyyy-mm-dd hh:mm:ss'
#List the available psort output modules
psort.py -o list
#Psteal.py all in one: log2timeline and psort in a single step (it writes its own intermediate storage file)
psteal.py --source Win10_xxxx.dd -o l2tcsv -w timeline.csv
The storage (.dump/.plaso) file is a SQLite database (plaso 20190131 and later; earlier releases used a ZIP container), so it can be inspected with sqlite3 when pinfo.py does not answer the question.
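The --slice and date-filter commands above, plus the SQLite note, worked through as an added example (this is not code from the original page or from the plaso project). It builds the explicit `date > ... AND date < ...` filter that a +/- N minute slice around a pivot time corresponds to, so the window is reviewable and reusable, and checks the storage file's SQLite magic before handing it to psort. Assumptions: GNU date (for the `-d` relative arithmetic), pivot times given in UTC to match `psort.py -z UTC`, and psort.py optionally on PATH; when it is absent, or when `PSORT_DRY_RUN=1` is set, the command line is printed instead of run. The storage file used in the demo is a constructed stub containing only the SQLite header.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the plaso project: make the
# window that psort's --slice implies explicit as a date filter, and sanity
# check the storage file before a long psort run.
# Assumptions: GNU date (-d relative arithmetic); pivot times given in UTC,
# matching psort -z UTC; psort.py optional on PATH.
set -eu

# slice_filter 'YYYY-MM-DD hh:mm:ss' [MINUTES]
# Prints a plaso event filter for pivot +/- MINUTES (default 5, which is also
# psort's default --slice_size).
slice_filter() {
  local pivot=$1 minutes=${2:-5} start end
  start=$(date -u -d "$pivot UTC $minutes minutes ago" '+%Y-%m-%d %H:%M:%S')
  end=$(date -u -d "$pivot UTC $minutes minutes" '+%Y-%m-%d %H:%M:%S')
  printf "date > '%s' AND date < '%s'\n" "$start" "$end"
}

# is_plaso_storage FILE
# plaso storage files are SQLite databases whose first 16 bytes are the
# "SQLite format 3\0" magic; a quick check catches a truncated copy or the
# wrong file before psort spends an hour on it.
is_plaso_storage() {
  [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# psort_window STORAGE OUT 'YYYY-MM-DD hh:mm:ss' [MINUTES]
# Runs psort with the window when psort.py is available and PSORT_DRY_RUN is
# not set; otherwise prints the exact command line for review.
psort_window() {
  local storage=$1 out=$2 filter
  filter=$(slice_filter "$3" "${4:-5}")
  is_plaso_storage "$storage" || { echo "not a plaso storage file: $storage" >&2; return 1; }
  if [ "${PSORT_DRY_RUN:-0}" = 0 ] && command -v psort.py >/dev/null 2>&1; then
    psort.py -z UTC -o l2tcsv -w "$out" "$storage" "$filter"
  else
    printf "psort.py -z UTC -o l2tcsv -w '%s' '%s' \"%s\"\n" "$out" "$storage" "$filter"
  fi
}

# Stand-alone demo on a constructed stub file that holds only the SQLite magic,
# so it never invokes a real psort run.
demo_window() {
  local dir
  dir=$(mktemp -d)
  printf 'SQLite format 3\000' > "$dir/plaso.dump"
  PSORT_DRY_RUN=1
  psort_window "$dir/plaso.dump" "$dir/timeline.csv" '2023-03-14 09:13:44'
}

demo_window
```

The explicit filter is preferable to `--slice` when the window has to appear in a report or be rerun with a different output module: the same string goes verbatim into `psort.py ... plaso.dump "<filter>"`, and widening it is one argument change (`slice_filter '2023-03-14 09:13:44' 30` for +/- 30 minutes).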
Considerations
Anti-Forensics