Friday, November 30, 2012

Timeline Analysis


Log2timeline 0.65 on Windows 7 with Strawberry Perl

Install Strawberry Perl 5.16.2.1 from http://strawberryperl.com.

Open a command prompt and paste the following into it to install the additional Perl modules log2timeline needs:

cpan DateTime Date::Manip XML::LibXML Carp::Assert Digest::CRC Data::Hexify Image::ExifTool File::Mork DateTime::Format::Strptime Parse::Win32Registry HTML::Scrubber Mac::PropertyList XML::Entities

Note: run this command a few times to make sure that everything installed correctly. If it did, you should see the following results.


C:\Users\matt>cpan DateTime Date::Manip XML::LibXML Carp::Assert Digest::CRC Data::Hexify Image::ExifTool File::Mork DateTime::Format::Strptime Parse::Win32Registry HTML::Scrubber Mac::PropertyList XML::Entities
CPAN: CPAN::SQLite loaded ok (v0.202)
Database was generated on Sun, 02 Dec 2012 09:01:35 GMT
CPAN: Module::CoreList loaded ok (v2.76)
DateTime is up to date (0.78).
Date::Manip is up to date (6.37).
XML::LibXML is up to date (2.0012).
Carp::Assert is up to date (0.20).
Digest::CRC is up to date (0.18).
Data::Hexify is up to date (1.00).
Image::ExifTool is up to date (9.04).
File::Mork is up to date (0.3).
DateTime::Format::Strptime is up to date (1.52).
Parse::Win32Registry is up to date (1.0).
HTML::Scrubber is up to date (0.09).
Mac::PropertyList is up to date (1.38).
XML::Entities is up to date (1.0001).


Download log2timeline_0.65 from http://code.google.com/p/log2timeline/ and extract it.

Once it's extracted, cd into the log2timeline_0.65 directory that was just created and delete the file lib/Log2t/input/pcap.pm.

Create a file named install.bat in the log2timeline_0.65 directory and put the following commands in it:

rem install.bat: copy log2timeline 0.65 into the Strawberry Perl library and bin directories
rem (run from inside the extracted log2timeline_0.65 directory)
rem parser modules shipped with log2timeline
xcopy /S lib\Parse\* c:\strawberry\perl\lib\Parse\
rem log2timeline's own input/output/preprocessing modules
mkdir c:\strawberry\perl\lib\Log2t
xcopy /S lib\Log2t\* c:\strawberry\perl\lib\Log2t\
copy lib\Log2Timeline.pm c:\strawberry\perl\lib\Log2Timeline.pm
rem the front-end scripts, renamed with a .pl extension so Windows runs them with Perl
copy log2timeline c:\strawberry\perl\site\bin\log2timeline.pl
copy l2t_process_old c:\strawberry\perl\site\bin\l2t_process.pl
copy timescanner c:\strawberry\perl\site\bin\timescanner.pl

Run the install.bat you just created from inside your log2timeline_0.65 directory.

Once it's finished you should have a working copy of log2timeline on your Windows system.
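Rather than re-running cpan until the output looks right, the following script (an added example written for this post; it is not part of log2timeline or the original write-up) checks that every module from the cpan command above, plus the Log2Timeline.pm that install.bat copied into c:\strawberry\perl\lib, actually loads under the Strawberry Perl that will run log2timeline. Save it as check_l2t.pl anywhere and run "perl check_l2t.pl" from a command prompt; the file name and the idea of checking Log2Timeline itself are this example's own additions.

```perl
#!/usr/bin/perl
# check_l2t.pl -- confirm that the Perl modules log2timeline 0.65 depends on
# can be loaded by this Perl. Added example for this post, not part of log2timeline.
use strict;
use warnings;

# The CPAN module list is the one from the cpan command in the post above;
# Log2Timeline is the module install.bat copies into the Perl lib directory.
my @modules = qw(
    DateTime Date::Manip XML::LibXML Carp::Assert Digest::CRC Data::Hexify
    Image::ExifTool File::Mork DateTime::Format::Strptime Parse::Win32Registry
    HTML::Scrubber Mac::PropertyList XML::Entities
    Log2Timeline
);

# Try to load each module at runtime. Returns a hashref mapping module name to
# its version string ('unknown' if it declares none), or undef if it failed to load.
sub check_modules {
    my @wanted = @_;
    my %result;
    for my $mod (@wanted) {
        # eval catches a missing or broken module instead of aborting the script
        if (eval "require $mod; 1") {
            my $version = $mod->VERSION;          # UNIVERSAL::VERSION, undef if not set
            $result{$mod} = defined $version ? $version : 'unknown';
        } else {
            $result{$mod} = undef;
        }
    }
    return \%result;
}

my $status  = check_modules(@modules);
my $missing = 0;
for my $mod (@modules) {
    if (defined $status->{$mod}) {
        printf "ok       %-28s %s\n", $mod, $status->{$mod};
    } else {
        printf "MISSING  %s\n", $mod;
        $missing++;
    }
}

if ($missing) {
    print "$missing module(s) failed to load; re-run cpan for the CPAN ones, ",
          "or re-run install.bat if Log2Timeline is the one missing.\n";
    exit 1;
}
print "All modules load; log2timeline should run.\n";
exit 0;
```

A non-zero exit status makes the check easy to use at the end of a scripted build of an analysis workstation, and a module reported as MISSING tells you exactly which cpan install to repeat instead of re-running the whole list.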

You can now run "log2timeline.pl" from a command prompt and feed it some data, for instance evidence files collected with TriageIR.

See the following post for basic instructions on using Rob Lee's colorized Excel template for analyzing your timeline:

http://computer-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files


