I have not covered this before, so I will digress a bit into Perl and getting Perl scripts to run on your local machine. If you don't have ActivePerl installed, get it. It is the standard way to get a working Perl on a Windows box, and you will need it to run any of the Perl scripts discussed here.
Perl scripts depend on things called Perl modules, or .pm files. They are sort of like DLLs in that they are chunks of code that can be reused by many different scripts instead of each developer rewriting the same function. When you are going to run a new Perl script for the first time, open it in a text editor and look at the "use" lines near the top to see which modules the script is going to need. In the screenshot below, I just used the *nix command "more" to look at the first section of the script. Which reminds me, if you don't have UnxUtils installed on your Windows box, you probably want to get that as well. It contains Windows builds of a slew of *nix commands that are, again, extremely useful.
Here is the section of the code you want to look for…
If you don't have these modules installed, there are a couple of ways to get them. A quick way to find out whether a module is already present is to try loading it: running perl -MTime::localtime -e 1 exits silently if the module is installed and prints a "Can't locate" error if it is not. First, you can use the command "ppm", which stands for "Perl Package Manager", followed by the module name. So if you wanted to add the "Time::localtime" module, your command would look like this…
C:\tools> ppm install Time::localtime
There are other times when you want to install a module from a specific repository URL. For example, the University of Winnipeg in Canada hosts a great site for installing different modules (pick the PPMPackages directory that matches your ActivePerl build). In that case, your command would look like this…
C:\tools> ppm install http://cpan.uwinnipeg.ca/PPMPackages/10xx/
Once you have all of the Perl modules and dlls you will need to run your script, y
Something else you will probably want to do (for conve
Download log2timeline and uncompress it into its own directory…I put mine inside my C:\tools directory creating a directory called, “log2timeline”. From the command line, you
So, for my example, I am going to parse my local Mozilla Firefox history file (places.sqlite, the SQLite database Firefox 3 keeps its history in) into bodyfile format. To accomplish this, and for ease of use, I copied the file into my current working directory. This is not necessary though; I could simply provide the full path to the file. So, my command would simply be…
Now, to make this part of our timeline, all we need to do is redirect the output into our bodyfile and then parse that bodyfile with mactime, just as in the earlier posts…like so (use >> rather than > if you are appending to a bodyfile that already holds your fls and regtime output, since > overwrites it)…
C:\tools\log2timeline> perl log2timeline -f firefox3 places.sqlite > bodyfile3
And…when I open up the timeline with MS Excel, it looks like this…
Now if you come across a type of log file that is not currently supported, don’t worry. Since this is an open source script, feel free to write your own module for that specific type of log file. Or, if your Perl skillz are a bit lacking, you could contact Kristinn, and I bet he would write it for you (no promises).
So step back for a second and think about what I have covered in these last three posts on creating timelines. Using fls, you can create a timeline of the metadata timestamps of the active file system. Then, using regtime.pl (à la Harlan Carvey), you can extract the last write times from the registry hive files and include them in your timeline. Now add in log2timeline, and you can pull in all of the local system and application logs as well. Because all three tools write the same bodyfile format, the output simply concatenates and mactime sorts it into one view. What you will have at the end is what Rob Lee calls a "Super Timeline" that pretty much encompasses everything that has taken place on the machine and been recorded by these various mechanisms. You can now search by date, or time, or application, or keyword, or whatever, and get a quick snapshot of what was going on at that time, or with that application.
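To make the two steps above concrete (the Firefox parse into bodyfile format, and the merge of the fls, regtime.pl and log2timeline feeds into one super timeline), here is an added example in Python. It is not log2timeline's, regtime's or The Sleuth Kit's code: it builds a tiny Firefox 3 places.sqlite in memory from constructed sample data, turns each history visit into a TSK 3.x bodyfile line the way the firefox3 input module does (the exact wording of the name field is this example's own), merges those lines with two constructed lines standing in for fls and regtime.pl output, and then sorts everything into a mactime-style timeline. The file paths, URLs, registry key and timestamps are all made up for the example.

```python
import sqlite3
from datetime import datetime, timezone

# TSK 3.x bodyfile layout, shared by fls -m, regtime.pl and log2timeline:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Times are seconds since the Unix epoch; 0 means "no such timestamp".
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


def build_sample_places_db():
    """Constructed stand-in for a Firefox 3 places.sqlite, held in memory.

    Only the columns this example reads are created. visit_date is PRTime,
    i.e. microseconds since the epoch, exactly as in the real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.test/login', 'Login');
        INSERT INTO moz_places VALUES (2, 'http://example.test/download.exe', NULL);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1262692800000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1262692860000000, 1);
        INSERT INTO moz_historyvisits VALUES (3, 1, 1262696400000000, 2);
    """)
    return conn


def firefox_bodyfile(conn):
    """One bodyfile line per history visit (what -f firefox3 produces).

    All four timestamp slots carry the visit time, so mactime flags the
    row "macb". The name text is this example's wording, not log2timeline's.
    """
    rows = conn.execute("""
        SELECT v.id, v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
    """)
    lines = []
    for visit_id, visit_date, url, title in rows:
        ts = visit_date // 1_000_000          # PRTime microseconds -> seconds
        name = f"[Firefox 3 history] URL visited: {url} ({title or 'no title'})"
        lines.append("|".join(["0", name, str(visit_id), "", "0", "0", "0",
                               str(ts), str(ts), str(ts), str(ts)]))
    return lines


# Constructed lines standing in for the other two feeds of the super timeline:
# a file-system entry as fls -m would emit it, and a registry key as regtime.pl
# would emit it (every slot set to the key's last write time).
OTHER_BODYFILE_LINES = [
    "0|C:/Users/chris/Downloads/download.exe|12345|r/rrwxrwxrwx|0|0|51200"
    "|1262692862|1262692865|1262692865|1262692861",
    "0|[HKLM/SYSTEM] ControlSet001/Services/SampleSvc|0|0|0|0|0"
    "|1262692900|1262692900|1262692900|1262692900",
]


def parse_bodyfile(lines):
    """Split bodyfile lines into dicts, rejecting lines with the wrong field count."""
    entries = []
    for line in lines:
        parts = line.rstrip("\n").split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed bodyfile line: {line!r}")
        entry = dict(zip(FIELDS, parts))
        for key in ("atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def mactime(entries):
    """(epoch, MACB flags, entry) tuples sorted by time, one row per distinct
    timestamp an entry carries; zero timestamps are skipped, as mactime does."""
    rows = []
    for e in entries:
        for ts in sorted({e["mtime"], e["atime"], e["ctime"], e["crtime"]} - {0}):
            flags = "".join(ch if e[key] == ts else "."
                            for ch, key in (("m", "mtime"), ("a", "atime"),
                                            ("c", "ctime"), ("b", "crtime")))
            rows.append((ts, flags, e))
    rows.sort(key=lambda r: (r[0], r[2]["name"]))
    return rows


def format_row(ts, flags, e):
    """Render a row in the CSV shape mactime -d produces (UTC)."""
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return ",".join([when, e["size"], flags, e["mode"], e["uid"], e["gid"],
                     e["inode"], e["name"]])


def super_timeline(conn, extra_lines):
    """Merge the Firefox feed with the other bodyfile feeds and sort them."""
    entries = parse_bodyfile(firefox_bodyfile(conn) + list(extra_lines))
    return [format_row(*row) for row in mactime(entries)]


if __name__ == "__main__":
    for row in super_timeline(build_sample_places_db(), OTHER_BODYFILE_LINES):
        print(row)
```

Running it prints seven rows: the file entry from fls splits into three (its created, accessed and modified/changed times differ), while the Firefox visits and the registry key each produce a single "macb" row because every timestamp slot holds the same value. Note that the merged order only means something if all three feeds were generated in the same time zone, so check that before trusting the sequence.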
This is a HUGE development in our profession! Not only will this add speed and efficiency into your investigations, but it will provide multiple additional data points that will either help you solidify your working theory, or will provide the additional resources you will need to reshape your theory to fit the data. Pretty sweet huh!
So, now you may be saying to yourself…This is so great Chris! I want to buy you dinner! But determining which logs to include in my log2timeline commands is kind of a pain. And I have to hit up arrow like 17 times and change the type of log and the path. What would be really kewl is if there was some sort of tool that would search for me. It would take a path as input, then it would search for all of the log files supported by log2timeline, and parse those into my bodyfile. Well…I have some good news for you…there is just such a tool! It’s called, “Timescanner” and I will cover it in my next post!