Log2Timeline Tutorial

Forensic Labs
7 min readMar 5, 2018

--

Log2Timeline is a tool for generating forensic timelines from digital evidence, such as disk images or event logs.

We’ve built a platform to automate incident response and forensics in cloud environments like AWS/Azure/GCP— you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Installing Log2Timeline from source-code

You can download the Python source code for Log2Timeline from:

https://github.com/log2timeline/plaso
(Click Download zip or clone with Git)

Then install the required Python Libraries with:

  • pip install -r requirements.txt

You can download Python from https://www.python.org/downloads

One of the required libraries (pylzma) can have issues running on Windows, so you may need to run the compiled binaries (below) instead.

Alternatively to running straight from the source-code, there are a number of precompiled binaries available:

Installing Log2Timeline on Ubuntu

Run:

sudo apt-get update
sudo apt-get install python-plaso plaso-tools

See more at https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release

Installing Log2Timeline on Fedora

Run:

sudo dnf install dnf-plugins-core
sudo dnf copr enable
@gift/stable
sudo apt-get install python-plaso plaso-tools

See more at https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release

Installing Log2Timeline on Mac OS X
Download the latest .dmg file from:
https://github.com/log2timeline/plaso/releases

Then run install.sh in the terminal

Installing Log2Timeline on Windows
On Windows, it’s easiest to use the precompiled .exe files available at:
https://github.com/log2timeline/plaso/releases

About Log2Timeline

Formerly log2timline was a single perl script — now it is a more stable Python library.
At it’s core it consists of:

  • plaso.py — which turns evidence files into a standardised timeline format
  • log2timeline.py — which turns the generated timeline into a readable output format — such as a CSV file

Generating a Log2Timeline Body File
The following command will generate a timeline file (timeline.plaso) from a disk image (drive.e01):
log2timeline timeline.plaso drive.e01
Or the same command when run from python:
python log2timeline.py timeline.plaso drive.e01

Outputting a Log2Timeline

The most common format for outputting a Log2Timeline is a CSV file, but there are many to choose from:

l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
xlsx : Excel Spreadsheet (XLSX) output
l2ttln : Extended TLN 7 field | delimited output.
4n6time_sqlite : Saves the data in a SQLite database, used by the tool 4n6time.
kml : Saves events with geography data into a KML format.
dynamic : Dynamic selection of fields for a separated value output
format.
rawpy : “raw” (or native) Python output.
json : Saves the events into a JSON format.
null : Output module that does not output anything.
tln : TLN 5 field | delimited output.
json_line : Saves the events into a JSON line format.

(Table taken from Log2Timeline)

Log2Timeline Cheatsheet
There is a great cheatsheet available from SANS at https://digital-forensics.sans.org/media/log2timeline_cheatsheet.pdf

Is Log2Timeline Slow ?
Parsing large evidence files is a computationally exhaustive process.
Earlier Perl versions of Log2Timeline suffered from known memory leaks, but these have been fixed some time ago.

Beyond running on a high a specification machine as possible, consider splitting Log2Timeline tasks to run across a number of machines.
If you’re leaving Log2Timeline running over a weekend — strongly consider the possibility that it will crash.
If you’re running multiple instances, atleast you won’t lose all the processing.

Log2Timeline and Timezones

By default Log2Timeline will output times in the UTC timezone. It’s probably easiest to stick to UTC for consistency, but if you need to set a specific timezone can you can so with the -z option, for example:

-z UTC

Log2Timeline Parsers

Parsers include:

amcache : Parser for Amcache Registry entries.
android_app_usage : Parser for Android usage-history.xml files.
asl_log : Parser for ASL log files.
bash : Parser for Bash history files
bencode : Parser for bencoded files.
binary_cookies : Parser for Safari Binary Cookie files.
bsm_log : Parser for BSM log files.
chrome_cache : Parser for Chrome Cache files.
chrome_preferences : Parser for Chrome Preferences files.
cups_ipp : Parser for CUPS IPP files.
custom_destinations : Parser for *.customDestinations-ms files.
dockerjson : Parser for JSON Docker files.
dpkg : Parser for Debian dpkg.log files.
esedb : Parser for Extensible Storage Engine (ESE) database
files.
filestat : Parser for file system stat information.
firefox_cache : Parser for Firefox Cache version 1 files (Firefox 31 or
earlier).
firefox_cache2 : Parser for Firefox Cache version 2 files (Firefox 32 or
later).
fsevents : Parser for fseventsd files.
gdrive_synclog : Parser for Google Drive Sync log files.
java_idx : Parser for Java WebStart Cache IDX files.
lnk : Parser for Windows Shortcut (LNK) files.
mac_appfirewall_log : Parser for appfirewall.log files.
mac_keychain : Parser for MacOS Keychain files.
mac_securityd : Parser for MacOS securityd log files.
mactime : Parser for SleuthKit version 3 bodyfiles.
macwifi : Parser for MacOS wifi.log files.
mcafee_protection : Parser for McAfee AV Access Protection log files.
mft : Parser for NTFS $MFT metadata files.
msiecf : Parser for MSIE Cache Files (MSIECF) also known as
index.dat.
olecf : Parser for OLE Compound Files (OLECF).
openxml : Parser for OpenXML (OXML) files.
opera_global : Parser for Opera global_history.dat files.
opera_typed_history : Parser for Opera typed_history.xml files.
pe : Parser for Portable Executable (PE) files.
plist : Parser for binary and text plist files.
pls_recall : Parser for PL/SQL Recall files.
popularity_contest : Parser for popularity contest log files.
prefetch : Parser for Windows Prefetch files.
recycle_bin : Parser for Windows $Recycle.Bin $I files.
recycle_bin_info2 : Parser for Windows Recycler INFO2 files.
rplog : Parser for Windows Restore Point (rp.log) files.
sccm : Parser for SCCM logs files.
selinux : Parser for SELinux audit.log files.
skydrive_log : Parser for OneDrive (or SkyDrive) log files.
skydrive_log_old : Parser for OneDrive (or SkyDrive) old log files.
sophos_av : Parser for Anti-Virus log (SAV.txt) files.
sqlite : Parser for SQLite database files.
symantec_scanlog : Parser for Symantec Anti-Virus log files.
syslog : Syslog Parser
usnjrnl : Parser for NTFS USN change journal ($UsnJrnl).
utmp : Parser for Linux/Unix UTMP files.
utmpx : Parser for UTMPX files.
winevt : Parser for Windows EventLog (EVT) files.
winevtx : Parser for Windows XML EventLog (EVTX) files.
winfirewall : Parser for Windows Firewall Log files.
winiis : Parser for Microsoft IIS log files.
winjob : Parser for Windows Scheduled Task job (or At-job) files.
winreg : Parser for Windows NT Registry (REGF) files.
xchatlog : Parser for XChat log files.
xchatscrollback : Parser for XChat scrollback log files.
zsh_extended_history : Parser for ZSH extended history files
airport : Parser for Airport plist files.
android_calls : Parser for Android calls SQLite
database files.
android_sms : Parser for Android text messages SQLite
database files.
android_webview : Parser for Android WebView databases
android_webviewcache : Parser for Android WebViewCache
databases
appcompatcache : Parser for Application Compatibility
Cache Registry data.
apple_id : Parser for Apple account information
plist files.
appusage : Parser for MacOS application usage
SQLite database files.
bagmru : Parser for BagMRU Registry data.
bencode_transmission : Parser for Transmission bencoded files.
bencode_utorrent : Parser for uTorrent bencoded files.
ccleaner : Parser for CCleaner Registry data.
chrome_27_history : Parser for Google Chrome 27–63
history SQLite database files.
chrome_8_history : Parser for Google Chrome 8–25 history
SQLite database files.
chrome_cookies : Parser for Chrome cookies SQLite
database files.
chrome_extension_activity : Parser for Chrome extension activity
SQLite database files.
cron : Parser for syslog cron messages.
explorer_mountpoints2 : Parser for mount points Registry data.
explorer_programscache : Parser for Explorer ProgramsCache
Registry data.
file_history : Parser for File History ESE database
files.
firefox_cookies : Parser for Firefox cookies SQLite
database files.
firefox_downloads : Parser for Firefox downloads SQLite
database files.
firefox_history : Parser for Firefox history SQLite
database files.
google_drive : Parser for Google Drive SQLite database
files.
imessage : Parser for the iMessage and SMS SQLite
databases on OSX and iOS.
ipod_device : Parser for iPod, iPad and iPhone plist
files.
kik_messenger : Parser for iOS Kik messenger SQLite
database files.
ls_quarantine : Parser for LS quarantine events SQLite
database files.
mac_document_versions : Parser for document revisions SQLite
database files.
mackeeper_cache : Parser for MacKeeper Cache SQLite
database files.
macosx_bluetooth : Parser for Bluetooth plist files.
macosx_install_history : Parser for installation history plist
files.
macuser : Parser for MacOS user plist files.
maxos_software_update : Parser for MacOS software update plist
files.
microsoft_office_mru : Parser for Microsoft Office MRU
Registry data.
microsoft_outlook_mru : Parser for Microsoft Outlook search MRU
Registry data.
mrulist_shell_item_list : Parser for Most Recently Used (MRU)
Registry data.
mrulist_string : Parser for Most Recently Used (MRU)
Registry data.
mrulistex_shell_item_list : Parser for Most Recently Used (MRU)
Registry data.
mrulistex_string : Parser for Most Recently Used (MRU)
Registry data.
mrulistex_string_and_shell_item : Parser for Most Recently Used (MRU)
Registry data.
mrulistex_string_and_shell_item_list : Parser for Most Recently Used (MRU)
Registry data.
msie_webcache : Parser for MSIE WebCache ESE database
files.
msie_zone : Parser for Internet Explorer zone
settings Registry data.
mstsc_rdp : Parser for Terminal Server Client
Connection Registry data.
mstsc_rdp_mru : Parser for Terminal Server Client MRU
Registry data.
network_drives : Parser for Network Registry data.
olecf_automatic_destinations : Parser for *.automaticDestinations-ms
OLECF files.
olecf_default : Parser for a generic OLECF item.
olecf_document_summary : Parser for a DocumentSummaryInformation
OLECF stream.
olecf_summary : Parser for a SummaryInformation OLECF
stream.
plist_default : Parser for plist files.
safari_history : Parser for Safari history plist files.
skype : Parser for Skype SQLite database files.
spotlight : Parser for Spotlight plist files.
spotlight_volume : Parser for Spotlight volume
configuration plist files.
srum : Parser for System Resource Usage
Monitor (SRUM) ESE database files.
ssh : Parser for SSH syslog entries.
time_machine : Parser for TimeMachine plist files.
twitter_ios : Parser for Twitter on iOS 8+ database
userassist : Parser for User Assist Registry data.
windows_boot_execute : Parser for Boot Execution Registry data.
windows_boot_verify : Parser for Boot Verification Registry
data.
windows_run : Parser for run and run once Registry
data.
windows_sam_users : Parser for SAM Users and Names Registry
keys.
windows_services : Parser for services and drivers
Registry data.
windows_shutdown : Parser for ShutdownTime Registry value.
windows_task_cache : Parser for Task Scheduler cache
Registry data.
windows_timezone : Parser for Windows timezone settings.
windows_typed_urls : Parser for Explorer typed URLs Registry
data.
windows_usb_devices : Parser for USB device Registry entries.
windows_usbstor_devices : Parser for USB Plug And Play Manager
USBStor Registry Key.
windows_version : Parser for Windows version Registry
data.
winlogon : Parser for winlogon Registry data.
winrar_mru : Parser for WinRAR History Registry data.
winreg_default : Parser for Registry data.
zeitgeist : Parser for Zeitgeist activity SQLite
database files.

(Taken from log2timeline.py)

Supported file extensions include:

asl, bsm, bz2, conf, csv, DAT, db, db-wal, dd, doc, docx, E01, E02, edb, Evt, evtx, exe, gz, hve, idx, job, jpg, keychain, lnk, Log, pcap, pf, plaso, plist, qcow2, raw, rules, sql, sqlite, sys, tar, tgz, txt, tzif, vhd, vmdk, xml, zip

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.

--

--

No responses yet