Timeline Creation and Analysis Guides
Written by Chapin Bryce
Researched by Chapin Bryce
175 Lakeside Ave, Room 300A
Phone: 802/865-5744
Fax: 802/865-6446
http://www.lcdi.champlin.edu
Disclaimer:
This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated.
1 Introduction
1.1 How to use this guide
This document has 5 guides that provide information about timeline creation and analysis for several different tools and platforms. Navigate to the desired guide via the table of contents. Since the tools each have a different set of strengths, sections 1.2 through 1.6 evaluate the different options and use cases for timeline generation. For most situations involving heavy use of timeline analysis, Log2Timeline is going to be the best fit for the situation, since the tools was designed for the specific task of timeline generation.
1.2 Overview of EnCase
EnCase is a popular industry tool that is used for a lot of investigations. Timeline creation with EnCase is useful if your case is already loaded into and processed by the tool. Especially when timelines are lightly used within the case, the EnCase timeline feature is the best option.
1.3 Overview of Forensic Tool Kit
AccessData’s Forensic Tool Kit (FTK) provides another industry method for case analysis. Though FTK does not has a timeline view, like EnCase, it can be more difficult to seamlessly integrate the timeline data from FTK. Once again, FTK is best suited for use when timeline analysis is not the main focus, but a secondary component in the investigation since it requires additional processing.
1.4 Overview of Log2Timeline
Log2Timeline is an open source command line tool created by Kristenn Gudjonsson. Log2Timeline has become known for its ability to efficiently and accurately provide timeline information for mounted logical devices, while operating at the partition level. Log2Timeline is written in Perl, and it works by reading through a filesystem and outputting the metadata in a report format (.csv by default). The outputted report provides the date, time, date/time type, module used, and file location of the data on the partition. Log2Timeline is capable of scanning through folders and directories individually or an entire mounted partition at once. Please note that since these partitions must be mounted (as read-only for data integrity purposes), the host machine determines which file systems Log2Timeline is capable of parsing through.
1.4.1 Log2Timeline Modules
Log2Timeline is a framework that comes with a series of modules for examiners to use to extract specific information from a device. This includes clusters of modules for Linux, Macintosh, Windows 7, Windows XP, and Windows Server. In addition the module clusters, Log2Timeline also includes task specific modules, such as web history, and options for running the tool against images without registry information. For a complete list of modules, see Figure 1. These modules can be run individually, or if a cluster is selected, it will run the modules within the cluster. The modules ability of Log2Timeline makes it flexible for case work and allows the user to select the scope that Log2Timeline runs.
1.4.2 Log2Timeline Time zones
In addition to the range of available modules that Log2Timeline can run, it supports 555 different time zone options covering a large number of cities as well as every continental time zone. Log2Timeline has an extensive list of redundant time zones to ensure that daylight savings time is included/excluded based on the region also. For a complete list of time zones, run log2timeline –z list in the command prompt.
1.4.3 Log2Timeline Output
Log2Timeline supports multiple output formats for the data retrieved and parsed from the target source. The default output is CSV (Comma Separated Values), which can be opened in Microsoft Excel or any other worksheet application. CSV is a universal format and is simple for many applications to interpret and display. In addition to the default CSV format is the Mactime format. The Mactime format is closely focused on UNIX file systems, so it would not provide some information for Windows file systems (such as inode information) because the two file systems use different organizational structures. This format is used by Sleuth Kit (TSK), which outputs Date, Time, Size of file, Record Type, UNIX Permissions, User ID, Group ID, inode (for UNIX systems), and filename1. Mactime is stored as a bodyfile format and is encoded in plain text.
Figure 1
1.4.4 Other Log2Timeline Options
Log2Timeline allows the standard output (STDOUT), the information displayed in the command/terminal window, to be saved as a text file for later review. The –log file/path/to/log.txt option allows you to export essential information regarding errors encountered, the run modules, start and end time, timezone selected, and output module selected to a log file. This information is worth saving, making the -log option a necessity in running the command. Another useful option is the –r option, which tells Log2Timeline to run recursively across the source directory. This is useful when running across an entire partition or all of the subfolders within the source directory. When the recursive option is selected, the preprocessing option, -p, should be run to allow Log2Timeline to parse information from the source for use with some of the modules.
With the versatility to run across multiple platforms and the options to generate timelines for sources with a variety of time zones and operating systems, the Log2Timeline framework is the cornerstone of forensic timeline creation. What makes this framework so incredibly popular and widely known is its integration with different forensic platforms such as SIFT and TAPEWORM.
1.5 Log2Timeline in SIFT
SIFT is a preconfigured virtual machine appliance developed, managed, and released by SANS Forensics. SANS Investigative Forensic Toolkit (SIFT) is a suite of preinstalled open source forensic tools, allowing investigators to download a prebuilt virtual machine (VM) they can run and use for analysis of a case. SIFT prevents investigators from facing tedious installation and configuration of open source tools. This VM includes the Log2Timeline framework as well as a custom version of Log2Timeline that can be run from the terminal within SIFT to further simplify the timeline creation process.
1.5.1 Preparing Sources for Log2Timeline in SIFT
Forensic acquisitions use a variety of file types and extensions. The DD, also known as RAW, format saves a bit for bit copy of the drive as a file. This format does not support compression or encryption. This format can also be interpreted by the Linux mount command, used in SIFT, to mount acquired exhibits as virtual read-only partitions.
Since DD images do not support compression or encryption, the E01 format is commonly used to provide both compression and encryption
2 Timeline Creation and Analysis with EnCase 6.19 and 7.04
2.1 Timeline Analysis with EnCase 6.19
EnCase offers a built-in timeline feature capable of beginning a timeline analysis from the case file already loaded into the software. This easy-to-use timeline feature can either be used as a method to initially focus on a known date and time or to narrow results using a date and time window.
To begin timeline analysis with EnCase 6.19, a case must be created or opened and evidence must be added to it (see Figure 1).
Figure 2 – Creating a Case in EnCase 6.19
Once evidence is added into EnCase, and the software is done parsing the MFT (Master File Table) and other pre-processing requirements, the timeline feature can be used. By green plating an evidence file (whether it is an entire case, partition, folder, or uncompressed compound file), all of the entries within the evidence file will be displayed. Then, after selecting the “Timeline” view from the right pane, the program will display a graphical representation of the drive in relation to the calendar displayed (See Figure 2).
Figure 3 – Timeline Year View in Encase 6.19
To change the focus, a user can zoom in on the data in a specific range by double clicking on a cell. The right click menu can be used to zoom in and out as well. The focus ranges from a year view (Figure 2) to a minute view (Figure 3), and the focus can also be modified using the options menu and adjusting the resolution (See Figure 4).
Figure 4 – Timeline Minute View in EnCase 6.19
Figure 5 – Adjusting the Timeline Resolution in Encase 6.19
EnCase 6.19 does not have a native timeline exporting tool comparable to Log2Timeline. EnCase is intended for case analysis while Log2Timeline is designed as a preprocessing platform. EnCase excels at case analysis, however, and has the ability to mount files in the case so that each one is revealed. This allows each file to be individually identified and processed, a feature missing from Log2Timeline.
2.2 Timeline Analysis with EnCase 7.04
EnCase 7.04 is a newer version of Guidance Software’s forensic tool suite with an added graphic interface upgrade, along with a number of other usability modifications. The Timeline feature was improved through the major version update, and this new version offers more usability than EnCase 6.19.
As with EnCase 6.19, a case needs to be created and evidence must be added before the timeline feature can be utilized. Once the evidence is added, it is good practice to run the file mounter option in the case processor, to ensure that all files within compound files are expanded and accurately represented by the EnCase timeline.
Similar to EnCase 6.19, a green plated evidence file can be viewed by the timeline tab within the evidence pane. Within the Timeline tab, there are buttons to increase/decrease the timeline resolution, making it more convenient to use the timeline feature within EnCase.
Figure 6 – Updated Resolution Buttons
Similarly to EnCase 6.19, EnCase 7.04 does not offer a timeline exporting tool similar to Log2Timeline, though EnCase 7.04 is meant for case analysis not preprocessing as Log2Timeline is. However, it should be noted that Encase 6.19 and 7.04 both support EnScripts, which can use the EnCase platform to create an exported timeline similar to Log2Timeline.
2.3 Timeline Analysis with Geoff Black’s Timeline EnScript
EnCase 6.19 and 7.04 both contain timeline functionality, although it is only available for use within the program and without an easy timeline exporting tool, such as with Log2Timeline. The EnScripting feature of EnCase allows for EnScripts to be written for creating additional functionality. Geoff Black created a Timeline EnScript that uses the evidence loaded into an opened case, using EnCase as the source for creating timelines. His script may be downloaded at: GeoffBlack’s Timeline EnScript. This file must be unzipped and placed within the EnCase installation directory in the EnScript folder.
To create a timeline using this EnScript, the target evidence must be loaded into a case in EnCase (see Figure 1). Once loaded in, it is best practice to always run the file mounter EnScript, to ensure all of the compound files can be accurately represented. For the EnScript, use the blue checking to select which files should be included in the exported timeline. Once the files are selected, open the Timeline Report EnScript within the EnScript pane of EnCase, and the option window will appear (see Figure 6). In this window, a series of options can be selected for creating a timeline (see Figure 6).
Figure 7 – EnCase Timeline Report EnScript
Figure 8 – Run Notes from EnScript
The script ran quickly and took roughly nine seconds to process the entire partition [See Figure 7]. While faster than Log2Timeline, the time to create the case and set it up should be accounted for as well. This timeline created by EnScript will contain more data than its log2timeline counterpart, as it has expanded compound files, but it also creates additional entries due to its structure. The exported TSV document of the timeline is shown in Figure 8, and the HTML output is show in Figure 9.
Figure 9 – CSV EnScript Output
Figure 10 – HTML EnScript Output
The HTML outputs are split into multiple files and are sorted by Firefox (FF) and Internet Explorer (IE) file types. Each file is split when it is around 11 MB in size. It appears that the TSV file does not split, although it was only tested at 15MB.
3 Timeline Creation and Analysis with Forensic Tool Kit 4
3.1 Timeline Analysis with Forensic Tool Kit 4
AccessData’s Forensic Tool Kit (FTK) is a case analysis tool. To use FTK for timeline analysis, the preprocessing options (displayed when adding evidence to the case) must be used. Unlike EnCase, FTK does not have a built-in feature to display timeline information. To create a timeline report for viewing, a case must first be created [See Figure 1].
Figure 11
Once the new case is opened, evidence must be added to the case [See Figure 2]. FTK is built to handle multiple partitions and file system types, including HFS+, EXT4, NTFS, and FAT partitions, all found in the FIRE image used for this guide.
Figure 12
Once evidence is added to the case, selecting the refinement options allows the desired processing options to run. To create a timeline in FTK, remember to select the HTML and/or CSV file listing options from the evidence processing window [See Figure 3]. These options tell FTK to create a list of files in HTML/CSV format, including the path, file name, MAC timestamps, and MD5, among others. This is the only feature allowing for timeline analysis of the drive, so be extra diligent in selecting them while processing the case.
Figure 13
Figure 14
Running the preprocessing with this many options selected can be time consuming and can also cause FTK to consume a large number of computer resources while it runs. Once the task is complete, navigate to the job folder or select the job folder button on the data processing window [See Figure 4]. Within the case directory are the HTML/CSV file listings generated by FTK [See Figure 5].
Figure 15
The CSV report can be opened with Microsoft Excel and formatted as desired [See Figure 6].
Figure 16
The HTML document can be opened with any web browser [See Figure 7].
Figure 17
It is important to note that both report types contain file names & attributes, such as MD5 and logical sizes, along with created/modified/accessed dates for each entry found within the FTK 4.1 case for the evidence.
4 Timeline Creation and Analysis with Log2Timeline in SIFT 2.14
4.1 Configuring SIFT for Log2Timeline
SIFT 2.14 can be downloaded after registering for an account. A custom download link will be made available, and the .zip file containing the preconfigured virtual appliance can be downloaded at that point. Once the download is completed and the files are extracted from the archive, the virtual machine (VM) can be opened in VMWare, or another virtualization product. See Figure 1 for an example of SIFT opened in VMWare Workstation 9.
Figure 18 – SIFT VM unzipped and ready for use
The minimum specifications are preconfigured into this VM( Figure 1), but can be altered if more memory or processing is available. Figure 2 shows increased allocations for the SIFT VM.
Figure 19 – Configuring the Virtual Machine
Additionally, you can adjust the virtual machine settings to enable shared folders between the host and guest machines. This allows for the virtual machine to read exhibits from the host machine and to export the output to the host computer. How to enable this feature is shown in Figure 3.
Figure 20 – Enable Shared Folders
With shared folders enabled, the virtual machine can be powered on, and SIFT is ready for use on the workstation. The login screen will appear, prompting for the password (forensics) before granting access (see Figure 4).
Figure 21 – SIFT 2.14 login window
4.2 Preparing Exhibits for Log2Timeline in SIFT
Once a user is logged in, SIFT’s desktop appears and presents a terminal window. Since the shared folders have been enabled before startup, the exhibits saved on the local machine are accessible via the virtual machine, with the opposite being true as well. Exhibits can be acquired in a few different formats, including E01 and DD (Raw). There are a number of different methods for readying these acquisitions for use. Since the acquisition is a block file, it has to be mounted so the data inside of it can be read as a block deviceFigure 5). The E01 (EnCase evidence file) format is extremely popular, as it allows for compression, encryption, and is compatible with most forensic tools. To convert the E01 for use in SIFT the ewfmount command must be run. This command will convert the source E01 file (VMware-Shared-Drive/Host-Drive/FIRE04192013/FIRE-041913.E01) to a mount point where it can be interpreted as an uncompressed block file (mount_points/ewf).
Figure 22 – Using ewfmount to prepare the E01 file for use with Log2Timeline
If the exhibit is Microsoft Windows only, skip to the next section to the section about log2timline-sift which is Windows only. Drives with partitions other than NTFS (Microsoft Windows) need further processing before use with Log2Timeline. To ensure that Macintosh or Linux partitions are completely processed, they must be fully mounted. Once the ewfmount command is run, the individual partitions must be mounted from the newly converted block file. SIFT also has the mmls utility bundle, llowing for partition structures to be viewed.
Figure 23 – MMLS partition table listing
Another command that provides essential information when preparing the block file to be mounted is the parted framework. This framework allows the partition information to be read from a block file. Parted shows information regarding the specific file systems in place on the block file as well as byte information, as opposed to sector information provided my mmls (Figure 7).
Figure 24 – Linux Parted command providing more partition information
To convert the sector offsets listed by mmls to the byte offset needed for the mount command, the starting sector should be multiplied by the Bytes per sector (See Table 1 for an example conversion).
Table 1 – Converting mmls sector offset to byte offset.
Now that the partitions within the block file have been identified, they can be individually mounted. Using the Linux mount command, the Windows partition is mounted to a pre-made directory illustrated in Figure 8.
Figure 25 – Mounting the Windows partition with the Linux mount command
This same mount process can be repeated for the offsets provided by the mmls conversions (Figure 9 shows Linux mounting only).
Figure 26 – Mounting Linux partition with the Linux Mount Command.
Once the partitions are mounted, SIFT is able to run Log2Timeline against the exhibit. Skip to the section Running Log2Timeline to create a timeline from the new mount point.
4.3 Running Log2Timeline-SIFT
SIFT has created a custom version of Log2Timeline with the command log2timeline-sift, easing the process of mounting the exhibit and running the command against a Windows only partition. This automation selects the default options for log2timeline and begins processing. Figure 10 is a capture of the command used to run log2timeline-sift against the exhibit. Note the command needs the timezone (-z) and image mount point (-i) from the ewfmount step (if the image was in a DD/raw format, select that file for use with log2timeline-sift).
Figure 27 – Using log2timeline-sift to create a timeline for the Windows partition.
When the command is complete, the output is placed in the “cases” directory on the SIFT desktop. From here, the CSV file can be copied onto the host machine and opened with Microsoft Excel. Once the file is opened in Excel, the columns must be delimited, as Excel does not automatically parse the information into columns (See Figure 11). If it parses correctly, it will look similar to the worksheet shown in Figure 12.
Figure 28 – Delimiting CSV document in Excel
Figure 29 – Log2Timeline-SIFT output in Excel
4.4 Running Log2Timeline for Linux and Macintosh Partitions
The log2timeline-sift command automates actions for timeline creation with Windows partitions in SIFT. To create a timeline with log2timeline against other partition types, such as Linux and Macintosh, log2timeline has to be run manually. Please refer to the section on mounting for information on how to mount and prepare evidence for use with log2timeline.
4.4.1 Running Log2Timeline on a Linux Exhibit
After the image has been mounted correctly and the partition has its own mount point, the time zone of the Linux partition should be verified. To do this, run the command less (directory path to linux) /etc timezone as seen in Figure 13. The less command allows a file to be previewed in the command window. To exit the less windows press q.
Figure 30 – Previewing the Time Zone Set for the Linux Partition
Once the command is run, the timezone stored in the /etc timezone system file of the partition will be displayed and log2timeline can be run. The command to run log2timeline is log2timeline –z [exhibit time zone] –f [selected modules] –o [output format] –v –log [logfile output location] –r –p [Evidence/exhibit mount point location] (Figure 14).
Figure 31 – Running Log2Timeline Manually Against Linux Partition
4.4.2 Running Log2Timeline on a Macintosh Exhibit
With Linux, most system information is stored in plain text, such as the timezone file referenced above. For Macintosh OSX, the timezone, along with other system information, is stored in a .plist (property list) file. Plist files are either XML or binary format, and they act similarly to the registry. The timezone information is saved in binary format on the Macintosh OSX in the GlobalPreference.plist. Plist files aremore difficult for most text editors to interpret, despite the key information being in plain text. To read the information from the plist file, use the command less [path to mount point] Library Preferences .GlobalPreferences.plist (Figure 15).
Figure 32 – Previewing the Time Zone Set for the Macintosh Partition
The text highlighted in Figure 16 suggests the timezone is America/New_York, known as EST5EDT in log2timeline.
Figure 33 – Previewing a Binary Plist File with Time Zone Information
After determining the time zone information from the Macintosh partition, follow the steps outlined for creating a timeline for Linux (Figure 14).
5 Timeline Creation and Analysis with Log2Timeline in Windows 7 & 8
5.1 Log2Timeline with Windows 7
5.1.1 Configuring Log2Timeline with Windows 7
Windows 7 is a popular desktop environment, and most forensic tools are built to run natively on the Windows platform, including Log2Timeline, which is cross platform. To install Log2Timeline on Windows, the ActiveState Perl framework, log2timeline framework, and two additional libraries (Library 1, Library 2) have to be downloaded and unzipped. Once all of these are downloaded and unzipped, and ActiveState Perl is installed, launch the Perl Package Manager (PPM) to download the Perl dependencies (See Figure 1). Each bullet point below is a different dependency that must be installed for Log2Timeline to run properly. Install each package by searching for the package name, right clicking, and selecting “Install.”
• datetime
• win32::api
• date::manip
• xml::libxml
• carp::assert
• digest::crc
• data::hexify
• image::exiftool
• file::mork
• datetime::format::strptime
• parse::win32registry
• html::scrubber
Figure 34 – PPM Package Manager
Copy the entire directory of XML-Entities lib XML folder into the Perl installation/lib/XML directory. After you have copied this, create a folder within the Perl installation lib directory named Mac. Copy the files from the Mac-Properties lib directory into the newly created Mac folder next. Then you can follow the steps outlined in Table 1.
1. Inside the log2timeline directory
a. Delete the file lib/Log2t/input/pcap.pm
b. Copy the content of the lib/Parse/* to c:/perl/lib/Parse/
c. Copy the content of the folder lib/Log2t to c:/perl/lib/Log2t/*
d. Copy lib/Log2Timeline.pm to c:/perl/lib/
e. Copy log2timeline to c:/perl/bin/log2timeline.pl
f. Copy l2t_process to c:/perl/bin/l2t_process.pl
g. Copy timescanner to c:/perl/bin/timescanner.pl
Table 2
After completing the installation, the acquired image must be mounted. To do this, use FTK Imager to open the E01 file (in this example it is FIRE-041913.E01). Right click on the image and select “Image Mounting…” from the context menu.
Then select the “Physical & Logical” mount type and assign a drive letter using the “Block Device/Read Only” mount method (See Figure 2). Clicking mount will now virtually mount each partition of the E01 as a drive, allowing Log2Timeline to parse through the partitions.
Figure 35 – Mounting the Image for Log2Timeline Processing
5.1.2 Running Log2Timeline on Windows 7
When the previous process is completed, the log2timeline process can be run by opening the command prompt in the C: Perl bin directory. Holding shift, then right click and select “open command window here” from the context menu.
At this point, type perl log2timeline –f win7 –z EST5EDT –o csv –log E: path to-log-file.txt –w: E:-path-to-output-file.csv –r –p M:- where drive M: is the target to scan. This will generate the log text file and the output csv file in the directory selected (see Figure 3).
Figure 36 – Command used to create timeline
Figure 37 – Output files and locations
the test image contained 3 partitions, and the run above run was only for the Windows 7 partition. Windows 7 only recognizes the NTFS, exFAT, and FAT file systems. Since FTK virtually mounts as a drive on Windows, Windows does not mount the drives as usable. Windows 7 Is not able to interpret data on EXT or HFS+ file systems, preventing the Macintosh and Linux partitions from being mounted.
5.2 Configuring and Running Log2Timeline with Windows 8
The process for configuration and execution of Log2Timeline on Windows 7 and Windows 8 is identical.
6 Timeline Creation and Analysis with Log2Timeline in TAPEWORM
6.1 Configuring TAPEWORM for Log2Timeline
TAPEWORM is an open sourced workflow automation system bundled inside a Debian based virtual machine and can be downloaded at: http://tapeworm.s3.amazonaws.com/TAPEWORM_1.1.2013_Jan_17.vmware7vm.zip.
Once the zip file for TAPEWORM is downloaded and unzipped, it can be opened in VMWare Workstation 7, 8, 9,;VMWare Fusion; or VMWare Player, 3, 4, or 5. Additionally, it can be converted for use with VirtualBox ( using the latest version of any software is recommended). Once it has been opened in the virtualization product, VMWare (shown in Figure 1) can be configured for the host machine.
Figure 38 – TAPEWORM VM in VMWare Workstation 9.0.2
Opening the “Edit virtual machine settings” window allows the user to change the number of processors, amount of RAM, and shared folders to be configured for use. The recommended specifications are preset into the virtual machine. Figure 2 shows the shared folder configuration.
Figure 39 – Shared Folder Configuration
6.2 Running Log2Timeline in TAPEWORM
Once the virtual machine is running, the desktop will show the main tapeworm window (See Figure 3). From this interface, the automated graphic user interface (GUI) can be used, and the preprocessing and timeline creation for any exhibit can begin. It should be noted that if the main window is minimized, other tools may be accessed either from the terminal or separate GUI applications from the desktop.
Figure 40 – TAPEWORM Interface
As seen in Figure 4, the TAPEWORM interface has case options that need to be filled out in regards to the specific case being processed. After filling out case details, select the evidence type. For creating a timeline, the disk image option is most often used due to the E01, DD, or AFF files used to acquire exhibits. Additionally, Log2Timeline can be run against a folder or logical image (but not a single file) using TAPEWORM’s interface.
Once the evidence type is selected, select your evidence and output location. After choosing the input and output locations and selecting Log2Timeline, hit run. TAPEWORM will automate the process. It allows multiple tools to run in
succession as well, so if the evidence requires other processing, you can select the appropriate tools and options to run alongside the timeline at this point.
Figure 41 – TAPEWORM Case Information
TAPEWORM utilizes a number of the same steps taken when creating a timeline in SIFT 2.14. TAPEWORM begins by mounting the image, determining the partition types, creating necessary mount points, and doing the math for offsets,
as well as starting and ending sectors.
Figure 42 – TAPEWORM Mount Log
For the test image used in this tutorial (FIRE 04192013.E01), TAPEWORM was able to create a timeline in 25 hours and 17 minutes. It is important to note that this exhibit had 3 operating systems installed: Windows 7, Mac OSX, and BackTrack Linux. Each of these Operating Systems runs on a separate time zone, each with unique user data. If the 25 hour and 17 minute run may seem extremely long, note that TAPEWORM ran Log2Timeline against every partition in the correct time zone, as well as in every format type in one instance without the use of a single command.
Once the timeline is completed, a new folder can be found in the output directory containing an organized (by tool) output. Inside the log2timeline directory are the file types and logs for running log2timeline, with the partition offset in the file names. TAPEWORM exports the timelines in CSV, bodyfile, mactime, or TLN formats. The CSV format is fairly common and can be opened with Microsoft Excel or any other spreadsheet program. The bodyfile and mactime format can be used with the Sleuth Kit and other open source forensic tools for timeline analysis. The TLN format is a custom format that can function with Harlan Carvey’s tools.
6.3 Reading the output from TAPEWORM
For this guide, the CSV files will be used to look at the output. In TAPEWORM, the CSV documents are split when they are too large for excel to open, preventing any error for maximum file size. Also in the output folder are two different CSV files, one with modules and one without. TAPEWORM adds an additional column to the Log2timeline CSV output, to include the module used to process the particular artifact. For example, if the artifact listed in the CSV file originated from an index.dat file, the index.dat will be listed in the module column. This seems to be a lot of extra information, but when performing an investigation and attempting to look into specific information such as a timeline of Firefox history, sorting by module becomes extremely helpful. The CSV files will also contain the data within any specified date range, while the other file types do not allow for that sort of filtering. The CSV will be the most accurate source of information.
Opening the CSV files in Microsoft Excel shows the data neatly organized by column: sorted by date and time from oldest to newest (See Figure 6). Using Excel’s data sort feature, the first row can be used to sort and filter content throughout the document.
Figure 43 – CSV Timeline Output
To enable the sorting feature, select the “data” tab in excel (See Figure 7).
Figure 44 – Data Filtering with Excel
Then select filter (See Figure 8).
Figure 45 – Applying a Data Filter in Excel