E-Discovery, File Systems

Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images

When the authors first published this paper, their intentions were to develop a comprehensive guide to digital forensic timelines in order to consolidate the many fragmented sources of information concerning this topic.  What they discovered, however, was that quality references were often challenging to find among various books, papers, periodicals, filesystem specifications and source code.

While conducting their research, they found that practical tool-based solutions existed for generating digital forensic timelines, though they each had specific limitations.  Thus, efforts were undertaken by the authors to provide an alternative timeline generation framework.  Although some in the community had already proposed the use and generation of supertimelines, all too often important data sources were being left out.  In order to rectify this, it became necessary to couple additional tools in order to provide maximum evidentiary extraction.

Even though the leading date/time extraction software, The Sleuth Kit (TSK) and Log2timeline (and timescanner) are excellent tools in their own right, they require each other in order to create supertimelines.  Whereas Log2timeline’s timescanner provides automated disk image processing capabilities, it nonetheless has certain difficulties handling specific supported file formats.  As such, the authors’ proposed framework combines the best features of TSK, Log2timeline (while avoiding timescanner), additional date/time extraction software and shell scripting to deliver an improved supertimeline generation framework.  The proposed framework is largely automated once the correct parameters have been provided to the script.  Though it does not support all the same datasets as Log2timeline, this prototype can be readily augmented to provide the same dataset functionality as Log2timeline.  The proposed prototype, although specifically written for handling Windows-based disk images, could be readily modified to support various other filesystem formats.

The forensic investigator, equipped with the various in-depth sources of information provided by the authors’ paper, coupled with the prototype supertimeline generation script, should provide sufficient timeline generation capability for most Windows-based disk investigations.
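As an added illustration of the merge step the abstract describes (example code written here, not the authors' timeline.sh or any tool from the paper): a small Bash script that folds several TSK-format bodyfiles into one chronologically sorted supertimeline, with the rendering timezone passed in as an argument rather than fixed in the script. The bodyfile layout and the GNU `date` call are assumptions about the reader's Linux environment; the sample rows are constructed, not real evidence.

```shell
#!/usr/bin/env bash
# Added example, not the authors' timeline.sh: merge several TSK-format
# bodyfiles (md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime)
# into one sorted supertimeline, rendering each epoch in a timezone the
# caller passes in rather than a hardcoded one. Needs GNU date (Linux).
set -eu

# Expand bodyfile lines on stdin into rows "epoch|MACB|source|name".
# $1 is a source tag (e.g. fls, evtlog); zero timestamps are skipped.
expand_bodyfile() {
  awk -F'|' -v src="$1" '
    BEGIN { flag[1] = ".a.."; flag[2] = "m..."; flag[3] = "..c."; flag[4] = "...b" }
    NF >= 11 {
      for (i = 1; i <= 4; i++) {      # fields 8..11 = atime mtime ctime crtime
        ts = $(7 + i)
        if (ts > 0) printf "%s|%s|%s|%s\n", ts, flag[i], src, $2
      }
    }'
}

# Sort rows on stdin by epoch and print the time in timezone $1.
render_timeline() {
  local tz="$1" epoch rest
  sort -t'|' -k1,1n | while IFS='|' read -r epoch rest; do
    printf '%s|%s\n' "$(TZ="$tz" date -d "@$epoch" '+%Y-%m-%d %H:%M:%S %Z')" "$rest"
  done
}

# build_supertimeline TZ bodyfile... : each file's basename becomes its source tag.
build_supertimeline() {
  local tz="$1" f; shift
  for f in "$@"; do
    expand_bodyfile "$(basename "$f" .body)" < "$f"
  done | render_timeline "$tz"
}

# Constructed sample input (not real evidence): one NTFS entry as fls -m
# emits it, and one event-log record already converted to bodyfile form.
SAMPLE_DIR="$(mktemp -d)"
printf '%s\n' '0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1345000000|1345003600|1345003600|1344996400' \
  > "$SAMPLE_DIR/fls.body"
printf '%s\n' '0|[EVTLOG] Security event 4624 (logon)|0|0|0|0|0|0|1345001800|0|0' \
  > "$SAMPLE_DIR/evtlog.body"

# Timezone comes from the command line, defaulting to UTC.
build_supertimeline "${1:-UTC}" "$SAMPLE_DIR"/*.body
```

Running it with `EST5EDT` instead of `UTC` shifts the same creation event back across midnight, which is exactly why the timezone should be an explicit parameter in a timeline that mixes sources.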

Click here for the report: Generating computer forensic supertimelines under Linux – A comprehensive guide for Windows-based disk images.pdf

All Shell (Bash) and C source code is pursuant to the following Disclaimer and Licensing Agreement.  Use of this prototype code assumes that the user/reader agrees to the conditions set forth and is bound by them.  If the user/reader does not agree, do not use the code.

Click here for the Bash script timeline.sh.

Click here for C code file_name_type_line_parser.c.

Click here for C code find_signature_evtlog.c.

Click here for C code unixtime_to_systime.c.

Discussion

6 thoughts on “Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images”

  1. Hi, very good paper.
    I could not find where to download the bash and C sources published in the pdf.
    Document line numbers and formatting make it a pain to edit the pasted text.
    Piero

    Posted by Piero | August 23, 2012, 6:15 pm
  2. Hi Piero,

    Glad you like the paper. I will upload the C code and Bash script shortly. Come back in a while.

    Forensicsrichard.

    Posted by forensicsrichard | August 24, 2012, 12:38 am
  3. Hi very good article and tool, but…I saw that you hardcoded this “-z EST5EDT” into bash script…why did not you parameterize it?
    Not all the people live in Eastern Coast of USA :-D
    Thank you

    Posted by NanniB | August 25, 2012, 5:44 am
    • Hi Nannib,

      Glad you liked the article and I hope the script works out for you.

      I left the timezone hardcoded as EST5EDT since I needed it as my default timezone for some investigative work I had to do. I figured others could always make additional changes to the script. But I admit that by the time I got the whole thing written, working, tested, peer-reviewed … I really didn’t want to make any more changes to it (I got a bit lazy).

      Cheers.

      Posted by forensicsrichard | August 27, 2012, 11:54 pm

Trackbacks/Pingbacks

  1. Pingback: Digital Forensics, Inc. Generating computer forensic supertimelines under Linux: A comprehensive guide for Windows-based disk images | Digital Forensics, Inc. - August 25, 2012

  2. Pingback: [Aug 2012] Newsletter | FORENSIC INSIGHT - September 4, 2012
