The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Timeline Creation and Analysis Guides

Written by
Chapin Bryce
Researched by
Chapin Bryce

175 Lakeside Ave, Room 300A

Phone: 802/865-5744
Fax: 802/865-6446
http://www.lcdi.champlin.edu

Timeline Creation and Analysis Guides 6/17/2013 Page 1 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Disclaimer:
This document contains information based on research that has been gathered by employee(s) of The
Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is
submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and
reliability of the data contained in this report. However, LCDI nor any of our employees make no
representation, warranty or guarantee in connection with this report and hereby expressly disclaims any
liability or responsibility for loss or damage resulting from use of this data. Information in this report can
be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI
logo and any references from this report must be properly annotated.
Contents
1 Introduction .......................................................................................................................................... 4
1.1 How to use this guide.................................................................................................................... 4
1.2 Overview of EnCase ...................................................................................................................... 4
1.3 Overview of Forensic Tool Kit ....................................................................................................... 4
1.4 Overview of Log2Timeline ............................................................................................................ 4
1.4.1 Log2Timeline Modules .......................................................................................................... 4
1.4.2 Log2Timeline Time zones ...................................................................................................... 5
1.4.3 Log2Timeline Output ............................................................................................................ 5
1.5 Other Log2Timeline Options ......................................................................................................... 6
1.6 Log2Timeline in SIFT ..................................................................................................................... 7
1.6.1 Preparing Sources for Log2Timeline in SIFT .......................................................................... 7
2 Timeline Creation and Analysis with EnCase 6.19 and 7.04 ................................................................. 8
2.1 Timeline Analysis with EnCase 6.19 .............................................................................................. 8
2.2 Timeline Analysis with EnCase 7.04 ............................................................................................ 11
2.3 Timeline Analysis with Geoff Black’s Timeline EnScript.............................................................. 12
3 Timeline Creation and Analysis with Forensic Tool Kit 4 .................................................................... 15
3.1 Timeline Analysis with Forensic Tool Kit 4 .................................................................................. 15
4 Timeline Creation and Analysis with Log2Timeline in SIFT 2.14 ......................................................... 22
4.1 Configuring SIFT for Log2Timeline .............................................................................................. 22
4.2 Preparing Exhibits for Log2Timeline in SIFT ................................................................................ 24
4.3 Running Log2Timeline-SIFT ......................................................................................................... 27
4.4 Running Log2Timeline for Linux and Macintosh Partitions ........................................................ 28
4.4.1 Running Log2Timeline on a Linux Exhibit ........................................................................... 28
4.4.2 Running Log2Timeline on a Macintosh Exhibit ................................................................... 28

Timeline Creation and Analysis Guides 6/17/2013 Page 2 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

5 Timeline Creation and Analysis with Log2Timeline in Windows 7 & 8 .............................................. 30

5.1 Log2Timeline with Windows 7 .................................................................................................... 30
5.1.1 Configuring Log2Timeline with Windows 7 ........................................................................ 30
5.1.2 Running Log2Timeline on Windows 7................................................................................... 2
5.2 Configuring and Running Log2Timeline with Windows 8 ............................................................. 2
6 Timeline Creation and Analysis with Log2Timeline in TAPEWORM ..................................................... 3
6.1 Configuring TAPEWORM for Log2Timeline ................................................................................... 3
6.2 Running Log2Timeline in TAPEWORM .......................................................................................... 4
6.3 Reading the output from TAPEWORM ......................................................................................... 6

Timeline Creation and Analysis Guides 6/17/2013 Page 3 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

1 Introduction

1.1 How to use this guide

This document has 5 guides that provide information about timeline creation and analysis for several
different tools and platforms. Navigate to the desired guide via the table of contents. Since the tools
each have a different set of strengths, sections 1.2 through 1.6 evaluate the different options and use
cases for timeline generation. For most situations involving heavy use of timeline analysis, Log2Timeline
is going to be the best fit for the situation, since the tools was designed for the specific task of timeline
generation.

1.2 Overview of EnCase

EnCase is a popular industry tool that is used for a lot of investigations. Timeline creation with EnCase is
useful if your case is already loaded into and processed by the tool. Especially when timelines are lightly
used within the case, the EnCase timeline feature is the best option.

1.3 Overview of Forensic Tool Kit

AccessData’s Forensic Tool Kit (FTK) provides another industry method for case analysis. Though FTK
does not has a timeline view, like EnCase, it can be more difficult to seamlessly integrate the timeline
data from FTK. Once again, FTK is best suited for use when timeline analysis is not the main focus, but a
secondary component in the investigation since it requires additional processing.

1.4 Overview of Log2Timeline

Log2Timeline is an open source command line tool created by Kristenn Gudjonsson.
Log2Timeline has become known for its ability to efficiently and accurately provide timeline
information for mounted logical devices, while operating at the partition level. Log2Timeline is
written in Perl, and it works by reading through a filesystem and outputting the metadata in a
report format (.csv by default). The outputted report provides the date, time, date/time type,
module used, and file location of the data on the partition. Log2Timeline is capable of scanning
through folders and directories individually or an entire mounted partition at once. Please note
that since these partitions must be mounted (as read-only for data integrity purposes), the host
machine determines which file systems Log2Timeline is capable of parsing through.
1.4.1 Log2Timeline Modules
Log2Timeline is a framework that comes with a series of modules for examiners to use to
extract specific information from a device. This includes clusters of modules for Linux,
Macintosh, Windows 7, Windows XP, and Windows Server. In addition the module clusters,
Log2Timeline also includes task specific modules, such as web history, and options for running
the tool against images without registry information. For a complete list of modules, see Figure
1. These modules can be run individually, or if a cluster is selected, it will run the modules
within the cluster. The modules ability of Log2Timeline makes it flexible for case work and
allows the user to select the scope that Log2Timeline runs.

Timeline Creation and Analysis Guides 6/17/2013 Page 4 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

1.4.2 Log2Timeline Time zones

In addition to the range of available modules that Log2Timeline can run, it supports 555
different time zone options covering a large number of cities as well as every continental time
zone. Log2Timeline has an extensive list of redundant time zones to ensure that daylight
savings time is included/excluded based on the region also. For a complete list of time zones,
run log2timeline –z list in the command prompt.
1.4.3 Log2Timeline Output
Log2Timeline supports multiple output formats for the data retrieved and parsed from the
target source. The default output is CSV (Comma Separated Values), which can be opened in
Microsoft Excel or any other worksheet application. CSV is a universal format and is simple for
many applications to interpret and display. In addition to the default CSV format is the Mactime
format. The Mactime format is closely focused on UNIX file systems, so it would not provide
some information for Windows file systems (such as inode information) because the two file
systems use different organizational structures. This format is used by Sleuth Kit (TSK), which
outputs Date, Time, Size of file, Record Type, UNIX Permissions, User ID, Group ID, inode (for
UNIX systems), and filename 1. Mactime is stored as a bodyfile format and is encoded in plain
text.

Another unique file output type is the TLN format. This output is a tab delimited format, though
it is also used by Harlan Carvey’s tools. The TLN is in the ASCII format and can be opened with
most worksheet applications such as Microsoft Excel; it can be converted to CSV format as well.

Another common file output type is SQLite, which will place the information in a database to
allow querying for timeline information versus reading an entire file. The SQLite format can be
useful as the output files may become extremely large, preventing them from being opened by
common applications such as Microsoft Excel or Notepad ++ (we have encountered output files
as large as 2 GB). These are only a few of the supported file formats; the rest can be found at:
http://log2timeline.net/#output.

1
Information from sluethkit.org regarding sample output of the mactime format.
http://wiki.sleuthkit.org/index.php?title=Mactime_output

Timeline Creation and Analysis Guides 6/17/2013 Page 5 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 1

1.4.4 Other Log2Timeline Options

Log2Timeline allows the standard output (STDOUT), the information displayed in the
command/terminal window, to be saved as a text file for later review. The –log
file/path/to/log.txt option allows you to export essential information regarding errors
encountered, the run modules, start and end time, timezone selected, and output module
selected to a log file. This information is worth saving, making the -log option a necessity in
running the command. Another useful option is the –r option, which tells Log2Timeline to run
recursively across the source directory. This is useful when running across an entire partition or
all of the subfolders within the source directory. When the recursive option is selected, the
preprocessing option, -p, should be run to allow Log2Timeline to parse information from the
source for use with some of the modules.

With the versatility to run across multiple platforms and the options to generate timelines for
sources with a variety of time zones and operating systems, the Log2Timeline framework is the
cornerstone of forensic timeline creation. What makes this framework so incredibly popular

Timeline Creation and Analysis Guides 6/17/2013 Page 6 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

and widely known is its integration with different forensic platforms such as SIFT and
TAPEWORM.

1.5 Log2Timeline in SIFT

SIFT is a preconfigured virtual machine appliance developed, managed, and released by SANS
Forensics. SANS Investigative Forensic Toolkit (SIFT) is a suite of preinstalled open source
forensic tools, allowing investigators to download a prebuilt virtual machine (VM) they can run
and use for analysis of a case. SIFT prevents investigators from facing tedious installation and
configuration of open source tools. This VM includes the Log2Timeline framework as well as a
custom version of Log2Timeline that can be run from the terminal within SIFT to further
simplify the timeline creation process.
1.5.1 Preparing Sources for Log2Timeline in SIFT
Forensic acquisitions use a variety of file types and extensions. The DD, also known as RAW, format
saves a bit for bit copy of the drive as a file. This format does not support compression or encryption.
This format can also be interpreted by the Linux mount command, used in SIFT, to mount acquired
exhibits as virtual read-only partitions.

Since DD images do not support compression or encryption, the E01 format is commonly used to
provide both compression and encryption

Timeline Creation and Analysis Guides 6/17/2013 Page 7 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

2 Timeline Creation and Analysis with EnCase 6.19 and 7.04

2.1 Timeline Analysis with EnCase 6.19

EnCase offers a built-in timeline feature capable of beginning a timeline analysis from the case file
already loaded into the software. This easy-to-use timeline feature can either be used as a method to
initially focus on a known date and time or to narrow results using a date and time window.

To begin timeline analysis with EnCase 6.19, a case must be created or opened and evidence must be
added to it (see Figure 1).

Figure 2 – Creating a Case in EnCase 6.19

Once evidence is added into EnCase, and the software is done parsing the MFT (Master File Table) and
other pre-processing requirements, the timeline feature can be used. By green plating an evidence file
(whether it is an entire case, partition, folder, or uncompressed compound file), all of the entries within
the evidence file will be displayed. Then, after selecting the “Timeline” view from the right pane, the
program will display a graphical representation of the drive in relation to the calendar displayed (See
Figure 2).

Timeline Creation and Analysis Guides 6/17/2013 Page 8 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 3 – Timeline Year View in Encase 6.19

To change the focus, a user can zoom in on the data in a specific range by double clicking on a cell. The
right click menu can be used to zoom in and out as well. The focus ranges from a year view (Figure 2) to
a minute view (Figure 3), and the focus can also be modified using the options menu and adjusting the
resolution (See Figure 4).

Timeline Creation and Analysis Guides 6/17/2013 Page 9 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 4 – Timeline Minute View in EnCase 6.19

Figure 5 – Adjusting the Timeline Resolution in Encase 6.19

EnCase 6.19 does not have a native timeline exporting tool comparable to Log2Timeline. EnCase is
intended for case analysis while Log2Timeline is designed as a preprocessing platform. EnCase excels at
case analysis, however, and has the ability to mount files in the case so that each one is revealed. This
allows each file to be individually identified and processed, a feature missing from Log2Timeline.

Timeline Creation and Analysis Guides 6/17/2013 Page 10 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

2.2 Timeline Analysis with EnCase 7.04

EnCase 7.04 is a newer version of Guidance Software’s forensic tool suite with an added graphic
interface upgrade, along with a number of other usability modifications. The Timeline feature was
improved through the major version update, and this new version offers more usability than EnCase
6.19.

As with EnCase 6.19, a case needs to be created and evidence must be added before the timeline
feature can be utilized. Once the evidence is added, it is good practice to run the file mounter option in
the case processor, to ensure that all files within compound files are expanded and accurately
represented by the EnCase timeline.

Similar to EnCase 6.19, a green plated evidence file can be viewed by the timeline tab within the
evidence pane. Within the Timeline tab, there are buttons to increase/decrease the timeline resolution,
making it more convenient to use the timeline feature within EnCase.

Figure 6 – Updated Resolution Buttons

Similarly to EnCase 6.19, EnCase 7.04 does not offer a timeline exporting tool similar to Log2Timeline,
though EnCase 7.04 is meant for case analysis not preprocessing as Log2Timeline is. However, it should
be noted that Encase 6.19 and 7.04 both support EnScripts, which can use the EnCase platform to create
an exported timeline similar to Log2Timeline.

Timeline Creation and Analysis Guides 6/17/2013 Page 11 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

2.3 Timeline Analysis with Geoff Black’s Timeline EnScript

EnCase 6.19 and 7.04 both contain timeline functionality, although it is only available for use within the
program and without an easy timeline exporting tool, such as with Log2Timeline. The EnScripting
feature of EnCase allows for EnScripts to be written for creating additional functionality. Geoff Black
created a Timeline EnScript that uses the evidence loaded into an opened case, using EnCase as the
source for creating timelines. His script may be downloaded at: GeoffBlack’s Timeline EnScript. This file
must be unzipped and placed within the EnCase installation directory in the EnScript folder.

To create a timeline using this EnScript, the target evidence must be loaded into a case in EnCase (see
Figure 1). Once loaded in, it is best practice to always run the file mounter EnScript, to ensure all of the
compound files can be accurately represented. For the EnScript, use the blue checking to select which
files should be included in the exported timeline. Once the files are selected, open the Timeline Report
EnScript within the EnScript pane of EnCase, and the option window will appear (see Figure 6). In this
window, a series of options can be selected for creating a timeline (see Figure 6).

Figure 7 – EnCase Timeline Report EnScript

Timeline Creation and Analysis Guides 6/17/2013 Page 12 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 8 – Run Notes from EnScript

The script ran quickly and took roughly nine seconds to process the entire partition [See Figure 7]. While
faster than Log2Timeline, the time to create the case and set it up should be accounted for as well. This
timeline created by EnScript will contain more data than its log2timeline counterpart, as it has expanded
compound files, but it also creates additional entries due to its structure. The exported TSV document of
the timeline is shown in Figure 8, and the HTML output is show in Figure 9.

Figure 9 – CSV EnScript Output

Timeline Creation and Analysis Guides 6/17/2013 Page 13 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 10 – HTML EnScript Output

The HTML outputs are split into multiple files and are sorted by Firefox (FF) and Internet Explorer (IE) file
types. Each file is split when it is around 11 MB in size. It appears that the TSV file does not split,
although it was only tested at 15MB.

Timeline Creation and Analysis Guides 6/17/2013 Page 14 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

3 Timeline Creation and Analysis with Forensic Tool Kit 4

3.1 Timeline Analysis with Forensic Tool Kit 4

AccessData’s Forensic Tool Kit (FTK) is a case analysis tool. To use FTK for timeline analysis, the
preprocessing options (displayed when adding evidence to the case) must be used. Unlike EnCase, FTK
does not have a built-in feature to display timeline information. To create a timeline report for viewing,
a case must first be created [See Figure 1].

Figure 11

Once the new case is opened, evidence must be added to the case [See Figure 2]. FTK is built to handle
multiple partitions and file system types, including HFS+, EXT4, NTFS, and FAT partitions, all found in the
FIRE image used for this guide.

Timeline Creation and Analysis Guides 6/17/2013 Page 15 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 12

Once evidence is added to the case, selecting the refinement options allows the desired processing
options to run. To create a timeline in FTK, remember to select the HTML and/or CSV file listing options
from the evidence processing window [See Figure 3]. These options tell FTK to create a list of files in
HTML/CSV format, including the path, file name, MAC timestamps, and MD5, among others. This is the
only feature allowing for timeline analysis of the drive, so be extra diligent in selecting them while
processing the case.

Timeline Creation and Analysis Guides 6/17/2013 Page 16 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 13

Timeline Creation and Analysis Guides 6/17/2013 Page 17 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Figure 14

Running the preprocessing with this many options selected can be time consuming and can also cause
FTK to consume a large number of computer resources while it runs. Once the task is complete, navigate
to the job folder or select the job folder button on the data processing window [See Figure 4]. Within
the case directory are the HTML/CSV file listings generated by FTK [See Figure 5].

Figure 15

Timeline Creation and Analysis Guides 6/17/2013 Page 18 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

The CSV report can be opened with Microsoft Excel and formatted as desired [See Figure 6].

Figure 16

The HTML document can be opened with any web browser [See Figure 7].

Figure 17

It is important to note that both report types contain file names & attributes, such as MD5 and logical
sizes, along with created/modified/accessed dates for each entry found within the FTK 4.1 case for the
evidence.

Timeline Creation and Analysis Guides 6/17/2013 Page 19 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Log2Timeline Guide for TAPEWORM

Written by: Chapin Bryce

Updated: July, 2013

The Senator Patrick Leahy Center for Digital Investigation

Champlain College

Timeline Creation and Analysis Guides 6/17/2013 Page 20 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Table of Contents
Configuring TAPEWORM for Log2Timeline ................................................................................................. 22
Running Log2Timeline in TAPEWORM .......................................................................................................... 4
Reading the output from TAPEWORM ......................................................................................................... 6

Timeline Creation and Analysis Guides 6/17/2013 Page 21 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

4 Timeline Creation and Analysis with Log2Timeline in SIFT 2.14

4.1 Configuring SIFT for Log2Timeline

SIFT 2.14 can be downloaded after registering for an account. A custom download link will be made
available, and the .zip file containing the preconfigured virtual appliance can be downloaded at that
point. Once the download is completed and the files are extracted from the archive, the virtual machine
(VM) can be opened in VMWare, or another virtualization product. See Figure 1 for an example of SIFT
opened in VMWare Workstation 9.

Figure 18 – SIFT VM unzipped and ready for use

The minimum specifications are preconfigured into this VM( Figure 1), but can be altered if more
memory or processing is available. Figure 2 shows increased allocations for the SIFT VM.

Figure 19 – Configuring the Virtual Machine

Timeline Creation and Analysis Guides 6/17/2013 Page 22 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Additionally, you can adjust the virtual machine settings to enable shared folders between the host and
guest machines. This allows for the virtual machine to read exhibits from the host machine and to export
the output to the host computer. How to enable this feature is shown in Figure 3.

Figure 20 – Enable Shared Folders

With shared folders enabled, the virtual machine can be powered on, and SIFT is ready for use on the
workstation. The login screen will appear, prompting for the password (forensics) before granting access
(see Figure 4).

Figure 21 – SIFT 2.14 login window

Timeline Creation and Analysis Guides 6/17/2013 Page 23 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

4.2 Preparing Exhibits for Log2Timeline in SIFT

Once a user is logged in, SIFT’s desktop appears and presents a terminal window. Since the shared
folders have been enabled before startup, the exhibits saved on the local machine are accessible via the
virtual machine, with the opposite being true as well. Exhibits can be acquired in a few different
formats, including E01 and DD (Raw). There are a number of different methods for readying these
acquisitions for use. Since the acquisition is a block file, it has to be mounted so the data inside of it can
be read as a block device 2. The E01 (EnCase evidence file) format is extremely popular, as it allows for
compression, encryption, and is compatible with most forensic tools. To convert the E01 for use in SIFT
the ewfmount command must be run. This command will convert the source E01 file (VMware-Shared-
Drive/Host-Drive/FIRE04192013/FIRE-041913.E01) to a mount point where it can be interpreted as an
uncompressed block file (mount_points/ewf) (Figure 5).

Figure 22 – Using ewfmount to prepare the E01 file for use with Log2Timeline

If the exhibit is Microsoft Windows only, skip to the next section to the section about log2timline-sift
which is Windows only. Drives with partitions other than NTFS (Microsoft Windows) need further
processing before use with Log2Timeline. To ensure that Macintosh or Linux partitions are completely
processed, they must be fully mounted. Once the ewfmount command is run, the individual partitions
must be mounted from the newly converted block file. SIFT also has the mmls utility bundle, allowing for
partition structures to be viewed.

Figure 23 – MMLS partition table listing

2
For more information and references on block files and loop devices: http://wiki.osdev.org/Loopback_Device

Timeline Creation and Analysis Guides 6/17/2013 Page 24 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

Another command that provides essential information when preparing the block file to be mounted is
the parted framework. This framework allows the partition information to be read from a block file.
Parted shows information regarding the specific file systems in place on the block file as well as byte
information, as opposed to sector information provided my mmls (Figure 7).

Figure 24 – Linux Parted command providing more partition information

To convert the sector offsets listed by mmls to the byte offset needed for the mount command, the
starting sector should be multiplied by the Bytes per sector (See Table 1 for an example conversion).

Starting Sector x Bytes/Sector = Offset in Bytes

Total Sectors x Bytes/Sector = Bytes per Slot
Bytes/sector = 512
‘Slot 01’ is HFS+ (Macintosh)
Start: 0000409640 End:003776503 Total Sectors:0037355864
0000409640 x 512 = 209735680 bytes 0037355864 x 512 = 19126202368
from beginning of physical drive bytes or ~17.812 GB
‘Slot 03’ is NTFS (Windows)
Start: 0065443840 End: 014270207 Total Sectors: 0048826368

Timeline Creation and Analysis Guides 6/17/2013 Page 25 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

0065443840 x 512 = 33507246080 bytes 0048826368 x 512 = 24999100416 or

from beginning of physical drive ~23.28 GB
‘Slot 05’ is EXT4 (Linux)
Start: 0038098944 End: 0064198655 Total Sectors: 0026099712
0038098944 x 512 = 19506659328 bytes 0026099712 x 512 = 13363052544 or
from beginning of physical drive ~12.45GB
Table 1 – Converting mmls sector offset to byte offset.

Now that the partitions within the block file have been identified, they can be individually mounted.
Using the Linux mount command, the Windows partition is mounted to a pre-made directory illustrated
in Figure 8.

Figure 25 – Mounting the Windows partition with the Linux mount command

This same mount process can be repeated for the offsets provided by the mmls conversions (Figure 9
shows Linux mounting only).

Figure 26 – Mounting Linux partition with the Linux Mount Command.

Once the partitions are mounted, SIFT is able to run Log2Timeline against the exhibit. Skip to the section
Running Log2Timeline to create a timeline from the new mount point.

Timeline Creation and Analysis Guides 6/17/2013 Page 26 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

4.3 Running Log2Timeline-SIFT

SIFT has created a custom version of Log2Timeline with the command log2timeline-sift, easing the
process of mounting the exhibit and running the command against a Windows only partition. This
automation selects the default options for log2timeline and begins processing. Figure 10 is a capture of
the command used to run log2timeline-sift against the exhibit. Note the command needs the timezone
(-z) and image mount point (-i) from the ewfmount step (if the image was in a DD/raw format, select
that file for use with log2timeline-sift).

Figure 27 – Using log2timeline-sift to create a timeline for the Windows partition.

When the command is complete, the output is placed in the “cases” directory on the SIFT desktop. From
here, the CSV file can be copied onto the host machine and opened with Microsoft Excel. Once the file is
opened in Excel, the columns must be delimited, as Excel does not automatically parse the information
into columns (See Figure 11). If it parses correctly, it will look similar to the worksheet shown in Figure
12.

Figure 28 – Delimiting CSV document in Excel

Figure 29 – Log2Timeline-SIFT output in Excel

Timeline Creation and Analysis Guides 6/17/2013 Page 27 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

4.4 Running Log2Timeline for Linux and Macintosh Partitions

The log2timeline-sift command automates actions for timeline creation with Windows partitions in SIFT.
To create a timeline with log2timeline against other partition types, such as Linux and Macintosh,
log2timeline has to be run manually. Please refer to the section on mounting for information on how to
mount and prepare evidence for use with log2timeline.

4.4.1 Running Log2Timeline on a Linux Exhibit

After the image has been mounted correctly and the partition has its own mount point, the time zone of
the Linux partition should be verified. To do this, run the command less (directory path to Linux mount
point)/etc/timezone as seen in Figure 13. The less command allows a file to be previewed in the
command window. To exit the less windows press q.

Figure 30 – Previewing the Time Zone Set for the Linux Partition

Once the command is run, the timezone stored in the /etc/timezone system file of the partition will be
displayed and log2timeline can be run. The command to run log2timeline is log2timeline –z [exhibit
time zone] –f [selected modules] –o [output format] –v –log [logfile output location] –r –p
[Evidence/exhibit mount point location] (Figure 14).

Figure 31 – Running Log2Timeline Manually Against Linux Partition

4.4.2 Running Log2Timeline on a Macintosh Exhibit

With Linux, most system information is stored in plain text, such as the timezone file referenced above.
For Macintosh OSX, the timezone, along with other system information, is stored in a .plist (property
list) file. Plist files are either XML or binary format, and they act similarly to the registry. The timezone
information is saved in binary format on the Macintosh OSX in the GlobalPreference.plist. Plist files
aremore difficult for most text editors to interpret, despite the key information being in plain text. To
read the information from the plist file, use the command less [path to mount
point]/Library/Preferences/.GlobalPreferences.plist (Figure 15).

Figure 32 – Previewing the Time Zone Set for the Macintosh Partition

Timeline Creation and Analysis Guides 6/17/2013 Page 28 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

The text highlighted in Figure 16 suggests the timezone is America/New_York, known as EST5EDT in
log2timeline.

Figure 33 – Previewing a Binary Plist File with Time Zone Information

After determining the time zone information from the Macintosh partition, follow the steps outlined for
creating a timeline for Linux (Figure 14).

Timeline Creation and Analysis Guides 6/17/2013 Page 29 of 40

 The Senator Patrick Leahy Center for Digital Investigation (LCDI)

5 Timeline Creation and Analysis with Log2Timeline in Windows 7 & 8

5.1 Log2Timeline with Windows 7

5.1.1 Configuring Log2Timeline with Windows 7
Windows 7 is a popular desktop environment, and most forensic tools are built to run natively on the
Windows platform, including Log2Timeline, which is cross platform. To install Log2Timeline on
Windows, the ActiveState Perl framework, Log2timeline framework, and two additional libraries (Library
1, Library 2) have to be downloaded and unzipped. Once all of these are downloaded and unzipped, and
ActiveState Perl is installed, launch the Perl Package Manager (PPM) to download the Perl dependencies
(See Figure 1). Each bullet point below is a different dependency that must be installed for Log2Timeline
to run properly. Install each package by searching for the package name, right clicking, and selecting
“Install.”

• datetime
• win32::api
• date::manip
• xml::libxml
• carp::assert
• digest::crc
• data::hexify
• image::exiftool
• file::mork
• datetime::format::strptime
• parse::win32registry
• html::scrubber

Timeline Creation and Analysis Guides 6/17/2013 Page 30 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Figure 34 – PPM Package Manager

Copy the entire directory of XML-Entities/lib/XML folder into the Perl installation/lib/XML directory. After you have copied this,
create a folder within the Perl installation lib/ directory named Mac. Copy the files from the Mac-Properties lib directory into the
newly created Mac folder next. Then you can follow the steps outlined in Table 1.

1. Inside the log2timeline directory

a. Delete the file lib/Log2t/input/pcap.pm
b. Copy the content of the lib/Parse/* to c:/perl/lib/Parse/
c. Copy the content of the folder lib/Log2t to c:/perl/lib/Log2t/*
d. Copy lib/Log2Timeline.pm to c:/perl/lib/
e. Copy log2timeline to c:/perl/bin/log2timeline.pl
f. Copy l2t_process to c:/perl/bin/l2t_process.pl
g. Copy timescanner to c:/perl/bin/timescanner.pl
Table 2

After completing the installation, the acquired image must be mounted. To do this, use FTK Imager to open the E01 file
(in this example it is FIRE-041913.E01). Right click on the image and select “Image Mounting…” from the context menu.
Then select the “Physical & Logical” mount type and assign a drive letter using the “Block Device/Read Only” mount
method (See Figure 2). Clicking mount will now virtually mount each partition of the E01 as a drive, allowing
Log2Timeline to parse through the partitions.

Timeline Creation and Analysis Guides 6/17/2013 Page 1 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Figure 35 – Mounting the Image for Log2Timeline Processing

5.1.2 Running Log2Timeline on Windows 7

When the previous process is completed, the log2timeline process can be run by opening the command prompt in the
C:\Perl\bin\ directory. Holding shift, then right click and select “open command window here” from the context menu.
At this point, type perl log2timeline –f win7 –z EST5EDT –o csv –log E:\path\to\log\file.txt –w:
E:\path\to\output\file.csv –r –p M:\ where drive M: is the target to scan. This will generate the log text file and the
output csv file in the directory selected (see Figure 3).

Figure 36 – Command used to create timeline

Figure 37 – Output files and locations

the test image contained 3 partitions, and the run above run was only for the Windows 7 partition. Windows 7 only
recognizes the NTFS, exFAT, and FAT file systems. Since FTK virtually mounts as a drive on Windows, Windows does not
mount the drives as usable. Windows 7 Is not able to interpret data on EXT or HFS+ file systems, preventing the
Macintosh and Linux partitions from being mounted.

5.2 Configuring and Running Log2Timeline with Windows 8

The process for configuration and execution of Log2Timeline on Windows 7 and Windows 8 is identical.

Timeline Creation and Analysis Guides 6/17/2013 Page 2 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

6 Timeline Creation and Analysis with Log2Timeline in TAPEWORM

6.1 Configuring TAPEWORM for Log2Timeline

TAPEWORM is an open sourced workflow automation system bundled inside a Debian based virtual machine and can be
downloaded at: http://tapeworm.s3.amazonaws.com/TAPEWORM_1.1.2013_Jan_17.vmware7vm.zip.

Once the zip file for TAPEWORM is downloaded and unzipped, it can be opened in VMWare Workstation 7, 8,
9,;VMWare Fusion; or VMWare Player, 3, 4, or 5. Additionally, it can be converted for use with VirtualBox ( using the
latest version of any software is recommended). Once it has been opened in the virtualization product, VMWare (shown
in Figure 1) can be configured for the host machine.

Figure 38 – TAPEWORM VM in VMWare Workstation 9.0.2

Opening the “Edit virtual machine settings” window allows the user to change the number of processors, amount of
RAM, and shared folders to be configured for use. The recommended specifications are preset into the virtual machine.
Figure 2 shows the shared folder configuration.

Timeline Creation and Analysis Guides 6/17/2013 Page 3 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Figure 39 – Shared Folder Configuration

6.2 Running Log2Timeline in TAPEWORM

Once the virtual machine is running, the desktop will show the main tapeworm window (See Figure 3). From this
interface, the automated graphic user interface (GUI) can be used, and the preprocessing and timeline creation for any
exhibit can begin. It should be noted that if the main window is minimized, other tools may be accessed either from the
terminal or separate GUI applications from the desktop.

Figure 40 – TAPEWORM Interface

As seen in Figure 4, the TAPEWORM interface has case options that need to be filled out in regards to the specific case
being processed. After filling out case details, select the evidence type. For creating a timeline, the disk image option is
most often used due to the E01, DD, or AFF files used to acquire exhibits. Additionally, Log2Timeline can be run against a
folder or logical image (but not a single file) using TAPEWORM’s interface.

Once the evidence type is selected, select your evidence and output location. After choosing the input and output
locations and selecting Log2Timeline, hit run. TAPEWORM will automate the process. It allows multiple tools to run in
Timeline Creation and Analysis Guides 6/17/2013 Page 4 of 40
 Patrick Leahy Center for Digital Investigation (LCDI)

succession as well, so if the evidence requires other processing, you can select the appropriate tools and options to run
alongside the timeline at this point.

Figure 41 – TAPEWORM Case Information

TAPEWORM utilizes a number of the same steps taken when creating a timeline in SIFT 2.14. TAPEWORM begins by
mounting the image, determining the partition types, creating necessary mount points, and doing the math for offsets,
as well as starting and ending sectors.

Figure 42 – TAPEWORM Mount Log

Timeline Creation and Analysis Guides 6/17/2013 Page 5 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

For the test image used in this tutorial (FIRE 04192013.E01), TAPEWORM was able to create a timeline in 25 hours and
17 minutes. It is important to note that this exhibit had 3 operating systems installed: Windows 7, Mac OSX, and
BackTrack Linux. Each of these Operating Systems runs on a separate time zone, each with unique user data. If the 25
hour and 17 minute run may seem extremely long, note that TAPEWORM ran Log2Timeline against every partition in the
correct time zone, as well as in every format type in one instance without the use of a single command.

Once the timeline is completed, a new folder can be found in the output directory containing an organized (by tool)
output. Inside the log2timeline directory are the file types and logs for running log2timeline, with the partition offset in
the file names. TAPEWORM exports the timelines in CSV, bodyfile, mactime, or TLN formats. The CSV format is fairly
common and can be opened with Microsoft Excel or any other spreadsheet program. The bodyfile and mactime format
can be used with the Sleuth Kit and other open source forensic tools for timeline analysis. The TLN format is a custom
format that can function with Harlan Carvey’s tools.

6.3 Reading the output from TAPEWORM

For this guide, the CSV files will be used to look at the output. In TAPEWORM, the CSV documents are split when they
are too large for excel to open, preventing any error for maximum file size. Also in the output folder are two different
CSV files, one with modules and one without. TAPEWORM adds an additional column to the Log2timeline CSV output, to
include the module used to process the particular artifact. For example, if the artifact listed in the CSV file originated
from an index.dat file, the index.dat will be listed in the module column. This seems to be a lot of extra information, but
when performing an investigation and attempting to look into specific information such as a timeline of Firefox history,
sorting by module becomes extremely helpful. The CSV files will also contain the data within any specified date range,
while the other file types do not allow for that sort of filtering. The CSV will be the most accurate source of information.

Opening the CSV files in Microsoft Excel shows the data neatly organized by column: sorted by date and time from
oldest to newest (See Figure 6). Using Excel’s data sort feature, the first row can be used to sort and filter content
throughout the document.

Figure 43 – CSV Timeline Output

To enable the sorting feature, select the “data” tab in excel (See Figure 7).

Timeline Creation and Analysis Guides 6/17/2013 Page 6 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Figure 44 – Data Filtering with Excel

Then select filter (See Figure 8).

Figure 45 – Applying a Data Filter in Excel

Timeline Creation and Analysis Guides 6/17/2013 Page 7 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Log2Timeline Guide for SIFT

Written by: Chapin Bryce

Updated: July, 2013

The Senator Patrick Leahy Center for Digital Investigation

Champlain College

Timeline Creation and Analysis Guides 6/17/2013 Page 8 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Table of Contents
Configuring SIFT for Log2Timeline .............................................................................................................. 22
Preparing Exhibits for Log2Timeline in SIFT ................................................................................................ 24
Running Log2Timeline-SIFT ......................................................................................................................... 27
Running Log2Timeline for Linux and Macintosh Partitions ........................................................................ 28
Running Log2Timeline on a Linux Exhibit ............................................................................................... 28
Running Log2Timeline on a Macintosh Exhibit ....................................................................................... 28

Timeline Creation and Analysis Guides 6/17/2013 Page 9 of 40

 Patrick Leahy Center for Digital Investigation (LCDI)

Timeline Creation and Analysis Guides 6/17/2013 Page 10 of 40