Kristinn Gudjonsson has written an excellent timeline utility for forensics investigators called log2timeline. The power of his tool is that it adds a wide range of events inline to an existing body file, so that when you are doing timeline analysis (a key component of any forensic investigation) you can see file system, event log, browser history, setupapi, etc. events all in the same file.
I had issues with the utility after I ran CPAN to update some perl modules. I decided to start from scratch on a clean Ubuntu 9.10 workstation and wanted to document the steps I took. Kristinn included installation directions in docs/INSTALL but I had to make minor tweaks for Ubuntu 9.10. Here’s what I did:
Install prerequisites
sudo apt-get install libnet-pcap-perl libarchive-any-perl libxml-libxml-perl \
  libdbi-perl libhtml-scrubber-perl libimage-exiftool-perl libgtk2-perl \
  libglib-perl libcarp-assert-perl libdbd-sqlite3-perl perl-modules \
  libdatetime-perl libdate-manip-perl
Install Perl modules not available as Ubuntu packages using CPAN
perl -MCPAN -e shell
# the following are typed at the cpan> prompt:
install Parse::Win32Registry
install Data::Hexify
install NetPacket::Ethernet
install Digest::CRC
Download, compile and install log2timeline
mkdir ~/src
cd ~/src
wget http://log2timeline.net/files/log2timeline_0.41.tgz
tar xzvf log2timeline_0.41.tgz
cd log2timeline
perl Makefile.PL
make
make install    # run this last step as root
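Since a broken CPAN update is exactly what caused the problems described above, it is worth checking that every Perl module log2timeline needs actually loads before running perl Makefile.PL. The script below is an added example, not part of the post or of log2timeline; the module names are the ones I paired by hand with the apt packages and CPAN modules listed above (that pairing is an assumption).

```shell
#!/bin/sh
# Added example: preflight check of the Perl modules log2timeline depends on.
# Module names are paired by hand with the apt packages / CPAN modules in the
# post (assumption: libnet-pcap-perl -> Net::Pcap, libdbd-sqlite3-perl ->
# DBD::SQLite, and so on).

# perl_has_module NAME -> exit 0 if perl can load NAME, non-zero otherwise
perl_has_module() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# missing_modules "Mod::A Mod::B ..." -> prints each module that fails to
# load, one per line; prints nothing when every module loads.
missing_modules() {
    for mod in $1; do
        perl_has_module "$mod" || echo "$mod"
    done
}

# Modules that come from the Ubuntu packages on the apt-get line
APT_MODULES="Net::Pcap Archive::Any XML::LibXML DBI HTML::Scrubber \
Image::ExifTool Gtk2 Glib Carp::Assert DBD::SQLite DateTime Date::Manip"
# Modules that have to come from CPAN
CPAN_MODULES="Parse::Win32Registry Data::Hexify NetPacket::Ethernet Digest::CRC"

# report -> prints what still needs installing, grouped by install method
report() {
    apt_missing=$(missing_modules "$APT_MODULES")
    cpan_missing=$(missing_modules "$CPAN_MODULES")
    if [ -n "$apt_missing" ]; then
        printf 'Missing, install via apt-get:\n%s\n' "$apt_missing"
    fi
    if [ -n "$cpan_missing" ]; then
        printf 'Missing, install via CPAN:\n%s\n' "$cpan_missing"
    fi
    if [ -z "$apt_missing$cpan_missing" ]; then
        echo "All log2timeline Perl modules load; safe to run perl Makefile.PL"
    fi
    return 0
}

report
```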
Running the utility
After this was complete, I could run log2timeline or timescanner (which, after Kristinn pointed it out to me, let me remove much of the complexity from the scripts I had written to locate and identify valid files for processing). Hope this helps… kudos to Kristinn for a great tool and all his hard work.


For Ubuntu 8.04, add the following to the above prerequisites
libmime-types-perl libfile-mmagic-perl libtest-warn-perl libmodule-find-perl libarchive-zip-perl
and add the following to the Perl modules
install Archive::Any