Kristinn Gudjonsson has written an excellent timeline utility for forensics investigators call log2timeline. The power of his tool is that it will add a wide range of event inline to an existing body file so that when you are doing timeline analysis (a key component to any forensic investigation) you can see file system, event log, browser history, setupapi, etc. all in the same file.

I had issues with the utility after I ran CPAN to update some perl modules.  I decided to strat from scratch on a clean Ubuntu 9.10 workstation and wanted to document the steps I took.  Kristinn included installation directions in docs/INSTALL but I had to make minor tweaks for Ubuntu 9.10.  Here’s what I did:

Install prerequisites

sudo apt-get install libnet-pcap-perl libarchive-any-perl libxml-libxml-perl \
libdbi-perl libhtml-scrubber-perl libimage-exiftool-perl libgtk2-perl \
libglib-perl libcarp-assert-perl libdbd-sqlite3-perl perl-modules \
libdatetime-perl libdate-manip-perl

Install Perl modules not available as Ubuntu packages using CPAN

perl -MCPAN -e shell
install Parse::Win32Registry
install Data::Hexify
install NetPacket::Ethernet
install Digest::CRC

Download, compile and install log2timeline

mkdir ~/src
cd ~/src
wget http://log2timeline.net/files/log2timeline_0.41.tgz
tar xzvf log2timeline_0.41.tgz
cd log2timeline
perl Makefile.PL
make
make install (as root user)

Running the utility

After this was complete, I could run log2timeline or timescanner (which after Kristinn pointed it out to me, I was able to remove much of the complexity from the scripts I wrote trying to locate and identify valid files for processing).  Hope this helps…kudos to Kristinn for a great tool and all his hard work.