SANS Digital Forensics and Incident Response Blog: Daily Archives: Aug 02, 2009

Alternative Artifact Timeline Generation Tool (Link Files, Prefetch, Userassist, Recycle Bin, and more)

Wanted to give a quick shout out to Kristinn Gujnsson, one of the SANS blog authors, who released a Alternative Timeline Generation tool, log2timeline, that will enable the addition of time artifacts to a body file in addition to Registry last write times and file system MACB times.

http://blog.kiddaland.net/2009/08/log2timeline-artifact-timeline-analysis-part-i/

Current version of the tool parses the following artifacts:

  • Prefetch directory (reads the content of the directory and parses files found

...