SANS Digital Forensics and Incident Response Blog

Alternative Artifact Timeline Generation Tool (Link Files, Prefetch, Userassist, Recycle Bin, and more)

Wanted to give a quick shout out to Kristinn Guðjónsson, one of the SANS blog authors, who released an alternative timeline generation tool, log2timeline. It adds timestamps from other artifacts to a body file, so they can be sorted into a single timeline alongside the Registry last write times and file system MACB times you already get from a standard body file.

http://blog.kiddaland.net/2009/08/log2timeline-artifact-timeline-analysis-part-i/

The current version of the tool parses the following artifacts:

  • Prefetch directory (reads the content of the directory and parses files found inside)
  • UserAssist key info (reads the NTUSER.DAT user registry file to parse the content of UserAssist keys)
  • Squid access logs (with emulate_httpd_log off)
  • Restore points (reads the content of the directory and parses rp.log file inside each restore point)
  • Windows shortcut files (LNK)
  • Windows Recycle Bin (INFO2)
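To make concrete what "adding artifacts to a body file" means, here is a small Python script, added to this post as an illustration and not taken from log2timeline itself, that parses a Windows XP Recycle Bin INFO2 file and emits one TSK 3.x body-file line per deleted file. The INFO2 layout used (20-byte header, fixed 800-byte records with a 260-byte ASCII path, index, drive number, FILETIME deletion time, size and a 520-byte Unicode path) is the commonly documented XP format and is assumed here; the two records in `SAMPLE_INFO2` are constructed test data, not something captured from a real system, and all function names are my own.

```python
import struct
from datetime import datetime, timezone

# Assumed layout of a Windows XP / 2003 Recycle Bin INFO2 file:
# a 20-byte header followed by fixed-size 800-byte records.
HEADER_SIZE = 20
RECORD_SIZE = 800
EPOCH_DIFF = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def filetime_to_unix(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to Unix seconds."""
    return ft // 10_000_000 - EPOCH_DIFF


def unix_to_filetime(ts):
    """Inverse of filetime_to_unix, used only to build the constructed sample."""
    return (ts + EPOCH_DIFF) * 10_000_000


def parse_info2(data):
    """Return a list of record dicts parsed from raw INFO2 bytes."""
    version, _, _, record_size, _ = struct.unpack_from('<5I', data, 0)
    if record_size != RECORD_SIZE:
        raise ValueError(f'unexpected INFO2 record size {record_size} (version {version})')
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        ascii_name = data[off:off + 260].split(b'\x00', 1)[0].decode('ascii', 'replace')
        index, drive, deleted_ft, size = struct.unpack_from('<IIQI', data, off + 260)
        uni_name = data[off + 280:off + RECORD_SIZE].decode('utf-16-le', 'replace')
        uni_name = uni_name.split('\x00', 1)[0]
        # When a file is restored or the bin is emptied, XP zeroes the first byte of
        # the ASCII path but leaves the Unicode copy, so prefer the Unicode path and
        # flag the cleared entry instead of dropping it: it is still evidence.
        path = uni_name or ascii_name
        filename = path.rsplit('\\', 1)[-1]
        ext = '.' + filename.rsplit('.', 1)[1] if '.' in filename else ''
        records.append({
            'path': path,
            'index': index,
            'drive': chr(ord('A') + drive),
            # XP renames recycled files to D<drive letter><index>.<ext>
            'recycled_name': f'D{chr(ord("a") + drive)}{index}{ext}',
            'deleted': filetime_to_unix(deleted_ft),
            'size': size,
            'ascii_cleared': data[off] == 0,
        })
    return records


def to_body_line(rec):
    """Emit a TSK 3.x body line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.

    The single deletion timestamp is placed in all four time slots (a design choice
    here) so mactime renders one event for the record; the record index stands in
    for the inode, and the remaining fields have no meaning for this artifact.
    """
    state = ' (entry cleared: restored or bin emptied)' if rec['ascii_cleared'] else ''
    name = f"[INFO2] Deleted: {rec['path']} -> {rec['recycled_name']}{state}"
    t = rec['deleted']
    return f"0|{name}|{rec['index']}|0|0|0|{rec['size']}|{t}|{t}|{t}|{t}"


def build_record(path, index, drive, deleted_unix, size, clear_ascii=False):
    """Build one constructed INFO2 record for the sample below (test data only)."""
    rec = bytearray(RECORD_SIZE)
    a = path.encode('ascii')
    rec[0:len(a)] = a
    struct.pack_into('<IIQI', rec, 260, index, drive, unix_to_filetime(deleted_unix), size)
    u = path.encode('utf-16-le')
    rec[280:280 + len(u)] = u
    if clear_ascii:
        rec[0] = 0
    return bytes(rec)


# Constructed sample: version 5 header (only the record size matters to the parser),
# one normal deletion and one entry whose ASCII path has been cleared.
SAMPLE_INFO2 = (
    struct.pack('<5I', 5, 0, 0, RECORD_SIZE, HEADER_SIZE + 2 * RECORD_SIZE)
    + build_record(r'C:\Documents and Settings\bob\My Documents\payroll.xls', 3, 2,
                   int(datetime(2009, 8, 10, 14, 30, tzinfo=timezone.utc).timestamp()), 56320)
    + build_record(r'C:\temp\notes.txt', 4, 2,
                   int(datetime(2009, 8, 11, 9, 5, tzinfo=timezone.utc).timestamp()), 1024,
                   clear_ascii=True)
)


if __name__ == '__main__':
    for record in parse_info2(SAMPLE_INFO2):
        print(to_body_line(record))
```

Append the printed lines to the body file you built from the file system and Registry, then run it through `mactime -b body -d` as usual; the INFO2 events sort in next to the MACB and last write entries, which is exactly the point of log2timeline's approach.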

To learn how to create a basic timeline from Registry and file system artifacts, the kind of body file log2timeline's output is meant to be added to, see: http://sansforensics.wordpress.com/2009/02/24/digital-forensic-sifting-registry-and-filesystem-timeline-creation/

Wonderful tool Kristinn! Keep it up!