SANS Digital Forensics and Incident Response Blog

Alternative Artifact Timeline Generation Tool (Link Files, Prefetch, Userassist, Recycle Bin, and more)

Wanted to give a quick shout out to Kristinn Guðjónsson, one of the SANS blog authors, who released an alternative timeline generation tool, log2timeline, that adds time artifacts to a body file alongside the Registry last-write times and file-system MACB times you already get from a basic timeline.

The current version of the tool parses the following artifacts:

  • Prefetch directory (reads the content of the directory and parses files found inside)
  • UserAssist key info (reads the NTUSER.DAT user registry file to parse the content of UserAssist keys)
  • Squid access logs (with emulate_httpd_log off)
  • Restore points (reads the content of the directory and parses rp.log file inside each restore point)
  • Windows shortcut files (LNK)
  • Windows Recycle Bin (INFO2)
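
As an added example (not log2timeline's own code), the parser below turns Windows 2000/XP Recycle Bin INFO2 records, one of the artifacts listed above, into TSK 3.x bodyfile lines (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`) so the deletion times can be merged into a mactime timeline. The sample INFO2 blob is constructed inline, and the assumed record layout is the XP one: 20-byte header with the record size at offset 12, then 800-byte records with the ANSI path at 0, record index at 260, drive number at 264, deletion FILETIME at 268, file size at 276 and the UTF-16 path at 280.

```python
import struct
from datetime import datetime, timezone

FILETIME_EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
INFO2_HEADER_LEN = 20
INFO2_RECORD_LEN = 800  # Windows 2000/XP INFO2 record size (assumed layout)


def filetime_to_epoch(ft):
    """Convert a 64-bit Windows FILETIME to whole Unix epoch seconds."""
    return (ft - FILETIME_EPOCH_DIFF) // 10_000_000


def parse_info2(data):
    """Yield (index, drive_letter, deleted_epoch, size, path) for each populated record."""
    rec_size = struct.unpack_from("<I", data, 12)[0]
    if rec_size != INFO2_RECORD_LEN:
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    for off in range(INFO2_HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # index, drive number (0=A, 2=C), deletion FILETIME, size: little-endian at offset 260
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        if ft == 0:  # all-zero slot, nothing to put on the timeline
            continue
        path = rec[280:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        yield index, chr(ord("A") + drive), filetime_to_epoch(ft), size, path


def info2_to_bodyfile(data, source="INFO2"):
    """Render records as TSK 3.x bodyfile lines; the deletion time goes in the mtime slot."""
    lines = []
    for index, drive, ts, size, path in parse_info2(data):
        name = f"[{source}] {path} (deleted; drive {drive}:, record {index})"
        lines.append(f"0|{name}|{index}|0|0|0|{size}|0|{ts}|0|0")
    return lines


def build_sample_record(index, drive, deleted, size, path):
    """Constructed INFO2 record for this example, not real evidence."""
    ft = int((deleted - datetime(1601, 1, 1, tzinfo=timezone.utc)).total_seconds()) * 10_000_000
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    unicode_path = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, ft, size) + unicode_path


# Constructed sample: version-5 header plus one record deleted 2009-07-14 15:02:00 UTC.
SAMPLE_INFO2 = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_LEN, 0) + build_sample_record(
    1, 2, datetime(2009, 7, 14, 15, 2, 0, tzinfo=timezone.utc), 4096,
    r"C:\Documents and Settings\bob\Desktop\budget.xls")

if __name__ == "__main__":
    print("\n".join(info2_to_bodyfile(SAMPLE_INFO2)))
```

Feed the output to `mactime -b` together with the file-system body file to see the deletion next to the MACB events.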

To learn how to create a basic timeline with Registry and file-system artifacts, look here:

Wonderful tool Kristinn! Keep it up!