SANS Digital Forensics and Incident Response Blog: Tag - perl

Log2timeline Plugin Creation

About a year ago, I needed to add an Apache log to a supertimeline I was working on. I wrote a bash script to do this, as I was not familiar with perl at the time. I later went back and learned some basics of perl and converted it to my first log2timeline plugin. Since …

Perl Fu: Email Discovery

Hal Pomeranz, Deer Run Associates

I hope Mike Worman doesn't hate on me for stealing his "Perl Fu" idea, but I recently have been dealing with a task that is perfect for Perl. One of my customers is having to do a laborious discovery process through a huge email archive that is in "Unix mailbox format", meaning large text files with the email messages all concatenated together. They need to find any one of a list of relevant keywords in messages stored in these hundreds of gigabytes of large text files and output the entire text of the matching email messages.

Unix mailbox format is a file format that I've dealt with a lot, and I've written many scripts to parse these kinds of files. So it probably took me less time to write the script to do this than it's going to take me to write this blog post. But I


Forensics and Perl-Fu: Reducing Data and Cleaning Up Log Files

By: Mike Worman

Perl's simplicity and its raw power may seem paradoxical, but this is simply a clever ruse. There is a lot going on behind the scenes when using Perl, which has often been described as the scripting language that attempts to figure out exactly what the developer wants in as little code as possible, and it usually succeeds. Even when it doesn't, another possible approach is usually immediately apparent. Never forget the Perl motto: TIMTOWTDI!

Perl scripts for parsing PDFs, MACs, IPs, URLs, etc.

By Michael Cloppert

I hoped to be writing to you about how I found a great chi-square technique to identify trojaned PDFs (we've certainly seen our share - 8.1, 8.1.1, and now 8.3/9.0...). Sadly, it's not so. I couldn't even get as far as rejecting my null hypothesis since component bytes, as random variables, are - no surprise - not

Building a complete timeline for intrusion cases

Anyone who has worked intrusion cases can tell you that they are a wholly different animal than classic pornography or computer abuse/misuse cases, yet our tools have grown out of a distinct need for the latter. Particularly fractured are the tools that enable the analyst to build timelines. Sure, we can sort event logs, or use mactime to get a readable dump of our filesystem metadata, but assembling a complete picture remains a struggle. Some products offer a bit more along these lines, such as EnCase, but the barrier to entry in assembling disparate logs into a comprehensive timeline is high both in terms of financial funding and product-specific knowledge, viz. EnScripts.

To address this need, I built Ex-Tip. Roughly named after "Extensible Timelines in Perl," Ex-Tip is really nothing more than a framework of input and output modules to normalize log data and sort by time. While it is currently