Log2timeline on Windows

(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

This may not be the right place to ask this, because it's technically a perl question, but if anyone can help it would be greatly appreciated

I'm trying to put together a batch file to install log2timeline on windows.
I've got Perl installed, got the latest version of log2timeline and Chris Pogue's instructions on how to do it (http://log2timeline.net/INSTALL.txt).

What I'm getting stuck on is how do I get the Perl libraries to install without having to run the ppm install X command from an online repository.
I've tried to change the location of the repository to be a local folder, but that hasn't seemed to work.

I'm sure it's an easy fix, but my Perl knowledge is quite limited.

 
Posted : 12/12/2012 2:50 am
(@bithead)
Posts: 1206
Noble Member
 

I would say copy the libraries from your install. No need to download them from an online repository.

 
Posted : 12/12/2012 8:11 am
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

So it's probably my lack of understanding, but does Perl just take the PM files from the lib directory and that's that?
Or is there more to it?

I'll have to play around with it and figure it out.

 
Posted : 12/12/2012 10:55 am
(@bithead)
Posts: 1206
Noble Member
 

So it's probably my lack of understanding, but does Perl just take the PM files from the lib directory and that's that?

Pretty much. If you look at the install instructions for manually copying Mac-PropertyList and XML-Entities, that is all the Package Manager is really doing with the dependencies.

So as long as your files are up to date in your installer, there is no reason to call the Package Manager just to copy some files.

 
Posted : 12/12/2012 11:26 am
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

So I may have found a way to get it to work (but have to do it for log2timeline).

Basically, install the dependencies using ppm install on an internet-connected PC.
Once that's all installed and working, then you can copy the site and lib folders to the forensic workstation and that should work.

I'm sure that one could copy the files into the right places, but this way it installs the dependencies etc. for you.

Next step is looking into perl2exe for log2timeline so that I don't have to keep reinstalling it every time I reghost my PC.

 
Posted : 03/01/2013 5:39 pm
(@davnads)
Posts: 41
Eminent Member
 

So I may have found a way to get it to work (but have to do it for log2timeline).

Good luck. Please let me know if you get it to work 😉

Btw, are you able to get MFT data running it on Windows? I could never get Windows to see the $MFT and other system files hence log2timeline would not see and parse them out. After some trial and error, I discovered it did work (Windows would see these files) if you mounted your disk image as an emulated network share. Encase is one tool that has this capability.

 
Posted : 03/01/2013 9:40 pm
(@davnads)
Posts: 41
Eminent Member
 

Oh, by the way, if you don't already know, there is a new Python version of log2timeline out called "plaso", also by Kristinn. This is distributed in source, binary (i.e. EXE), and also in my tool called "4n6time", which is a GUI interface for creation and review of timelines. There's not as many parsers available for this version yet and it's still in sorta beta. Here's some more info - https://sites.google.com/a/kiddaland.net/plaso/

 
Posted : 03/01/2013 9:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

…if you mounted your disk image as an emulated network share. Encase is one tool that has this capability.

Are there others?

 
Posted : 03/01/2013 9:50 pm
(@davnads)
Posts: 41
Eminent Member
 

Yes, I recall Mount Image Pro had the same functionality (based on my evaluation of the demo version). Unfortunately, I have not found any free tool such as FTK Imager or ImDisk that works. Also, when I last looked, I could not find any MFT parsers that output to the correct log2timeline CSV format (http://code.google.com/p/log2timeline/wiki/l2t_csv) if one wanted to add this data into their timeline separately. Perhaps there is something now.

 
Posted : 03/01/2013 9:58 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Also when I last looked, could not find any MFT Parsers that output to the correct log2timeline CSV format …

Given the parsers available, this is fairly trivial to achieve. In fact, *any* output format can be achieved simply by modifying the code.

 
Posted : 03/01/2013 10:31 pm
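To illustrate what the two posts above are talking about, here is an added example (not code from the thread, from log2timeline or from any of the posters) that takes MFT-style $STANDARD_INFORMATION timestamps and writes them out in the 17-column l2t_csv layout that log2timeline consumes. The sample records, the host name, the source/sourcetype/format labels and the "$SI [...]" description text are all constructed for the example; the column names and order, the MM/DD/YYYY date format and the dotted MACB notation are the l2t_csv conventions. The part a hand-rolled converter usually gets wrong is shown explicitly: timestamps that are equal are collapsed into one row whose MACB column carries all the matching letters, rather than emitting four rows per file.

```python
"""Added example (not from the thread): emit MFT-style timestamps in the
17-column l2t_csv format, collapsing equal timestamps into one row whose
MACB column carries the combined letters (e.g. "M.C." or "MACB")."""
import csv
import io
from collections import OrderedDict
from datetime import datetime, timezone

# l2t_csv header, in the order the format specifies.
L2T_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
              "user", "host", "short", "desc", "version", "filename", "inode",
              "notes", "format", "extra"]

# Constructed sample input: what a minimal MFT parser might hand us for two
# files. The timestamps are $STANDARD_INFORMATION values as UTC datetimes.
SAMPLE_MFT_RECORDS = [
    {"inode": 42, "filename": "\\Windows\\System32\\example.dll",
     "modified": datetime(2012, 12, 11, 14, 50, 0, tzinfo=timezone.utc),
     "accessed": datetime(2012, 12, 11, 14, 50, 0, tzinfo=timezone.utc),
     "changed":  datetime(2012, 12, 11, 14, 50, 0, tzinfo=timezone.utc),
     "born":     datetime(2012, 12, 11, 14, 50, 0, tzinfo=timezone.utc)},
    {"inode": 43, "filename": "\\Users\\analyst\\notes.txt",
     "modified": datetime(2013, 1, 3, 17, 39, 0, tzinfo=timezone.utc),
     "accessed": datetime(2013, 1, 3, 21, 40, 0, tzinfo=timezone.utc),
     "changed":  datetime(2013, 1, 3, 17, 39, 0, tzinfo=timezone.utc),
     "born":     datetime(2012, 12, 12, 2, 50, 0, tzinfo=timezone.utc)},
]

# Position and letter of each timestamp kind in the MACB column.
MACB_ORDER = (("modified", "M"), ("accessed", "A"), ("changed", "C"), ("born", "B"))


def macb_string(kinds):
    """Build e.g. 'M.C.' from the set of kinds present; '.' marks an absent one."""
    return "".join(letter if kind in kinds else "." for kind, letter in MACB_ORDER)


def mft_record_to_rows(rec, host="forensic-ws"):
    """Return l2t_csv rows for one MFT record: one row per distinct timestamp.

    Equal timestamps are grouped so a file created and never touched since
    becomes a single 'MACB' row instead of four identical rows. The host name
    and the label values below are assumptions made for this example.
    """
    groups = OrderedDict()
    for kind, _ in MACB_ORDER:
        groups.setdefault(rec[kind], []).append(kind)
    rows = []
    for ts, kinds in sorted(groups.items()):
        macb = macb_string(kinds)
        rows.append({
            "date": ts.strftime("%m/%d/%Y"),      # l2t_csv uses MM/DD/YYYY
            "time": ts.strftime("%H:%M:%S"),
            "timezone": "UTC",
            "MACB": macb,
            "source": "FILE",
            "sourcetype": "NTFS $MFT",
            "type": "/".join(kinds),
            "user": "-",
            "host": host,
            "short": rec["filename"],
            "desc": "$SI [%s] %s" % (macb, rec["filename"]),
            "version": "2",
            "filename": rec["filename"],
            "inode": str(rec["inode"]),
            "notes": "-",
            "format": "mft_example",
            "extra": "-",
        })
    return rows


def records_to_l2t_csv(records):
    """Serialise records to a complete l2t_csv document (header plus rows)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=L2T_FIELDS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerows(mft_record_to_rows(rec))
    return buf.getvalue()


if __name__ == "__main__":
    # Writes the constructed sample as l2t_csv to stdout.
    print(records_to_l2t_csv(SAMPLE_MFT_RECORDS), end="")
```

Redirect the output to a .csv file and it can be concatenated with other l2t_csv output (the header line only once) before sorting or loading into a timeline viewer. Rows are ordered by timestamp within each record only; a full timeline still needs a sort across all sources, which is what the l2t_process step normally does.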