Hi guys,
As many of you probably use log2timeline as a supertimeline creation tool, I thought maybe you guys could share a bit of insight regarding more advanced usage of log2timeline, including more targeted executions.
How do you guys (if at all) use l2t with your Yara rules?
I currently use log2timeline in its most basic usage, and I'd like to learn if there are more advanced and targeted ways to create the timeline, in addition to reducing time consumption.
I don't use plaso or l2t…I prefer a more surgical approach than the way most use this excellent tool. I have used the verified results of Yara rules as pivot points into and out of timelines, adding context and clarity to the analysis.
I think it's a very good tool. Saves hours of time. I would usually not run "the kitchen sink" and rather use plaso's filters to target logs in specific files only. https://
For example, a good plaso filter is:
/(Users|Documents And Settings)/.+/NTUSER.DAT
/(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/UsrClass.dat
/Windows/System32/config/.+
/Windows/System32/config/RegBack/.+
/Windows/AppCompat/Programs/Amcache.hve
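As an added illustration (not the poster's code and not plaso's own implementation), here is a small Python dry run that applies the filter lines above to a constructed list of paths before committing to a long extraction. It assumes that each '/'-separated segment of a filter line is a regex matched against one whole path component (so `.+` covers a single directory level), which is why the RegBack line is needed even though `config/.+` precedes it.

```python
import re

# Filter lines quoted in the post above (plaso legacy file-filter format).
FILTER_LINES = """
/(Users|Documents And Settings)/.+/NTUSER.DAT
/(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/UsrClass.dat
/Windows/System32/config/.+
/Windows/System32/config/RegBack/.+
/Windows/AppCompat/Programs/Amcache.hve
""".strip().splitlines()
SAMPLE_PATHS = [  # constructed: paths as they might appear in a mounted Windows image
    "/Users/alice/NTUSER.DAT",
    "/Documents And Settings/bob/AppData/Local/Microsoft/Windows/UsrClass.dat",
    "/Windows/System32/config/SYSTEM",
    "/Windows/System32/config/RegBack/SYSTEM",
    "/Windows/AppCompat/Programs/Amcache.hve",
    "/Windows/System32/drivers/etc/hosts",
]

def compile_filter(lines, ignore_case=True):
    # Assumption (not from the post): each '/'-separated segment is a regex that
    # must match one whole path component, so '.+' spans a single directory level.
    # Case-insensitive by default because NTFS paths are. '#' lines are comments.
    flags = re.IGNORECASE if ignore_case else 0
    compiled = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        segments = [s for s in line.split("/") if s]
        compiled.append((line, [re.compile(s, flags) for s in segments]))
    return compiled

def path_matches(segment_regexes, path):
    parts = [p for p in path.split("/") if p]
    if len(parts) != len(segment_regexes):
        return False  # depth must agree: '.+' never walks into subdirectories
    return all(r.fullmatch(p) for r, p in zip(segment_regexes, parts))

def select_paths(lines, candidate_paths):
    """Return {path: first matching filter line} for paths the filter would collect."""
    compiled = compile_filter(lines)
    selected = {}
    for path in candidate_paths:
        for line, regexes in compiled:
            if path_matches(regexes, path):
                selected[path] = line
                break
    return selected
```

Feed it a real file listing of the mounted image instead of SAMPLE_PATHS to see exactly which artifacts a filter will pull before running the full collection.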