That is correct, it would be great if someone wanted to take on modifying Kovar's analyzeMFT.py script or some other parser to output in the correct format as a pet project. Personally, I have not had a need to do so -)
I can easily output TLN with my Perl script.
It's also helpful that I wrote code to perform path reassembly, as well.
Unfortunately, I have not found any free tool such as FTK Imager or ImDisk that works.
Imdisk has TWO "modes".
One is "plain" IMDISK, the other one is "through" devio.
Have you explored the possibilities of the latter "mode"?
http//
http//
I presume that it is possible to use devio as a "local" proxy for IMDISK?
jaclaz
I can easily output TLN with my Perl script.
You have so many scripts it's hard to keep track of them all. Is this a private or public script?
An output to the CSV format I mentioned (http//
I presume that it is possible to use devio as a "local" proxy for IMDISK? jaclaz
Interesting, I was not aware of devio. Thanks for sharing, really cool capability. After reading the links you shared and some others I am not confident I know how it would work off the top of my head with a disk image. Perhaps someone looking for an alternative to Encase or MIP for disk mounting could try and update us.
Oh, by the way, if you don't already know, there is a new Python version of log2timeline out called "plaso", also by Kristinn. This is distributed in source, binary (i.e. EXE), and also in my tool called "4n6time", which is a GUI interface for creation and review of timelines. There are not as many parsers available for this version yet and it is still sort of in beta. Here's some more info - https://sites.google.com/a/kiddaland.net/plaso/
I thought it was still in alpha/beta stage? But I'll check it out.
Also, re the MFT parsing, I haven't tried it on Windows, but is it possible to just export the $MFT, say from EnCase/FTK/ProDiscover, and then parse it that way?
I thought it was still in alpha/beta stage? But I'll check it out.
Correct, that's what I said. Please check it out; feedback, testing and contributions are what will get it to the next stage. I am sure Kristinn would appreciate it.
Also, re the MFT parsing, I haven't tried it on Windows, but is it possible to just export the $MFT, say from EnCase/FTK/ProDiscover, and then parse it that way?
Of course, but that would require a mouse -)
Also, re the MFT parsing, I haven't tried it on Windows, but is it possible to just export the $MFT, say from EnCase/FTK/ProDiscover, and then parse it that way?
Without a doubt…I do it all the time…
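To show concretely what "export the $MFT and parse it" plus "output TLN with path reassembly" look like in code, here is an added example for this thread. It is not Harlan's Perl script, not analyzeMFT.py and not plaso: it walks the FILE records of an exported $MFT, undoes the update-sequence fixups, reads the four $STANDARD_INFORMATION timestamps and the $FILE_NAME parent reference, rebuilds each path by following parent references up to record 5, and emits TLN lines (time|source|host|user|description). The $MFT bytes at the bottom are constructed synthetically so the script runs offline; the hostname "HOST" and the "$OrphanFiles" label for a broken parent chain are assumptions, and the builder helpers exist only to make the sample data.

```python
"""Exported $MFT -> TLN with path reassembly (added example, not the thread's own code).
The SAMPLE_MFT at the bottom is constructed test data; call parse_mft() on the bytes of a
real exported $MFT to use this on a case."""
import struct

EPOCH_DIFF = 116444736000000000   # 100ns ticks from 1601-01-01 to 1970-01-01
ROOT_RECORD = 5                   # MFT record number of the volume root directory
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_unix(ft):
    return (ft - EPOCH_DIFF) // 10_000_000


def apply_fixups(rec):
    """Restore the last two bytes of each 512-byte sector from the update sequence
    array, checking the USN first so a torn or corrupt record is not silently trusted."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_record(raw):
    """Return {recno, is_dir, si, fn} for an in-use FILE record, else None."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(bytearray(raw))
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    if not flags & 0x01:           # not in use; a deleted-file pass would keep these
        return None
    entry = {"recno": struct.unpack_from("<I", rec, 0x2C)[0],
             "is_dir": bool(flags & 0x02), "si": None, "fn": None}
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:      # resident attribute: content is inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI and len(body) >= 32:
                entry["si"] = struct.unpack_from("<4Q", body, 0)   # created, modified, MFT-changed, accessed
            elif atype == ATTR_FN and len(body) >= 66:
                parent = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF  # drop sequence number
                nlen, namespace = body[64], body[65]
                name = bytes(body[66:66 + 2 * nlen]).decode("utf-16-le")
                if entry["fn"] is None or namespace != 2:   # prefer the long name over the 8.3 one
                    entry["fn"] = (parent, name)
        off += alen
    return entry


def parse_mft(data, record_size=1024):
    entries = {}
    for i in range(0, len(data) - record_size + 1, record_size):
        e = parse_record(data[i:i + record_size])
        if e and e["fn"]:
            entries[e["recno"]] = e
    return entries


def build_path(entries, recno):
    """Follow $FILE_NAME parent references up to the root; label a broken chain."""
    parts, seen = [], set()
    while recno != ROOT_RECORD and recno in entries and recno not in seen:
        seen.add(recno)
        parent, name = entries[recno]["fn"]
        parts.append(name)
        recno = parent
    if recno != ROOT_RECORD:
        parts.append("$OrphanFiles")     # assumed label when the parent record is gone
    return "\\".join(reversed(parts))


def to_tln(entries, host="HOST", user=""):
    """One TLN line per distinct $SI timestamp, with MACB letters for the times it carries."""
    lines = []
    for recno, e in entries.items():
        if e["si"] is None:
            continue
        path = "\\" + build_path(entries, recno)
        ts = {"M": e["si"][1], "A": e["si"][3], "C": e["si"][2], "B": e["si"][0]}
        for t in sorted(set(ts.values())):
            macb = "".join(k if ts[k] == t else "." for k in "MACB")
            lines.append(f"{filetime_to_unix(t)}|FILE|{host}|{user}|{macb} [$SI] {path}")
    return sorted(lines, key=lambda l: int(l.split("|", 1)[0]))


# ---- synthetic $MFT: constructed test data, not taken from any real volume ----
def _attr(atype, body):
    total = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + b"\0" * (total - 0x18 - len(body))


def _record(recno, name, parent, t, is_dir=False):
    ft = {k: v * 10_000_000 + EPOCH_DIFF for k, v in t.items()}
    si = struct.pack("<4Q", ft["B"], ft["M"], ft["C"], ft["A"]) + b"\0" * 16
    fn = struct.pack("<Q4QQQII", (5 << 48) | parent, ft["B"], ft["M"], ft["C"], ft["A"],
                     0, 0, 0x10000000 if is_dir else 0, 0)
    fn += bytes([len(name), 1]) + name.encode("utf-16-le")
    attrs = _attr(ATTR_SI, si) + _attr(ATTR_FN, fn) + b"\xff\xff\xff\xff\0\0\0\0"
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                     3 if is_dir else 1, 0x38 + len(attrs), 1024, 0, 0, 0, recno)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = b"\x01\x00"                  # USN; save each sector end, then stamp it
    for i in (1, 2):
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = b"\x01\x00"
    return bytes(rec)


T0, T1 = 1325376000, 1325462400                   # 2012-01-01 and 2012-01-02 00:00 UTC
SAMPLE_MFT = b"".join([
    _record(5, ".", 5, dict(B=T0, M=T0, C=T0, A=T0), is_dir=True),
    _record(64, "Windows", 5, dict(B=T0, M=T0, C=T0, A=T0), is_dir=True),
    _record(65, "evil.exe", 64, dict(B=T0, M=T1, C=T1, A=T1)),
    b"\0" * 1024,                                  # unused record slot, skipped by the parser
    _record(70, "ghost.txt", 999, dict(B=T1, M=T1, C=T1, A=T1)),   # parent record missing
])

if __name__ == "__main__":
    for line in to_tln(parse_mft(SAMPLE_MFT)):
        print(line)
```

The fixup step is the part people skip and then wonder why a few records parse as garbage: NTFS overwrites the last two bytes of every sector with the USN, and the originals live in the update sequence array. The orphan case shows why path reassembly needs a cycle guard and a label rather than a guess: a file whose parent record has been reused or zeroed still gets a timeline line, just under an "$OrphanFiles" prefix.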
Of course, but that would require a mouse -)
Nothing wrong with meeces.
Makes it easier to navigate the two screens and snap the windows into different segments.
You have so many scripts its hard to keep track of them all
Yeah, Rob Lee said the same thing, so I sort of backed off of releasing them. After everyone thought that the Jump List parser I released was part of RegRipper, it really showed me how much people pay attention to what they're downloading. Oddly enough, no one has complained that DFwOST has "too many" tools in it, but you're not the first person to say that I have too many tools or scripts. Weird.
Is this a private or public script?
Well, it's written in Perl, so you probably won't want it.