I am trying to make a supertimeline. I run timescanner with 'sudo timescanner -m C/ -o mactime -d /media/C > l2t.fls' but when it finishes scanning, it says "[timescanner] Recursive scan completed. Successfully extracted timestamps from 0 artifacts (either files or directories). "
This is an error, as I know there are parsable artifacts on the drive. When I do the -v option, it scrolls all the files, saying "Now Inspecting File "
Using Log2Timeline directly gives the error "Unable to run the tool. Error message given Can't locate object method "now" via package "DateTime" at /usr/share/perl5/Log2Timeline.pm line 292." when I run it as "sudo log2timeline -m C -o mactime -r /media/C > l2t.fls"
Any advice would be great.
Version .61 ?
You will need to use the -f option. e.g. "-f winxp" or "-f win7"
I had the same problem myself when I upgraded from ".60" .
With the previous versions .60 and earlier it didn't matter as it would autodetect the files and parse them all. Strangely now the -f option is required for it to work now even though the manual page shows it as a optional option.
So if you use (e.g. for win 7)
'sudo timescanner -f win7 -m C/ -o mactime -d /media/C > l2t.fls'
it should work.
Hi
First of all, the error that you are describing (the locate method "now") was a slight bug in the tool, had to do with the method that tried to determine the local timezone settings of your macine. So if you would have defined the timezone using -z you should not have seen that error.
The timescanner command however did not use the -f option that defines which input modules the tool should use. The default behavior of the tool however uses "all" input modules. However, again due to a small bug, caused the tool to not actually load any modules up when the -f option was omitted. This could again have been solved using -f winxp or some other input list.
Both of these bugs have been fixed in the new release of the tool, version 0.62. Please upgrade the tool and try it again.