I'm having a problem getting a complete timeline using SIFT v2.1. It appears that for some reason the results from timescanner are not being included in the final timeline. I'm following the steps Rob documented in his blog post regarding Super Timelines (http//
Has anyone else seen this problem, or am I just doing something stupid?
Thanks for the help!
SIFT 2.1 includes a new 'do-it-all' utility called log2timeline-sift. It's quite cool, though I am not too experienced in it. Just run that against an image, it mounts it and creates the timeline all in one shot. It puts it in the Cases folder, I believe.
By any chance, have you checked what the default output format for timescanner is? SIFT v2.0 comes with log2timeline version .6, and in the new version the default output was changed to csv instead of mactime. I don't use timescanner anymore so I'm not sure if the default output format was changed as well. If it was changed to csv then the mactime command won't work against its output. (At the time when Rob's post came out the default file format was mactime.)
There are also a few other changes in log2timeline and one important change is that log2timeline has replaced the functionality timescanner provided. The new -r switch will make log2timeline search recursively through directories on the system so you really don't need to use timescanner anymore. For more information you can check out the log2timeline man page http//
If you need information on how to create a timeline using version .6 here are a few links showing how.
http//
http//
hth
Corey Harrell
"Journey into Incident Response"
http//journeyintoir.blogspot.com
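The format mismatch described above (timescanner/log2timeline writing csv while the later mactime step expects the TSK "body" format) is easy to check for before building the timeline. The script below is an added example, not code from the SIFT or log2timeline projects: it sniffs the first line of an output file, and if the file is in the l2t_csv layout it rewrites each row into a mactime body line so `mactime -b` can consume it. The l2t_csv column order (date,time,timezone,MACB,source,...) is the one I expect from log2timeline 0.6 and should be verified against the header your version actually emits; the sample rows are constructed, and only UTC rows are accepted so a timezone mismatch fails loudly instead of silently shifting times.

```python
import csv
import io
from datetime import datetime, timezone

# Assumed l2t_csv header as written by log2timeline 0.6 (check your own output).
L2T_CSV_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
                  "short,desc,version,filename,inode,notes,format,extra")

# Constructed sample: two l2t_csv rows, one $MFT modification and one event log entry.
SAMPLE_L2T_CSV = L2T_CSV_HEADER + "\n" + (
    "01/15/2011,10:22:13,UTC,M...,FILE,NTFS $MFT,Content Modified,-,-,"
    "C:/Windows/System32/cmd.exe,C:/Windows/System32/cmd.exe,2,"
    "/mnt/win/Windows/System32/cmd.exe,1234,-,Log2t::input::mft,-\n"
    "01/15/2011,10:22:14,UTC,...B,EVT,Security,Event Logged,-,WS01,"
    "Logon,Successful logon for user analyst,2,"
    "/mnt/win/Windows/System32/config/SecEvent.Evt,5678,-,Log2t::input::evt,-\n"
)

# Constructed sample in TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = ("0|/mnt/win/Windows/System32/cmd.exe|1234|r/rrwxrwxrwx|0|0|302592|"
               "1295086933|1295086933|1295086933|1295086933\n")


def detect_format(text):
    """Classify a timeline file by its first non-empty line."""
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    if first.startswith("date,time,timezone,MACB"):
        return "l2t_csv"
    if first.count("|") == 10:  # body format has 11 pipe-separated fields
        return "mactime_body"
    return "unknown"


def l2t_csv_to_body(text):
    """Rewrite l2t_csv rows as mactime body lines (list of strings).

    Each l2t row carries one timestamp plus MACB flags saying which of the
    four body timestamp slots it belongs in; unused slots are written as 0,
    which mactime ignores.
    """
    body_lines = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":
            # Failure mode: a non-UTC file would need mactime -z handling; refuse it.
            raise ValueError("expected UTC timestamps, got %s" % row["timezone"])
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        epoch = int(stamp.replace(tzinfo=timezone.utc).timestamp())
        macb = row["MACB"]
        atime = epoch if "A" in macb else 0
        mtime = epoch if "M" in macb else 0
        ctime = epoch if "C" in macb else 0
        crtime = epoch if "B" in macb else 0
        name = "[%s] %s (%s)" % (row["source"], row["desc"], row["filename"])
        inode = row["inode"] if row["inode"].isdigit() else "0"
        body_lines.append("|".join(["0", name, inode, "-", "0", "0", "0",
                                    str(atime), str(mtime), str(ctime), str(crtime)]))
    return body_lines


def to_body(text):
    """Return body-format lines whatever the input format, or raise if unrecognised."""
    kind = detect_format(text)
    if kind == "mactime_body":
        return [ln for ln in text.splitlines() if ln.strip()]
    if kind == "l2t_csv":
        return l2t_csv_to_body(text)
    raise ValueError("unrecognised timeline format")


if __name__ == "__main__":
    # Usage: python3 this_script.py timescanner_output.txt > body.txt ; mactime -b body.txt
    import sys
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    print("\n".join(to_body(data)))
```

The point of the check is simply that a csv file fed straight to mactime yields an empty or nonsense timeline; detecting the format first tells you whether the missing timescanner entries are a format problem rather than a collection problem.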
Thanks for the help guys!
There is also a quick "cheat sheet" for log2timeline in the latest SIFT version that you might want to check out. It provides some quick commands that might be helpful.
And make sure, if you are using the Debian package release, to do an apt-get update && apt-get upgrade to make sure you've got the latest release. (As of now the latest release is 0.62.)