log2timeline - A framework for timeline creation and analysis

License: GPLv2
A framework for timeline creation and analysis.

Log2timeline provides a framework that automatically extracts timeline
information from log files and other artifacts found on a range of
operating systems.  The framework then writes the timeline in the chosen
output format, so it can be examined with existing timeline analysis
tools or with any other tool able to inspect the timeline.


log2timeline-0.65-1.el6.i686 [653 KiB] Changelog by Lawrence Rogers (2012-09-12):
* Release 0.65-1
  - [UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
  - [SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
  - [l2t_process] Renamed to l2t_process_old, being replaced by the one from l2t-tools.
  - [EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
  - [Altiris input] Fixed a small bug when the date is malformed.
  - [Log2Timeline library] Fixed a few bugs:
      - Small error in the format sort, caused oxml to sometimes be skipped in processing.
  - [GENERIC_LINUX input] Added a small extra eval sentence.
  - [LS_QUARANTINE] Fixed a minor bug in the get_time routine: if a database error occurs it is caught by an eval sentence.
  - [TEST] Added a few more tests.
  - [MOST INPUT MODULES] Changed the line:
          my $line = <$fh> or return undef;
      in most input modules.
  - [WIN library] Added a few more transformations of Windows-stored time zones into "olson" ones understood by DateTime.
  - [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
  - [faersluskra2timalina] Added a new frontend to the tool, exact copy of log2timeline, except all parameters in Icelandic... kinda
  - [timescanner tool] Removed this frontend from the Makefile since it serves no purpose (as in no longer part of the automatic installation).
log2timeline-0.63-1.el6.i386 [569 KiB] Changelog by Lawrence Rogers (2012-04-09):
* Release 0.63-1
	Version 0.63 (09/04/2012)
	- ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
	- Also several modules have had their documentation updated and code reformatted to reflect the recent release of a style guide
	  for the project. perltidy is not enough to enforce that, but at least a start. Rewriting the documentation (pod) is also a vital
	  portion of making the modules easier to use/understand/develop.
	- All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably
	  more useful than it was.
	- [SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores
	  the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
		- This makes it possible to output using this method and then sorting is simpler since it does not require the module
		  to read in the csv and change it into something like a hash, since it is already stored as such.
		- This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV
		  instead of using CSV as default and trying to filter that output.
		- This also makes it easier to filter, based on certain attributes, instead of at the line level.
	- [WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
	- [FIREFOX3 input] Added a check to see if the SQLite database contains a -wal or -shm (in addition to -journal),
	  and if it does, then do the same procedure as if it was a -journal (read-only database that gets copied to a temp location).
	  This was pointed out to me by Svante.
	- [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail
	  option/parameter is used.
	- [MFT input] Inside the verification routine a check is made to see if the magic value is FILE0; it should only be FILE.
	  Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
	- [SAM input] Changed the handling of SAM database data, it did not properly parse the SAM database file in certain cases
	  due to the keys being prefilled with the CMI-CREATE....
	- [NTUSER input] Changed a value check in UserAssist key parsing that caused UserAssist keys not to be properly parsed.
	- [WIN_LINK input] The values for mtime and atime got swapped (the correct order is CAM not CMA like it was)
	- [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
	- [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
	- [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
	- [win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named
	  timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
	- [LOG2TIMELINE] Small bug in the log2timeline library, causing an input module list that has more than one - sign in it
	  not to be properly verified.
	- [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not
	  yet complete, style guide.
	- [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
		- Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output error
		  message if debug is turned on.
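Two of the format details corrected in the 0.63 notes above (the MFT entry signature being "FILE" rather than "FILE0", and the shell link header storing its timestamps in CAM order) are shown below as an added Python example. This is not log2timeline's own code (the project is written in Perl); the sample headers are constructed inline, and the 0x2A fixup-array offset used for pre-NTFS-3.1 records comes from the NTFS on-disk format, not from this page.

```python
"""Added example: the MFT signature check and the .lnk timestamp order
that the 0.63 release notes fix, on constructed sample headers."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer division of timedeltas keeps full precision (no float rounding).
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


# --- MFT entry header --------------------------------------------------
# Byte 4 of an MFT record is the low byte of the 16-bit offset to the update
# sequence (fixup) array: 0x30 ('0') on NTFS 3.1, 0x2A ('*') on older volumes
# (assumption from the NTFS on-disk layout). That is why "FILE0" happens to
# match most records but rejects the rest.

def mft_magic_ok_old(record):
    """The check the notes describe as wrong: insists on 'FILE0'."""
    return record[:5] == b"FILE0"


def mft_magic_ok(record):
    """Corrected check: only the four signature bytes are magic."""
    return record[:4] == b"FILE"


def mft_fixup_offset(record):
    """Offset to the fixup array, read from header offset 4 (little-endian)."""
    return struct.unpack_from("<H", record, 4)[0]


def make_mft_header(fixup_offset):
    """Constructed 48-byte header prefix: signature, fixup offset, USA count."""
    hdr = bytearray(48)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 4, fixup_offset)
    struct.pack_into("<H", hdr, 6, 3)
    return bytes(hdr)


# --- Shell link (.lnk) header ------------------------------------------
# ShellLinkHeader: size 0x4C, CLSID 00021401-0000-0000-C000-000000000046,
# then LinkFlags, FileAttributes and three FILETIMEs at offset 0x1C in the
# order CreationTime, AccessTime, WriteTime (CAM).

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
CAM_ORDER = ("ctime", "atime", "mtime")
CMA_ORDER = ("ctime", "mtime", "atime")  # the swapped order the notes fix


def make_lnk_header(ctime, atime, mtime):
    """Constructed header with the timestamps laid out as on disk (CAM)."""
    hdr = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, LNK_HEADER_SIZE)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<QQQ", hdr, 0x1C, datetime_to_filetime(ctime),
                     datetime_to_filetime(atime), datetime_to_filetime(mtime))
    return bytes(hdr)


def parse_lnk_times(header, order=CAM_ORDER):
    """Return {name: datetime} for the three header timestamps."""
    size = struct.unpack_from("<I", header, 0)[0]
    if size != LNK_HEADER_SIZE or header[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    raw = struct.unpack_from("<QQQ", header, 0x1C)
    return {name: filetime_to_datetime(v) for name, v in zip(order, raw)}


# Constructed sample values used by run_demo().
SAMPLE_CTIME = datetime(2012, 4, 9, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_ATIME = datetime(2012, 4, 10, 11, 0, 0, tzinfo=timezone.utc)
SAMPLE_MTIME = datetime(2012, 4, 8, 9, 0, 0, tzinfo=timezone.utc)


def run_demo():
    """Old vs corrected behaviour on the constructed headers."""
    lnk = make_lnk_header(SAMPLE_CTIME, SAMPLE_ATIME, SAMPLE_MTIME)
    return {
        "cam": parse_lnk_times(lnk, CAM_ORDER),
        "cma": parse_lnk_times(lnk, CMA_ORDER),
        "old_accepts_0x30": mft_magic_ok_old(make_mft_header(0x30)),
        "old_accepts_0x2a": mft_magic_ok_old(make_mft_header(0x2A)),
        "new_accepts_0x2a": mft_magic_ok(make_mft_header(0x2A)),
        "fixup_0x2a": mft_fixup_offset(make_mft_header(0x2A)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Reading the record with the CMA order silently labels the access time as the modification time and vice versa, which shifts events between the "A" and "M" columns of a timeline; the signature check matters because a record rejected at verification never reaches the timeline at all.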

Listing created by Repoview-0.6.6-4.el7