log2timeline - A framework for timeline creation and analysis

License: GPLv2
A framework for timeline creation and analysis.

Log2timeline provides a framework to automatically extract timeline
information out of various log files and artifacts found on various
operating systems.  The framework then outputs the timeline information
in the chosen output format that can then be viewed using already
existing timeline analysis tools, or other tools to inspect the timeline.


log2timeline-0.61-1.fc12.src [1.3 MiB] Changelog by Lawrence Rogers (2011-09-26):
* Release 0.61-1
  Version 0.61
  - [log2timeline] Small changes to the version printing (now prints just the last portion of the path)
    - Now the engine checks if the format field is set and omits it if it's set (to facilitate input modules like CSV that define it)
    - Changed the list modules, added the SAM database readout in the winxp and win7 list files.
    - Created the winsrv list file
    - Added the MFT module to all Windows list files (just in case they use a driver that displays the $MFT file)
    - Fixed an issue with the tool not accepting the described format of the offset variable (should be +- int with the appended hms (optional))
    - Added a try/catch around get_time,
  - [L2T_CSV input] Added an input module that reads the CSV format of log2timeline (done to make it easier to convert CSV files into another format)
  - [extra/bash_completion] Added a bash_completion script, stored inside the extra/bash_completion.d directory (you need to copy it manually the first time)
    - Can make it easier to complete the parameters to the tool in *NIX
  - [l2t_process] Fixed some timezone settings, or rather created some temporary solutions to a bug
  - [SQLITE output] Changed the schema considerably, along with other smaller changes to the SQLite output
  - [TIME library] Fixed a bug in ftk2date (timestamps without ms values were not properly parsed)
  - [PREFETCH input] Slightly modified the debug information in the verification step
  - [MCAFEE input] Slight changes in output from the verification routine.
    - Added newline skipping in the verification subroutine (code donated anonymously)
  - [ALTIRIS input] New input module to parse the AeXAMInventory and AeXProcessList files from Altiris (donated anonymously)
  - [MCAFEEFIREHUP input] New input module to parse the McAfee FireEpo, FireSvc, FireTray, UpdateLog files (donated anonymously)
  - [MCAFEEHEEL input] New input module to parse the McAfee HIPS event.log (donated anonymously)
  - [SYMANTEC input] New input module to parse Symantec log files (donated anonymously)
  - [MCAFEEHS input] New input module to parse the McAfee HIPShield log file (donated anonymously)
  - [ANALOG_CACHE input] New input module to parse the cache log produced by Analog (log parser), user contributed, written by Willi Ballenthin.
  - [FTK_DIRLISTING input] Bug fixed in the ftk_dirlist module: the actual file name was repeated in the output...
  - [SAFARI input] John Ritchie made a small bug fix to the module, changing how the timestamp object got defined
  - [IE_HISTORY input] Fixed a bug in the module. time1 and time2 somehow got mixed up; reversed the order so that time1 is properly defined as the modification time, instead of being marked as the access time (and vice versa) - thanks to Jamison Bosco for notifying me
    - Small fix, updated the module so that if both time1 and time2 are the same, they are joined in a single time
log2timeline-0.51-1.fc12.src [292 KiB] Changelog by Lawrence Rogers (2010-12-16):
- Version 0.51 - many changes - see

Listing created by Repoview-0.6.5-1.el5