timescanner - A recursive scanner to produce timeline data extracted from file artifacts
timscanner recursively scans through a directory (such as a mounted filesystem) and extracts timestamp data gathered from the files that the tool log2timeline supports. This tool is written as a separate tool from log2timeline but will be integrated in the tool soon.
timescanner [OPTIONS] -z TIMEZONE [-f INPUT MODULE] [-o OUTPUT MODULE] [-w BODYFILE] [-v] -d|-dir DIRECTORY
See man timescanner for full details of options to use.
This option is mandatory for the tool to operate. This option defines the starting directory which the tools recursively searches for supported artifacts.
Time skew of original machine. The format of the variable TIME is: X | Xs | Xm | Xh, where X is a integer and s represents seconds, m minutes and h hours (default behaviour is sec onds)
Prepend the output line with TEXT, for instance by using -m HOSTNAME to include a hostname in the output
Use the following output format. By default log2timeline uses the csv output. To see a list of all available output formats, use -o list
Specify a file to write output to (otherwise STDOUT will be chosen).
This option defines the timezone that was used on the computer that the log files belonged to. The default value for this variable is the local timezone of the computer timescanner is run on.
Specify a file to write error and information messages from the log2timeline to a file, otherwise STDERR will be used.
Define the host name that the information is extracted from.
If this option is used then a MD5 sum for each file that passes verification is calculated and included in the timestamp object
Make timescanner skip the default minimalist test to see if a file can be parsed by the supplied input module.
Display the version number
Add the verbose level of output, or debug level. This option can be provided twice to get an extra level of verbosity (two levels available)
Display this help message
The option of -f can be used to select which modules are used in timescanner when recursively searching through the directory supplied to the tool. The option MODULE can be any of the four listed here:
Print a list of all available modules the tool supports, alongside a print-out of the available lists (preselected modules that can be chosen)
If a list of available modules is presented, only those modules will be used by the tool. One module can be supplied, or a list separated with a comma (,). An example
This will run timescanner on the current directory and only use the modules evtx, oxml and pdf in the process.
This option can be used to exclude a given module from being run (either a single one or a list, separated with a comma), an example:
This will run the tool against the current directory and use all of the modules available EXCEPT the evtx and exif ones.
There exist few available presets, or lists of available modules that can be used. See the available lists by issuing timescanner -f list. An example
This will run the tool against the directory /mnt/xpimage, and only use the modules that are associated to a Windows XP system, according to the winxp list file.
A comma separated list of files to exclude from the scan. If a particular file has caused the tool to crash or not work, or you simply want to exclude some documents from the scan it is possible to exclude some
Example:
timescanner -f winvista -z local -d /mnt/windows -e 'Windows-Diagnosis,secret[0-3]'
This would scan all the directory /mnt/windows recursively, using only modules associated to a Windows Vista or later operating system, and excluding all filenames that have "Windows-Diagnosis" in them or contain the word secret0/secret1/secret2 or secret3 in it.
Kristinn Gudjonsson <kristinn (a t) log2timeline ( d o t ) net> is the original author of the program.
The tool is released under GPL so anyone can contribute to the tool. Some parts of the code have been copied from other GPL'ed programs, such as RegRipper written by H. Carvey.
log2timeline