October 11, 2012: log2timeline-0.65-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
[SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
[l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
[EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
[Altiris input] Fixed a small bug when the date is malformed.
[Log2Timeline library] Fixed a few bugs:
A small error in the format sort caused oxml to sometimes be skipped during processing.
[GENERIC_LINUX input] Added a small extra eval block.
[LS_QUARANTINE] Fixed a minor bug in the get_time routine: if a database error occurs it is now caught by an eval block.
[TEST] Added a few more tests.
[MOST INPUT MODULES] Changed the line my $line = <$fh> or return undef; in most input modules.
[WIN library] Added a few more transformations of Windows-stored time zones into the "Olson" ones understood by DateTime.
[CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
[faersluskra2timalina] Added a new frontend to the tool, an exact copy of log2timeline except all parameters are in Icelandic... kinda
[timescanner tool] Removed this frontend from the Makefile since it serves no purpose (it is no longer part of the automatic installation).
June 27, 2012: log2timeline-0.64-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[TESTSUITE] Added the first version of a test suite to the tool.
All tests are located inside the t/ directory.
Tests should be constructed for ALL possible uses of the tool, not limited to:
Raw parsing of logs using input modules.
Correct output for output modules.
Correct output from each function inside modules/libraries.
The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
[LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
[Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
Changed the exclusion list so it can be easily changed
Added a call to ->end on each input module if verification failed.
Minor bug fixes in the main engine.
Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
Added support to detect shortcuts in Windows systems.
Added the "path_orig" to all input modules (making it possible to "fix" paths).
[CHROME input] Slight changes to the output based on the value of the typed_count variable; also updated the path to the code that describes the transition types.
[SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool not to include SKYPE data when recursive mode was turned on. Also fixed UTF-8 support; it should properly display UTF-8 by now.
[PREFETCH input] Small changes to the verification module.
[WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
[SQLITE output] Changed the way the SQLite code is written considerably: pre-compiling statements to prevent them being compiled for each insert, using transactions instead of writing constantly to the DB, and other minor tweaks to make the DB output faster than before (since it was incredibly slow before).
[CHROME input] Small bug fix for UTF-8 support.
[FIREFOX3 input] Small bug fix for UTF-8 support.
[PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive is turned on.
[RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive is turned on.
[LIST files] Added a few items to the Windows list files, and created a Mac OS X one.
[MFT input] Fixed a bug with Unicode support.
[RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT.
[SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT.
[EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace). There was an issue when Parse::Evtx was installed on SIFT, causing the tool to first load the library from Schuster rather than the slightly changed one distributed by the tool, which caused the module not to work.
April 23, 2012: log2timeline-0.63-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
Also several modules have had their documentation updated and code reworked to reflect the recent release of a style guide for the project. perltidy is not enough to enforce that, but it is at least a start. Rewriting the documentation (pod) is also a vital part of making the modules easier to use/understand/develop.
All libraries within the tool and the main API have been rewritten with this in mind, making the 'man' documentation considerably more useful than it was.
[SERIALIZE output] JSON::XS is used to serialize the timestamp output. A very simple output module that simply stores the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
This makes it possible to output using this method, and then sorting is simpler since it does not require the module to read in the CSV and change it into something like a hash, since it is already stored as such.
This might become the default output of the tool, with l2t_process then run on that output to turn it into CSV, instead of using CSV as the default and trying to filter that output.
This also makes it easier to filter based on certain attributes, instead of at the line level.
[WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
[FIREFOX3 input] Added a check to see if the SQLite database has a -wal or -shm file (in addition to -journal), and if it does, the same procedure is followed as for a -journal (the read-only database is copied to a temp location). This was pointed out to me by Svante.
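The -wal/-shm handling described above, as an added example that is not log2timeline's own Perl code: a Python sketch that copies a SQLite database together with whatever -journal/-wal/-shm sidecars exist next to it, then shows on a constructed places.sqlite why the sidecars matter: rows committed into the WAL are invisible when only the main file is copied. The moz_places table contents and the file names are constructed for the demo.

```python
import os, shutil, sqlite3, tempfile

# Sidecars that may hold committed data not yet merged into the main file.
SIDECAR_SUFFIXES = ("-journal", "-wal", "-shm")

def find_sidecars(db_path):
    """Sidecar files that currently exist next to db_path."""
    return [db_path + s for s in SIDECAR_SUFFIXES if os.path.exists(db_path + s)]

def copy_for_reading(db_path, dest_dir, with_sidecars=True):
    """Copy the database (and by default its sidecars) into dest_dir so the
    evidence file itself is never opened; return the path of the copy."""
    copy_path = os.path.join(dest_dir, os.path.basename(db_path))
    shutil.copy2(db_path, copy_path)
    if with_sidecars:
        for sidecar in find_sidecars(db_path):
            shutil.copy2(sidecar, copy_path + sidecar[len(db_path):])
    return copy_path

def count_rows(db_path):
    """Open a copy and count the rows of the constructed moz_places table."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM moz_places").fetchone()[0]
    finally:
        conn.close()

def build_sample_db(workdir):
    """Constructed sample: rows 1-2 are committed in rollback-journal mode (main file);
    rows 3-4 after switching to WAL (only in -wal). The writer stays open so the WAL is not checkpointed."""
    db_path = os.path.join(workdir, "places.sqlite")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)", [(1, "a"), (2, "b")])
    conn.commit()
    conn.execute("PRAGMA journal_mode=WAL").fetchone()
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)", [(3, "c"), (4, "d")])
    conn.commit()
    return db_path, conn

def demo():
    """Return (rows seen from a main-file-only copy, rows seen when sidecars are copied too)."""
    with tempfile.TemporaryDirectory() as work:
        db_path, writer = build_sample_db(work)
        try:
            only_main = count_rows(copy_for_reading(db_path, tempfile.mkdtemp(dir=work), False))
            with_wal = count_rows(copy_for_reading(db_path, tempfile.mkdtemp(dir=work), True))
        finally:
            writer.close()
    return only_main, with_wal
```

Run demo() to see the two counts differ; the same copy-with-sidecars step is what keeps the original history database untouched while the copy is parsed.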
[PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail option/parameter is used.
[MFT input] Inside the verification routine a check was made to see if the magic value is FILE0; it should only be FILE. Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
[SAM input] Changed the handling of SAM database data; it did not properly parse the SAM database file in certain cases due to the keys being prefilled with the CMI-CREATE....
[NTUSER input] Changed a value check in UserAssist key parsing that caused UserAssist keys to not be parsed properly.
[WIN_LINK input] The values for mtime and atime were swapped (the correct order is CAM, not CMA as it was).
[SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
[log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
[WIN library] Added a mapping from all Windows time zone names to the ones used in the DateTime library.
[win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows-named timezone is available and, if it is, compares it to the chosen timezone (and changes it if they differ).
[LOG2TIMELINE] Fixed a small bug in the log2timeline library that caused input module lists with more than one - sign in them to not be properly verified.
[IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not yet complete, style guide.
[EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster). Also changed the 50 attempts to 15 (in case of an error in reading an entry), and the error message is now only output if debug is turned on.
December 8, 2011: log2timeline-0.62-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
[OPENVPN input] New input module, designed to parse the OpenVPN log files.
[L2T_PROCESS] Added a few more allowed characters in the keyword list
[proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file
[Log2Timeline library] Fixed a bug: when the 'all' modules option is used (or -f is omitted) no modules got loaded.
Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible
Fixed a small bug where the tool would crash if the local timezone was used.
Fixed a small bug where, if the tool is not able to find the default directory (. does not exist) or the file in question that the tool is pointing to does not really exist, the tool returned a double error instead of just dying on the first one.
The tool will now accept a separate output timezone so the tool can output in a different timezone than the hosts one.
[log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
[CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports a different output timezone than the host one.
[EVTX input] Fixed a bug where the tool could go into an endless loop when an EVTX file is somehow broken and the function get_next_event dies. If the tool ran into such an occurrence it returned an empty timestamp object, which in turn let the tool query for it again, thus possibly getting into an endless loop. Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
[log2timeline-sift] Moved the mount command out of the script and into the configuration file.
Changed the mount command, since there were a few errors with the previous one.
Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call).
October 4, 2011: log2timeline-0.61-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
Bug fixes
Changes to sqlite output
User contributed new input modules
August 23, 2011: log2timeline-0.60-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
This version removes perl-Parse-Evtx since that is now a separate package.
June 6, 2011: log2timeline-0.60-1.{fc11,fc12,fc13,fc14,fc15,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
See /usr/share/doc/log2timeline-0.60/CHANGELOG after the package has been installed. Note that the program glog2timeline has been removed from this release, but may reappear in the future.
April 14, 2011: log2timeline-0.52-1.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
This version contains a few bug fixes, new modules, and a new tool called l2t_process. See /usr/share/doc/log2timeline-0.52/CHANGELOG after the package has been installed.
To build and install this package for CentOS, the following Perl modules were installed:
perl-Compress-Raw-Zlib-2.033-1.el5.{i386,x86_64}.rpm - See here for details.
perl-Archive-Zip-1.30-1.el5.noarch.rpm - See here for details.
December 16, 2010: log2timeline-0.51-1.fc{12,13,14}.{i386,x86_64}.rpm and log2timeline-0.51-1.fc11.i386.rpm - log2timeline is a framework for the automatic creation of a super timeline.
July 6, 2010: log2timeline-0.50.1.fc{8,9,10,11,12,13}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.
June 22, 2010: log2timeline-0.43.1.fc{8,9,10,11,12,13}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.
April 5, 2010: log2timeline-0.42.1.fc{8,9,10,11,12}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.