Construct A Forensic Timeline Of Events Post-Incident

By Taylor Gillespie
Expert Author
Article Date: 2010-09-29

Whether the cause is a malicious insider or a simply ignorant user, when a mishap occurs, understanding exactly what went wrong might not be an easy matter, especially when fault must be found. Often the problem arises from a series of missteps, not only from the last action or command the user issued.

In these cases, log files are only the start. A more complete history of a user's session would illuminate the root causes and perhaps the placement of blame. The recently released Log2timeline provides a means to extract timestamped metadata from a myriad of sources on the system and put that data in chronological order for analysis.

Log2timeline can be a great resource after an incident has happened. Kristinn Gudjonsson designed the program to analyze either a live system or a read-only, mounted disk image. Along with timescanner, a sister tool to Log2timeline that automates finding and loading timestamped assets, the program can be used to create an accurate timeline of events by mining time-based resources such as browser history (IE, Firefox, Chrome, Opera), event log files, bookmarks, EXIF data, server log files, office document metadata, PDF metadata, PCAP files from Wireshark and tcpdump, Windows prefetch files, the recycle bin, restore points, the registry, shortcut files, all manner of log files, and of course modified, created, and accessed file timestamps. Combined with SleuthKit and other tools, Log2timeline and timescanner let you create a "Super Timeline" of what happened on a disk. Needless to say, this tool works as well with Windows machines as it does with *nix machines, including Mac OS X.
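The core of what the paragraph above describes is normalising timestamps from several unrelated sources into one clock and sorting them. The script below is an added example written for this page; it is not Log2timeline's or timescanner's own code. Every record in it is constructed: an Apache common-log-format line, a Firefox history visit (Firefox stores visit times as PRTime, microseconds since the Unix epoch), a file-system modification time in epoch seconds, and a Windows event log entry recorded in local time with an assumed UTC offset of -4 hours. The field names of the Firefox, file and event dictionaries are assumptions for illustration, not a real export format.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

# --- Constructed sample records standing in for several timestamp sources ---

# Apache access log, common log format. Note the explicit UTC offset in brackets.
APACHE_LOG = [
    '10.0.0.5 - - [29/Sep/2010:14:03:17 +0000] "GET /admin/export.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/Sep/2010:14:01:02 +0000] "POST /login HTTP/1.1" 302 0',
]

# Firefox history visit: PRTime = microseconds since the Unix epoch (constructed value).
FIREFOX_VISITS = [
    {"url": "http://intranet/wiki/ExportProcedure", "visit_date": 1285768860000000},
]

# File-system metadata: mtime as Unix epoch seconds (constructed value).
FILE_MTIMES = [
    {"path": "C:/Users/alice/Desktop/customers.csv", "mtime": 1285769100},
]

# Windows event log export: local wall-clock time plus an assumed UTC offset.
WIN_EVENTS = [
    {"event_id": 4624, "time": "2010-09-29 09:58:40", "tz_offset_hours": -4,
     "msg": "An account was successfully logged on"},
]

CLF_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")


class Event(NamedTuple):
    ts: datetime          # always timezone-aware and normalised to UTC
    source: str           # which artefact type the event came from
    description: str


def parse_apache(lines: List[str]) -> List[Event]:
    """Extract the bracketed CLF timestamp and the request line."""
    events = []
    for line in lines:
        m = CLF_TS.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
        request = line.split('"')[1]
        events.append(Event(ts.astimezone(timezone.utc), "apache", request))
    return events


def parse_firefox(visits) -> List[Event]:
    """Convert PRTime (microseconds) to an aware UTC datetime without float loss."""
    events = []
    for v in visits:
        secs, micros = divmod(v["visit_date"], 1_000_000)
        ts = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=micros)
        events.append(Event(ts, "firefox", f"visit {v['url']}"))
    return events


def parse_file_mtimes(records) -> List[Event]:
    """Epoch seconds are already UTC; just make them timezone-aware."""
    return [Event(datetime.fromtimestamp(r["mtime"], tz=timezone.utc),
                  "filesystem", f"modified {r['path']}") for r in records]


def parse_win_events(records) -> List[Event]:
    """Attach the recorded local offset, then convert to UTC before sorting."""
    events = []
    for r in records:
        local = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        local = local.replace(tzinfo=timezone(timedelta(hours=r["tz_offset_hours"])))
        events.append(Event(local.astimezone(timezone.utc), "winevt",
                            f"EventID {r['event_id']}: {r['msg']}"))
    return events


def build_timeline() -> List[Event]:
    """Merge every source into one chronologically ordered list."""
    events = (parse_apache(APACHE_LOG) + parse_firefox(FIREFOX_VISITS)
              + parse_file_mtimes(FILE_MTIMES) + parse_win_events(WIN_EVENTS))
    return sorted(events, key=lambda e: e.ts)  # all aware, so comparison is safe


def to_csv(events: List[Event]) -> List[str]:
    """Render as simple 'timestamp,source,description' lines for review."""
    return [f"{e.ts.isoformat()},{e.source},{e.description}" for e in events]


if __name__ == "__main__":
    for line in to_csv(build_timeline()):
        print(line)
```

The one step that matters most is the conversion of every source to an aware UTC datetime before sorting. Windows event logs, browser databases and file systems each keep time in their own representation and often in local time, and a merged timeline built from raw values silently interleaves events hours apart. With the constructed records above, the merged output shows a logon, a wiki visit on the export procedure, a web login, a request to the export page and finally the modification of a spreadsheet, an ordering that no single log file reveals on its own.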

When something goes wrong, an accurate timeline of events needs to be constructed in order to fully understand the causes and reasons. Using other open source tools with Log2timeline, an administrator is able to glean timestamps from a variety of typically ignored sources. With Log2timeline, hitherto unrecognized sources of timestamped information become viable data in a timeline. An accurate timeline can pinpoint the cause of the problem and help in the recovery of a system, or, in even more dire straits, help your legal team.

About the Author:
Taylor is a Staff Writer for WebProNews