This post details the steps on using log2timeline.exe in Windows to log all timings for files/event logs/registry activity on an image.
Linux commands are similar. Just swap .EXE with .PY, and the drive name with the folder in Linux.
You will also need to mount the image in Linux. If you’re using SIFT, refer to https://benleeyr.wordpress.com/2020/05/24/mounting-e01-in-sift/
There are some prerequisites to get or install, see links at the bottom for download URLs:
- Python
- FTK Imager
- log2timeline.exe and psort.exe
- Timeline Explorer
1) Mount image using FTK imager, let’s say on M:
2) Launch cmd or powershell with admin rights
3) cd to folder containing log2timeline.exe and psort.exe
4) log2timeline.exe plaso.dump M:
- plaso.dump is the output file
- M: is the mounted image
5) psort.exe -z Singapore -o l2tcsv -w output.csv plaso.dump
- -z to set the timezone
- -o to output to csv
- -w to set the output file
- output.csv is the output file
- plaso.dump is the input file
6) Load output.csv into Timeline Explorer
7) If your output.csv is too large for Timeline Explorer, you need to narrow down the time in psort.exe
8) psort.py -z Singapore -o l2tcsv -w output.csv plaso.dump “date > ‘YYYY-MM-DD 00:00:00’ AND date < ‘YYYY-MM-DD 23:59:59′”
- -z to set the timezone
- -o to output to csv
- -w to set the output file
- output.csv is the output file
- plaso.dump is the input file
- substitute YYYY-MM-DD with your preferred dates
- You can change the timing too according to HH:MM:SS
Get Python here [download the 2.7.xx version]:
https://www.python.org/downloads/windows/
Get FTK Imager Lite here:
http://marketing.accessdata.com/e/46432/ftkimagerlite3-1-1-download/3w1gdf/1200589364
Get log2timeline.exe and psort.exe here [look for latest release, not pre-release]:
https://github.com/log2timeline/plaso/releases
Get Timeline Explorer here:
https://ericzimmerman.github.io/#!index.md
Information gathered from the following sites:
Ben's IR Notes 