University of New Haven

Digital Commons @ New Haven

Electrical & Computer Engineering and Electrical & Computer Engineering and
Computer Science Faculty Publications Computer Science

3-2019

Timeline2GUI: A Log2Timeline CSV Parser and Training Scenarios

Mark Debinski
University of New Haven

Parvathy Mohan
University of New Haven

Frank Breitinger
University of New Haven, [email protected]

Follow this and additional works at: https://digitalcommons.newhaven.edu/

electricalcomputerengineering-facpubs

Part of the Computer Engineering Commons, Computer Sciences Commons, and the Electrical and
Computer Engineering Commons

Publisher Citation
Debinski, Mark, Frank Breitinger, and Parvathy Mohan. "Timeline2GUI: A Log2Timeline CSV parser and
training scenarios." Digital Investigation (2018). Volume 28, March 2019, Pages 34-43.

Comments
This is the authors' accepted version of the article published in Digital Investigation. The version of record can be
found at http://dx.doi.org/10.1016/j.diin.2018.12.004
 Timeline2GUI: A Log2Timeline CSV Parser and Training Scenarios

Mark Debinski, Frank Breitinger∗, Parvathy Mohan

Cyber Forensics Research and Education Group (UNHcFREG)
Tagliatela College of Engineering, ECECS
University of New Haven, 300 Boston Post Rd., West Haven CT, 06516

Abstract
Crimes involving digital evidence are getting more complex due to the increasing storage capacities and utilization of
devices. Event reconstruction (i.e., understanding the timeline) is an essential step for investigators to understand a case
where a prominent tool is Log2Timeline (a tool that creates super timelines which is a combination of several log files
and events throughout a system). While these timelines provide great evidence and help to understand a case, they are
complex and require tools as well as training scenarios. In this paper we present Timeline2GUI an easy-to-use python
implementation to analyze CSV log files create by Log2Timeline. Additionally, we present three training scenarios –
beginner, intermediate and advanced – to practice timeline analysis skills as well as familiarity with visualization tools.
Lastly, we provide a comprehensive overview of tools.
Keywords: Log2Timeline, timeline, timestamps, parser, Timeline2GUI, training cases.

1. Introduction convert the timeline (a.k.a. plaso storage file) into

Investigations become more complex due to amounts of
data, connectivity, complexity of systems and encryption
which causes backlogs in investigation bureaus (Quick &
Choo, 2014). As a consequence, examiners use event re-
construction a.k.a. super timeline analysis – an approach
that scans entire systems and combines all log file infor-
mation into a single, comprehensive timeline. While these
timelines are complex (may have millions of events), they
are also a great resource (Chabot et al., 2014) and hard
to manipulate, e.g., a single event like connecting a USB
device usually cause multiple log entries in various files
(Ieong, 2006).
One of the most prominent tools for super timeline cre-
ation is Log2Timeline which is an open source python im-
plementation (details are described in Sec. 2.2). Nowadays
it is also called plaso which is a rewrite of the predecessor
(Gudjonsson, 2010b; Metz, 2017).
Problem Statement. While Log2Timeline is a powerful
tool and can be helpful for investigations, there are cur-
rently major limitations:
1. There is no easy-to-use tool that beginners / investi-
gators can use to analyze a generated timeline. Ac-
cording to our research, a common procedure is to
a CSV file using the psort.py commandline tool and
then import the timeline into an Excel template al-
though there are more powerful tools. Details about
visualization tools are given in Sec. 2.4.
2. During our searches, we did not find free training ma-
terial that allows practitioners to learn and improve
their familiarity with Log2Timeline as well as visual-
ization tools. To the best of our knowledge, the most
utilized source is a Youtube video1 posted by SANS
titled SANS DFIR WebCast - Super Timeline Analy-
sis with over 11,000 views. To counteract, it requires
a set of well documented cases (log files + scenario
descriptions) that everyone can use.
Contribution. We developed Timeline2GUI a standalone
tool written in python (see Sec. 3) that supports the analy-
sis of the CSV timeline (output from Log2Timeline). The
tool is similar to the commonly utilized Excel sheet to
allow an easy transition for practitioners. Additionally,
three sample training cases (see Sec. 4) including solu-
tions were created and are discussed in this article. Lastly,
this article provides a thorough literature review of Digital
Forensics Timeline Analysis including Visualization tools.
2. Related work

∗ Corresponding author. In the following subsections we first briefly talk about

Email addresses: [email protected] (Mark Debinski), timeline analysis in general followed by a more detailed
[email protected] (Frank Breitinger),
[email protected] (Parvathy Mohan)
URL: http://www.unhcfreg.com/ (Mark Debinski), 1 https://www.youtube.com/watch?v=C4jNfXZ90fw (last accessed

http://www.FBreitinger.de (Frank Breitinger) 2018-12-05).

Preprint submitted to Digital Investigation December 26, 2018

description of Log2Timeline. Next, we will highlight other
timeline tools as well as visualization for timelines. The
last subsection summarizes some challenges of timeline
analysis.
2.1. Timeline analysis in general
According to Harrell (2011), “timeline analysis is great
to determine when something has occurred at a certain
time on a system.” Thus, “creating a timeline of the var-
ious events that occurred during an incident is one of the
key tasks performed by a digital forensic practitioner” (Es-
posito & Peterson, 2013). Chandrawanshi & Gupta (2013)
even go a step further and say “logs offer an endless well
of valuable information about systems, networks, and ap-
plications. Through logs, audit records, and alerts, infor-
mation systems often give signs that something is broken
(or ‘broken into’) or will be broken soon.”
From a general perspective, timeline analysis consists of
capturing system and network events and put them in or-
der where events can be anything from file creation, file
deletion, file modification, browser history, file transfers,
account logins, and much more. Some literature differ-
entiates between super, micro and nano / mini timeline
analysis, depending on the amount of logs / events ana-
lyzed. For instance, “there are times when you don’t want
(or need) a super timeline, but instead just want to focus
on one piece of available data, such as Event Log entries or
Registry key LastWrite times” (Carvey, 2011). According
to Carvey (2015), a micro timeline is created from either
limited data sources and parsing a single log file can be
considered as nano / mini timeline analysis. The bene-
fits of small timelines are the runtime efficiency (they are
fast to produce), less overwhelming and easier to analyze.
On the other hand, a super timeline usually captures all
system events2 . A detailed discussion about super time-
line analysis is provided by Esposito (2012) in the article
‘Analysis of Forensic Super Timelines’.
2.2. Log2Timeline & Plaso
Log2Timeline was first introduced by Gudjonsson
(2010b)3 and is a super timeline analysis tool written
in perl. In 2011, plaso was released as a rewrite of
Log2Timeline; plaso being the name of the backend and
Log2Timeline being the frontend. Wiedeman (2016)
wrote “plaso has evolved from a single Perl tool, called
Log2Timeline, to an ‘engine’ that amalgamates a number
of useful forensic processes to produce super timelines.”
Metz (2017) describes it as “a framework that supports
2 Note, capturing all system events is impossible as it requires
hundreds of thousands of different parsers, however, common super
timeline tools include parsers for major events / logs such as browser
history, file creation or system logs.
3 Actually, the first release of Log2Timeline was in 2009 as indi-
cated by the changelog: https://github.com/kiddinn/Log2Timelin
e/blob/master/CHANGELOG
2
adding new parsers or parsing plug-ins, adding new analy-
sis plug-ins, and writing one-off scripts to automate repeti-
tive tasks in computer forensic analysis or equivalent.” An
overview of the parsers is provided in Appendix A. By the
time writing this article, plaso / Log2Timeline is primar-
ily maintained by Joachim Metz and Daniel White (see
Github contribution history4 ) and can be used on MAC
OS, Windows, and Linux.
When Log2Timeline is executed, it creates a plaso stor-
age file (a container for the events / logs / timestamps)
which then can be further processed using tools included
into the plaso framework. The four major tools are:
Log2Timeline: As mentioned Log2Timeline is the fron-
tend. Gudjonsson (2015a) describes it as “a command
line tool to extract events from individual files, recurs-
ing a directory (e.g., mount point) or storage media
image or device. Log2Timeline creates a plaso storage
file which can be analyzed with the pinfo and psort
tools. The plaso storage file contains the extracted
events and various metadata about the collection pro-
cess alongside information collected from the source
data. It may also contain information about tags ap-
plied to events and reports from analysis plugins.”
pinfo: This is a command line tool providing the user with
information about what is stored in the plaso stor-
age file. For instance, it provides information gath-
ered during pre-processing, metadata on each storage
container, the parsers used, the amount of extracted
events or if there are tagged events. For more infor-
mation see Gudjonsson (2015b).
psort: Filtering and sorting the plaso storage file, e.g.,
looking for events that happened during a particular
timeframe, can be done using psort. Additionally, this
allows to convert the plaso file into more common file
formats such as CSV (Metz, 2015). A sample com-
mand to covert the plaso file into a CSV: psort.py
-o l2tcsv -w [CSV file] [Plaso file] A full list
of all output formats is provided in Appendix B.
• The CSV timeline stores 17 fixed fields as listed
in Table 1 (SANS Institutes (2011) cheatsheet).
image export: According to its Github page5 , “im-
age export is a command line tool to export file con-
tent from a storage media image or device based on
various filter criteria, such as extension names, filter
paths, file format signature identifiers, file creation
date and time ranges, etc.”
4 https://github.com/Log2Timeline/plaso (last accessed 2018-
12-05).
5 https://github.com/Log2Timeline/plaso/wiki/Using-image
_export (last accessed 2018-12-05).
 • The Coroner’s Toolkit (grave-robber, mactime)
Table 1: Fields in the CSV file created by psort.py.
Field Explanation • NFILabs Aftertime
date date of when the event occurred
• SIMILE Timeplot
time time of when the even occurred
timezone timezone that was used to call the tool with While we will not discuss these tools in detail, Carbone
MACB Modification, Access, Creation, and Birth & Bean (2011) “provided a short timeline capability for
source source short name such as registry entries are each tool listed [...to] better comprehend their timeline
REG generation capabilities.” Some more information about
sourcetype description of the source
timeline creation and analysis for different tools is also
provided by Chapin (2013).
type timestamp type such as last accessed or last
However, according to Eichelberger (2014), “each of
written
these tools has the capability to generate a timeline based
user what user name is associated with event if
on the information collected from a system. From the
any
above list, Log2Timeline provides the most diverse assort-
host what hostname is associated with entry is ment of artifact information collection currently available
there is one
using an automated straightforward implementation.”
short this contains a short description field where
text is stored 2.4. Visualization of timelines
desc this is where majority of the information that Timelines, especially super timelines, have a large num-
is parsed is stored
ber of events (hundreds of thousands or even millions)
version gives the version number of the timestamp which makes them “difficult to analyse and extremely
inode gives the inode number of the file being problematic to visualise in a manner that is useful” (Har-
parsed greaves & Patterson, 2012).
notes additional storage location for information The most native approaches to analyze the super time-
for some input modules line are commandline tools such as mactime from the
format input module which was used to parse Sleuthkit6 or grep. While these tools are powerful, they
extra parsed information that is joined together are not user friendly and require proficiency. Similarly,
and stored here. All these pieces of examiners may use common text processing tools such
information make up the super timeline that as Excel, Apples Numbers, Wordpad or any other editor
Log2Timeline creates. which may work for small timelines but is cumbersome
for complex ones. Note, a common procedure to ana-
lyze Log2Timeline CSV files is a modified Excel template
2.3. Timeline Creation and Analysis Tools sheet7 that highlights certain events (Weber, 2017).
Besides Log2Timeline, there are other tools available for Coming to general visual tools, one possibility is SIM-
timeline analysis (free and commercial). Carbone & Bean ILE Widgets Timeline8 which creates a horizontal timeline
(2011) “have compiled a representative list of digital foren- that displays logs based on the time they have occurred.
sic software tools and frameworks offering timeline gener- “While this seems like an ideal way to view Log2Timeline’s
ation capabilities in use today by forensic investigators” output, there were many cautions against using this tool
which include when there are more than 200 items as the SIMILE wid-
get loads and operates very slowly”9 (Esposito & Peterson,
• EnCase, FTK 2013). A similar tool, and thus also not favorable for large
timelines, is BeeDocs (Gudjonsson, 2010a) (which is only
• Log2Timeline available for Mac OS).
This last category are specialized tools; particularly
• The Sleuth Kit (ils, fls, mactime), PTK, Autopsy, Fi-
made for forensic timeline analysis, log file analysis or
walk
specifically for Log2Timeine. The most well-known ap-
• Ex-Tip proach might be the ELK stack (Elasticsearch, Logstash

• NTI FileList Pro 6 http://wiki.sleuthkit.org/index.php?title=Mactime (last

accessed 2018-12-05).
• Zeitline (Buchholz & Falk, 2005) 7 https://github.com/riodw/Log2Timeline-TIMELINE_COLOR_TE

MPLATE (last accessed 2018-12-05).

• AnalyzeMFT.py 8 http://www.simile-widgets.org/timeline/ (last accessed
2018-12-05).
• Mac-robber 9 While the original version around 2010 supported the SIMILE

widget, the output format was removed from psort.py (Gudjonsson,

• DFF (Digital Forensic Framework) 2010a).

3
& Kibana). While Log2Timeline supports exporting it to
an Elasticsearch database and there are several tutorials
online, we could only find a few usability reports. Walter
(2016) mentions that he has “been pleasantly surprised at
how easy it is to access timeline data, as well as perform
searches using these tools.” However, he misses “about
the Excel process is the highlighting that visually called
attention to items of interest.” Furthermore, it also re-
quired some time to set up the complete system as well
as needed some practice. The second tool is CyberForen-
sics TimeLab (CFTL10 ) by Olsson & Boldt (2009) which
shows a promising GUI however it does not seem to be
maintained anymore - the last Github upload was over 6
years ago. On the other hand, it requires an XML file
which is not supported by Log2Timeline anymore.
Timesketch is the third visualization possibility for
Log2Timeline which is “an open source tool [... that was]
designed to make collaboration, sharing and search easy as
well as quickly correlate disparate events” and is mainly
developed by Berggren et al. (2018) (most Github contri-
butions).
Given that there is only limited information about the
tool, the following assessment is based on our experiences
using it. According to Timesketch’s Github page, it of-
fers three different types of installation: Install Times-
ketch manually, using docker or using Vagrant. The first
attempt to use Timesketch on Windows 10 was trouble-
some as there are only instructions for Linux. The next
option was to use Vagrant where we identified some com-
plications when being used on Windows. The last option
did not work as well since Docker only works on Windows
10 Pro Operating Systems. After switching to Mac OS,
the Vagrant installation method worked smoothly. The
installation process was simple as instructions were pro-
vided but it was time consuming.
Once installed, Timesketch has various features such as
filters (e.g., set any time range they want to view) or charts
(e.g., user has a option to see a heatmap or a histogram).
Both options allow the user to see the timeline from differ-
ent angels. In addition, Timesketch allows users to ‘star’
(similar to a e-mail flag) any logs which indicates a higher
importance. Logs in Timesketch are also similarly high-
lighted like those in Timeline2GUI. While using TimeS-
ketch, it was noticed that loading large CSV files took a
long time for the program to process.
To sum it up: while the GUI is very similar to Time-
line2GUI, Timesketch has more functionality but the in-
stallation is more complex and performance seems slower
for large timelines.
Lastly, there is Evidence Fetcher (efetch) a web-based
file explorer, viewer, and analyzer for timelines created by
Maurer (2016). Similar to CFTL, it looks like a promising
environment but seems not maintained as there was only
few commits since October 2016.
10 https://github.com/jensolsson/CFTL
05).
To summarize: there are several tools for timeline anal-
ysis however several are outdated / not maintained any-
more. The two most promising approaches are Timesketch
and ELK Stack which come with a lot of functionality but
also require configuration; they are not as straightforward
to use as Timeline2GUI.
2.5. Challenges of Timeline analysis
There are several challenges of timeline analysis mainly
discussed by Hargreaves & Patterson (2012) and Chabot
et al. (2015). Both articles stress that it is difficult to
analyze the large number of events (e.g., can be several
million ‘low-level’ events) and problematic / important to
visualize the information.
To support investigators, Hargreaves & Patterson (2012)
“propose a technique that can automatically reconstruct
high-level events (e.g. connection of a USB stick) from
this set of low-level events.” While their evaluation shows
promising results and reduces the complexity / informa-
tion overload of super timelines, the Python Digital Foren-
sic Timeline (PyDFT) utilizes its own parser framework
to extract events which replicates much of Log2Timeline.
Thus, it is irrelevant for individuals using Log2Timeline.
Chabot et al. (2015) identified three major problems
(volume, heterogeneity, and legal requirements) with event
reconstruction and present seven necessary criteria (ad-
dressing the problems) that an efficient reconstruction tool
must meet. With respect to volume, the authors argue
that “many tools do not offer an intuitive interface but
only a query tool that appears to be a powerful but com-
plex and tedious way to access the information. This is
the case of approaches using databases and providing a
SQL query interface which is efficient but not intuitive for
an untrained user.” In detail, they propose the following
three requirements:
1. Automation to reconstruct and analyze timelines and
certain tasks that become too complex to be carried
manually.
2. Visualization tools that highlight relevant informa-
tion; guide investigators to interpret, analyze and
draw conclusions.
3. Efficient browsing of the data in a clear and intuitive
way.
With respect to heterogeneity, the authors stress that
information is spread throughout systems and it is impor-
tant to consider a broad variety of different sources. For
legal requirements, “the challenge is to ensure that the re-
sults are admissible in a court of law.” Note, given that
Timeline2GUI is only a visual frontend, the requirements
proposed for heterogeneity and legal requirements are less
relevant.
Based on their identified criteria, they present a three-
layered ontology, called ORD2I including several scripts
to support investigators. However, their implementations
(last accessed 2018-12- suffer performance issues: it takes about 3h to process
20,000 entries (which is a very small timeline).
4
3. Timeline2GUI Tool
Timeline2GUI is a graphical frontend that can read
CSV files generated by Log2Timeline and supports their
analysis. The goal was to make the parsing (reading) of
the log files straightforward for the end user. The GUI
is kept simple and is based on the Excel sheet which
is widely used11 . A screenshot can be found in Fig-
ure 1. Timeline2GUI can be download from Github:
https://github.com/parvathycec/Timeline2GUI.
With respect to the previously mentioned requirements,
Timeline2GUI highlights relevant information which can
also be easily changed by a user (details see Sec. 3.1). For
efficient browsing, we implemented two views (see Fig. 1) .
Reduced view is a summary of major events, i.e., it shows
all highlighted events; detailed view shows the full time-
line. To switch from reduced to detailed view, one can
use the index column. Our tool currently does not have
any automation to keep it simple but more importantly
performant.
3.1. Functionality
Timeline2GUI Version 1.0 allows loading a CSV file
by clicking the ‘Select CSV File’ button. Next, the ap-
plications allows the user to filter the logs before actu-
ally loading them where filtering requires a date range
(in the format YYYY-MM-DD HH:MM:SS), e.g., date
> ‘2017-03-16’ and date < ‘2017-03-17’. Option-
ally, one can add a time to make it even more pre-
cise, e.g., date > ‘2017-03-16 12:34:56’ and date <
‘2017-03-17 10:10:10’. Once loaded, Timeline2GUI
has an easy-to-use search functionality to look for a spe-
cific keywords which can be accessed by clicking the search
button. Filtering or searching will only change the view
but not delete / modify the loaded CSV file. Thus, a user
can always revert to the complete timeline by pressing the
load data button.
To support investigations, Timeline2GUI highlights log
entries which could be relevant and thus makes skimming
the timeline easier. Specifically the following highlighting
is done where the logic is copied from the Excel template:
Green indicates that a file may have been opened or cre-
ated.
Yellow shows that the event is related to web activity.
Blue indicates that an external device (e.g., USB stick)
has been mounted / interacted with the system.
Red means some sort of execution was done on the system
like a application was started.
Magenta highlighting indicates files that have been
deleted.
11 https://github.com/riodw/Log2Timeline-TIMELINE_COLOR_TE
MPLATE (last accessed 2018-12-05).
5
Grey highlights indicate logs like for example firewall
logs.
Note, color settings are stored in a configuration file and
can be changed (details are in the next section). After the
desired results are found, our tool can store the filtered
logs into a new CSV file.
3.2. Implementation
Timeline2GUI is written in Python 3.6 and utilizes 3
major libraries: (1) Tkinter, (2) Pandas, and (3) Pan-
dastable (developer version12 ). The data from the CSV file
is imported to a Pandas DataFrame. Pandas DataFrame
is an efficient data structure to store data from a spread-
sheet and provides powerful data operations like filtering
or searching. The pandastable library provides a table
widget for Tkinter with plotting and data manipulation
functionality. It uses pandas’ DataFrame class to store ta-
ble data. Hence, we have used this combination of libraries
to display and manipulate data from CSV files. The oper-
ations performed by the tool are as follows:
1. Filter the data based on column values: If a query is
given in the filter value text field, only the rows of the
CSV file which satisfies the query will be displayed.
The DataFrame.query(query) function is used to filter
the data. Query supports operators like >, <, == etc.
2. Sort column values: This feature allows the user to
double click on the column header to sort the column
values in ascending/descending. This feature was in-
tegrated with pandastable table widget.
3. Free text search: This feature allows a user to search
for a string anywhere in the CSV data. Pandas
DataFrame provides a ‘contains’ function to check if
the given string is in any of the column / row.
4. Highlight rows in the table widget: The user can
configure automatic highlighting in highlights.txt
which helps finding certain events faster. The file ac-
cepts one setting / entry per line, e.g.,
*=CONTAINS=USB=#1E00FF
short=ENDS=.lnk=#92D051
where each entry consists of four parts separated by
the equal sign (=). The first part is the column name
which can be one particular column (e.g., short) or *
which indicates any column. The second parameter
is the comparison operator which can be STARTS,
ENDS, EQUALS or CONTAINS (indicating how the
string will be searched). Third is the keyword we are
looking for which can contain spaces or other spe-
cial characters except the equal sign. The last option
is the color code. Consequently, the two lines above
mean:
12 http://pandastable.readthedocs.io/en/latest/ (last ac-
cessed 2018-12-05).
Figure 1: Screenshot of our Timeline2GUI application with a CSV loaded. The image in the background shows the reduced view and the
image in the foreground shows the detailed view. The index column in the reduced view and be used to find the corresponding section in the
detailed view.
• Highlight any row in blue (hex code #1E00FF)
that contains the string ‘USB’.
• Highlight any row in green (hex code #92D051)
where the string in the short-column ends with
‘.lnk’.
Note, keywords are case insensitive. To highlight
multiple keywords with the same color, one may
add another entry with the same color code, e.g.,
*=CONTAINS=SanDisk=#1E00FF.
5. Save the displayed data to a CSV file: Pandas
DataFrame contains a method to csv(filename, index,
encoding) to save the current displayed information to
a CSV file.
self.current_data.to_csv(filename,
index=False, encoding=‘utf-8’);
3.3. Testing
Given that Timeline2GUI only changes the representa-
tion of the timeline (from CSV to Python/Pandas), testing
was primarily accomplished by using the tool for solving
the training cases. Specifically, we focused on making sure
that query filtering was working properly and that the dis-
played information was correct.
4. Sample Training Cases
In total, three cases were developed which rank
from beginner over intermediate to advanced. The
6
timelines in CSV format can be downloaded from
https://www.fbreitinger.de/wp-content/uploads
/2018/08/Timeline2GUI_training_cases.zip.
For each scenario, we have brief background stories
which describe the scenario and can be passed to a user
/ student / practitioner; these will set the expectations
/ baseline. Next, we describe the setup, i.e., some more
technical details on how the scenario was created. Lastly,
we present the solution for each case using Timeline2GUI
(detailed view). Before presenting the details about the
training cases, we summarize our overall apparatus.
Note, the CSV timelines are independent from Time-
line2GUI and can be used with any other tool capable of
parsing Log2Timeline CSV files.
4.1. Training cases setup
To create super timelines for the training cases,
Log2Timeline was installed on MAC OSX and multiple
virtual machines (VirtualBox) running Microsoft Win-
dows 7 were created. Each VM was then prepared as
discussed in the corresponding subsections (see 4.2.2, 4.3.2
and 4.4.2). After creating the cases, we extracted the time-
lines running the following command: Log2Timeline.py
scenario1.plaso scenario.vhd which creates a plaso
file named ‘scenario1.plaso’ from the virtual hard disk
(vhd). In a final step, we executed psort to con-
vert the plaso file into the CSV format. The com-
mand used was psort.py -o l2tcsv -w scenario1.csv
scenario.plaso. The procedure was repeated for all
three cases.
For the second scenario, we additionally created logs
for a USB device which is part of the case. There-
fore, we first mirrored the USB device using sudo dd
if=/dev/disk2 of=/Users/Desktop/USBDrive.dd and
then proceeded as before running (Log2Timeline.py
USBDrive.plaso USBDrive.dd) followed by psort.py -o
l2tcsv -w usb2sen.csv USBDrive.plaso.
4.2. Case I - Beginner
The beginner case simulates a computer crime that oc-
curred to an office employee. The following three subsec-
tions include the case description, the setup and lastly the
solution, respectively.
4.2.1. Case description
Hannah, an employee for a midsize company, received an
email from the IT-Administrator containing a password in
an attached word file. Hannah downloaded the file called
‘password.rtf’ from her Gmail account and stored it into
a folder called ‘secret’ on the desktop (directory). After
downloading and storing the file, Hannah continued brows-
ing on the Internet before she walked away from her work-
station to answer a phone call on her cellphone.
A few days later Hannah believes someone stole the
password that was given to her in the email because she
received a notification of a login attempt. Hannah told the
IT department that she believes the file was stolen from
her computer while she was on the phone. The phone logs
indicate that the call was on 2018-02-29 at 21:10:00 and
only lasted for 5 minutes. Hannah is unsure if she locked
the computer when she left it. Can you help to figure out
what happened?
4.2.2. Setup
The scenario was created within a 1 - 2 hour span on
the virtual machine. Google Chrome was downloaded and
set up so Gmail can be accessed in order to download the
password file. Specific directories were set up throughout
the virtual machine that were used to store files. A USB
drive was utilized to copy the secret folder from the com-
puter (the USB device / timeline is not available).
4.2.3. Solution
To solve the scenario, Timeline2GUI was used to parse
and search the log files. The key elements from the descrip-
tion are: date and time, password.rtf and secret folder.
Note: we provide the line numbers where a particular
event was found. Although they should be identical if you
follow our solution, there might be minor changes.
1. In the filter columns bar the query (date > ‘2018-03-
29 21:00:00’ and date < ‘2018-03-29 21:15:00’) was
entered to reduce the timeline to the relevant time
frame. We used a longer time frame (15 min) in case
the device time was not synchronized.
7
2. Next, we utilized the search bar text field to look
for ‘secret’ (this allows us to get closer to the actual
event).
3. Under the refreshed results log number 0 shows that
the ‘secret’ folder was created at 21:02:12.
4. Log number 13 shows content modification because
the file ‘password.rtf’ was created in the ‘secret’ folder
at 21:03:46.
5. Log number 31 shows that the ‘secret’ folder was ac-
cessed at 21:05:04 which is highlighted in green (this
flow coincides with Hannah’s description).
6. Due to the ‘secret’ folder being last accessed at
21:05:04, changing the query (filter column) to (date
> ‘2018-03-29 21:05:00’ and date < ‘2018-03-29
21:15:00’) will eliminate older logs.
7. Next, we continued scrolling until we found lines high-
lighted in yellow indicating browser / Internet activity
(around line 2575 at 21:08:55). This is when Han-
nah walked away from the computer to answer the
call (update filter to date > ‘2018-03-29 21:08:55’ and
date < ‘2018-03-29 21:15:00’).
We now know the exact time and can focus on what hap-
pened which is the more challenging part. Timeline2GUI
is set up to color events automatically, e.g., web activity,
prefetch files, etc. While our solutions are based on the
detailed view, we advice to start with the reduced view
and focus on those events.
8. Scrolling down further reveals a line marked blue (line
255) which means USB activity. Specifically, a San-
Disk USB drive was plugged in at 21:10:14.
9. Line 397 is marked red which shows a WinPrefetch13
log at 21:10:31. This indicates that WUDFHOST.exe
was executed on the system. WUDFHOST.exe is a
process used by windows to load drivers and to com-
municate with hardware devices14 .
10. Line 447 indicates another WinPrefetch log that oc-
curs at 21:10:41 (marked red) which points to EX-
PLORER.EXE. Usually EXPLORER.EXE is exe-
cuted from the GUI when a user opens or writes to
drives and folders15 .
11. At 21:14:31 there is the next Google Chrome activity
which is an indicator that Hannah returned to her
device.
To summarize the results: it looks like Hannah did not
lock her device after she left her PC and someone plugged
in a USB dongle (SanDisk) and performed some actions.
Although there is no clear indication in the log files that
the secret folder / file was copied onto the USB (this would
13 According to McQuaid (2014), Windows operating systems cre-
ate prefetch files when applications are executed on the system.
14 http://www.processlibrary.com/en/directory/files/wudfho
st/78364/ (last accessed 2018-12-05).
15 http://www.processlibrary.com/en/directory/files/explor
er/24746/ (last accessed 2018-12-05).
be found only on the USB device), someone clearly ac-
cessed the device while she was on the phone. Thus, mak-
ing the assumption that the folder / file was stolen is com-
pelling.
4.3. Case II - Intermediate
The intermediate scenario is a case where illegal files
have been downloaded.
4.3.1. Case description
Bob is a suspect to police for downloading illegal files
from ‘DropBox’. Police apprehended a warrant and ex-
ecuted it on 2018/04/06 to seize any electronic devices
in his house. Authorities collected multiple devices that
belonged to Bob to find evidence that was downloaded.
Investigators examined all the devices collected and nar-
rowed it down to a computer and a USB drive. The com-
puter did not contain any downloaded files; the USB drive
has a file named secrets file which cannot be accessed /
opened. Investigators believe that it is encrypted because
VeraCrypt was found on the device. Note: Police records
indicate that the files were downloaded on 2018/04/05.
4.3.2. Setup
The scenario was created within a 2 day span on the
virtual machine. We accessed the DropBox website and
downloaded content using direct links. Additionally, we in-
stalled VeraCrypt on the system and created an encrypted
container which contains the downloaded files. A USB
drive was utilized to store the encrypted container (moved
from the PC to the USB device).
4.3.3. Solution
The information used to solve this case was from the
police reported which provides details on what to analyze
(e.g., the existence of the secret files).
1. Given the information from the case description, we
used the following filter (date > ‘2018-04-05 00:00:00’
and date < ‘2018-04-06 23:59:59’) to narrow down re-
sults. Subsequently, we searched for ‘dropbox’.
2. The refreshed logs reveal ‘Classified.rtf’, ‘TopSe-
cret.rtf’, and ‘EvidenceTopSecret.png’ in lines 232,
240, 260, respectively, which were downloaded be-
tween 23:04:28 and 23:07:04 on 2018-04-05. The logs
are highlighted in yellow (webhist) which was how we
identified them.
3. Knowing the time range and file names, we re-
moved the ‘dropbox’ filter (which brings us back to
(date > ‘2018-04-05 00:00:00’ and date < ‘2018-04-06
23:59:59’)) and then searched for ‘download’.
4. Lines 147 to 154 (yellow) show that VeraCrypt was
downloaded at 14:18:48 on 2018-04-05.
5. In a next step we narrowed down the time range to
(date > ‘2018-04-05 23:07:05’ and date < ‘2018-04-
06 23:59:59’) which hides all activities that occurred
8
prior to downloading ‘EvidenceTopSecret.png’ (com-
pare item 2). The yellow line 3053 at 22:18:35 then
revealed that Bob had visited a website that gives the
user a beginners tutorial on how to use VeraCrypt.
This coincides with the investigator’s assumption that
VeraCrypt may have been used.
6. Next, we set (date > ‘2018-04-06 22:18:36’ and date
< ‘2018-04-06 23:59:59’) to focus on the time after
the VeraCrypt tutorial was searched. The red line
1075 shows that VERACRYPT FORMAT.EXE was
executed.
7. Going down a bit further to line 1161 shows that a se-
cret files was created (note the log entry can be both
file or folder creation). Explanation: The ‘short’ col-
umn of the log states USB REASON FILE CREATE
which means that a file or directory was created for
the first time16 .
8. About 200 entries later, line 1361 indicates
that secret files has been overwritten and the
file’s basic information was changed. According
to Microsoft16 , USN REASON DATA OVERWRITE
means that data has been changed in the file / di-
rectory and USN REASON BASIC INFO CHANGE
means that a user may have changed the file / direc-
tory attributes or timestamps.
9. Subsequently, logs 1372 to 1380 show that
the downloaded files TopSecret.rtf, Classi-
fied.rtf, and EvidenceTopSecret.png had secu-
rity changes. Explanation: The logs showed
USN REASON SECURITY CHANGE which means
that access permissions have been changed to the file
or directory16 .
10. Logs 1383, 1385, and 1386 which occur at
23:20:51 on 2018-04-06 show that the three
files were deleted from the system (logs show
USN REASON FILE DELETE16 ).
Summarizing all the logs / events, one may assume that
the suspect created a container using VeraCrypt named
secret files and copied the files into it. Afterwards, the
suspect deleted the files off the device.
11. The blue log 1430 (22:36:09 on 2018-04-06) shows
the first indication that a USB Drive was plugged in
the computer followed by some WinPrefetch activity
in log 1448 at 22:36:25 (red) which shows that EX-
PLORER.EXE was executed (e.g, to allow Bob to ac-
cess the files on the USB device). Next, log 1455 shows
another WinPrefetch log loading WUDFHOST.exe
(recall: this is the process to load drivers and com-
municate with hardware devices).
12. Continuing searching for evidence, we can see the red
log 1531 which states that VeraCrypt was executed
again on the system at 22:37:14.
16 https://docs.microsoft.com/de-de/windows/desktop/api/
winioctl/ns-winioctl-read_usn_journal_data_v0 (last accessed
2018-12-05).
13. The USN REASON BASIC INFO CHANGE value
is shown for the secret files container in log 1549
(22:37:19). This means that there is some type of
activity with the file shortly after VeraCrypt was ex-
ecuted. Logs 1665 and 1666 indicate that something
was deleted shortly after the secret files folder was
being modified (one can only see that something was
deleted but there is no proof that it was the files down-
loaded).
The final step is to load the usb2sen.csv into Timeline2GUI
which is the log file for the USB Drive. Due to small
timeline, no filter is required.
14. Log 40 at 22:37:33 shows that the secret files was cre-
ated on the USB.
In summary, the logs support the assumption that Vera-
Crypt was executed and ‘secret files’ was created. Fur-
thermore, we saw that security changes were made to all
downloaded files before they were deleted. Next, a USB
Drive was connected where the USB logs showed that se-
crets files was created around the same time. Once the file
was moved to the USB, the secrets file was deleted from
the system. To conclude, there is a high chance that the
files are located in the secrets files container on the USB
dongle. However, in order to be 100% certain, one would
have to open the encrypted container or see if the files can
be recovered (e.g., file carving).
4.4. Case III - Advanced
The advanced scenario is a case where a suspect’s com-
puter is seized, and then evidence is found that the suspect
was stealing credit card information but the suspect claims
s/he innocent.
4.4.1. Case description
Alice received a phone call from a person trying to steal
her credit card information. Fortunately she was prepared
and did not fall for the scam but contacted the police and
provided the phone number that called her. The police
tracked down the cellphone owner to be a person by the
name Fred who was arrested on April 19th. Fred claims
that he did not steal credit card information nor wanted
he to sell them on the dark web. To the contrary, he claims
that it was the previous owner from whom he purchased
the computer and phone on April 4th. While seizing the
computer, the machine was still running and the officers
noticed that a TOR browser was open and that ‘setMACE’
was downloaded successfully.
4.4.2. Setup
The scenario was created over a 4 day span and is 34 GB
in total (compared to the previous 8 GB images). Our
intention was to create a more realistic and comprehen-
sive case. Avast Internet Security was installed and secu-
rity scans were executed periodically once a day (increased
9
number of log entries). Additionally, TOR was installed
for accessing the dark web as well as Google Chrome for
regular browsing. Lastly, setMACE, which is an anti-
forensic tool that allows to tamper with timestamps, was
installed but never executed17 . Several files and directories
were set up throughout the virtual machine.
4.4.3. Solution
Based on the case description, we know that the Fred
is accused of credit card fraud / scam and that the police
arrested the suspect on April 19, 2018. Given that our
initial filter will look at a wide range of events: (date >
‘2018-01-01 00:00:00’ and date < ‘2018-04-20 23:59:59’).
1. We started by searching terms like scam, credit and
fraud which revealed several entries. Logs 0 to 2 in-
dicate that a ‘credit card info’ file was created on
the system at 14:31:00 on 2018-04-05 (lines are high-
lighted).
2. Having a better idea about the timeframe, we ad-
justed the filter to (date > ‘2018-04-05 14:20:00’ and
date < ‘2018-04-20 23:59:59’). The aforementioned
creation of the file can now be found in logs 2389 and
2390.
3. While scrolling, two more green lines caught our at-
tention: ‘phone numbers.rtf’ in line 2405 at 14:33:16
on 2018-04-05 followed by ‘Call Instructions’ (line
2671 at 14:36:16). Note, the files are included and
can be analyzed as well.
4. Next, we looked for modifications of the files. There-
fore, re-searching ‘credit’ revealed several logs ranging
from 2018-04-06 to 2018-04-19 which indicate that the
credit card info file was modified (e.g., maybe cause
of adding new credit card details). The logs are high-
lighted in yellow and green.
Having a look at these 3 files (provided in the sce-
nario.zip file) reveal that ‘phone numbers.rtf’ contains a
list of phone numbers which was utilized by the ‘Call In-
structions’ pseudo script to call the individuals. If success-
ful, the data was stored in ‘credit card info’.
Given that the logs prove that the files had been created
after April 4th (the date the machine was purchased), it
is unlikely that the previous owner was involved. Moving
forward, the investigator can focus on the question if the
suspect attempted to sell the information (charge him with
attempting to sell stolen property).
6. To analyze web activity, we filtered for (source
== ‘WEBHIST’) which returns what the user had
searched / visited on the Internet.
7. One will find setMACE in log 4832 (on 2018-04-12
at 23:00:23; highlighted yellow) and a hint for TOR
17 While there were several attempts to execute it, it never actually
run.
 browser in log 5013 (on 2018-04-19 at 23:04:10; high-
lighted yellow)18 .
8. We then went back to the complete range (date
> ‘2018-04-05 14:20:00’ and date < ‘2018-04-20
23:59:59’) and searched for ‘setMACE’.
9. Log 36 to 54 (on 2018-04-10 at approximately 14:34)
show that setMACE was downloaded onto the com-
puter.
10. Continuing scrolling, logs 300 and 338 allows to con-
clude that setMACE was executed on the system.
Both of execution happened on 2018-04-19 (high-
lighted in red).
11. As a next step we focused on TOR since the browser
was active when seizing the machine. Therefore, we
searched for TOR and TorProject which led us to
2018-04-19 at 23:04:32 – TOR was downloaded.
12. Focusing on the final 2 days before the device was
seized, the results revealed that Fred searched for how
to access the dark web on 2018-04-19 at 23:03:24.
A few seconds later (23:03:55) we can see that he
searched for how to sell information online.
13. There were no identifiers / logs that the user actu-
ally accessed the dark web or sold information but he
certainly informed himself.
14. Lastly, we had a second look at setMACE again where
we focused on the last day. Under the refined results,
logs 17, 23, 37, 42, 50, 55, 69, 82, 87, 98, 106, 114, and
multiple more logs indicated that setMACE failed to
run on the system. This is an indicator that setMACE
was not executed correctly on the system by the user
and it is likely that nothing was manipulated.
15. The save CSV button was pressed and all the logs for
2018-04-19 were saved because it was within that time
frame where the majority of the actions happen.
To conclude this scenario: Some evidence was found on
the device (e.g, telephone numbers, credit card numbers
as well as a script for calling individuals) indicating that
the machine was used for illegal activities. All logs imply
that the activities happened after April 4th (the date the
machine was purchased). Even though a timestamp ma-
nipulation tool (setMACE) was found, the timeline seems
unaltered and does not contain any outliers. The existence
of TOR and the search history show an intent to sell in-
formation but there is no evidence that it was sold or for
accessing the dark web.
5. Conclusion and future work
Reading / parsing CSV files is straightforward and sev-
eral tools exist (e.g,. Excel, Apples Numbers). However,
research stresses the importance of dedicated tools that
support investigators to do fast filtering and allow efficient
18 Note, we scrolled through and looked at it line by line but espe-
cially for highlighted lines.
10
browsing (e.g., highlighting improves the user experience
and eventually accelerate the process).
This worked presented an easy-to-use parser for CSV
timelines (created with Log2Timeline) named Time-
line2GUI as well as three training cases – beginner, in-
termediate and advanced – including detailed descriptions
of the setup and solutions. The layout and highlighting
capabilities of Timeline2GUI are based on the well-known
Excel sheet. However, our tool comes with two views (re-
duced view and detailed view), an enhanced filtering mech-
anism and is more straightforward to use. Additionally,
our python tool is open-source and thus can be extended.
We developed three training cases that are freely avail-
able, independent from our implementation and can be
used to improve investigator’s timeline analysis skills by
either using Timeline2GUI, the Excel sheet or any other
tool. Our scenarios range from from 8 GB to 34 GB which
can be seen rather small compared to the real world sce-
narios. The timelines (logs) are available for download (see
Sec. 4); one possible solution path per case was provided
in this article.
As indicated by our solutions, highlighting certain
events (e.g., file creating, web history or prefetch files) cer-
tainly helps to find interesting / relevant events. However,
in order to understand the complete case, an investigator
also has to be familiar with computer / operating system
events and may still have to look at x-thousand logs to find
a clue. For instance, it is important to be familiar with
system events, e.g., what are the implications if a prefetch
log event occurs or if WUDFHOST.exe is run. In case of
beginners, it may be helpful to create a cheat sheet that
contains the log event and a brief explanation on its impli-
cation. Overall, reviewing the 3rd scenario took about 4-5
hours using Timeline2GUI (although we created the case).
It would have taken longer when looking at the plain text
using a regular text editor.
Timeline analysis is a powerful technique to understand
what happened to a system or device. However, it is not
trivial and can be very time consuming. In the future,
we want to further improve Timeline2GUI to hopefully
speed up the process, e.g., by removing irrelevant events,
or combining events. In a first step, we will explore if we
can use techniques from approximate matching combine
similar events (Breitinger et al., 2014).
References
Berggren et al. (2018). Timesketch. https://github.com/google/
timesketch.
Breitinger, F., Guttman, B., McCarrin, M., Roussev, V., & White,
D. (2014). Approximate matching: definition and terminology.
NIST Special Publication, 800 , 168.
Buchholz, F. P., & Falk, C. (2005). Design and implementation of
zeitline: a forensic timeline editor. In DFRWS .
Carbone, R., & Bean, C. (2011). Generating Computer Foren-
sic Super Timelines under Linux: A Comprehensive Guide for
Windows-based Disk Images. Technical Report Defence Research
and Defence Canada-Valcartier Quebec, Quebec.
Carvey, H. (2011). Howto: Creating mini-timelines. https://wind Appendix A. Log2Timeline parsers
owsir.blogspot.com/2011/09/creating-mini-timelines.html.
Carvey, H. (2015). Micro & mini-timelines. https://windowsir.bl
ogspot.com/2015/04/micro-mini-timelines.html.
Chabot, Y., Bertaux, A., Nicolle, C., & Kechadi, M.-T. (2014). A Below is a list of all available Log2Timeline /
complete formalized knowledge representation model for advanced plaso parsers which we received by running the
digital forensics timeline analysis. Digital Investigation, 11 , S95– log2timeline.py --help in the Terminal.
S105.
Chabot, Y., Bertaux, A., Nicolle, C., & Kechadi, T. (2015). An
ontology-based approach for the reconstruction and analysis of ***************************** Parsers *****************************
digital incidents timelines. Digital Investigation, 15 , 83–100. Name : Description
Chandrawanshi, R., & Gupta, H. (2013). A survey: Server time- -------------------------------------------------------------------
line analysis for web forensics. International Journal of Scientific amcache : Parser for Amcache Registry entries.
Research Engineering and Technology (IJSRET), 1 , 017–021. android_app_usage : Parser for Android usage-history.xml files.
asl_log : Parser for ASL log files.
Chapin, B. (2013). Timeline Creation and Analysis Guides. Tech- bash : Parser for Bash history files
nical Report Senator Patrick Leahy Center for Digital Investiga- bencode : Parser for bencoded files.
tion (LCDI). https://www.champlain.edu/Documents/LCDI/Tim binary_cookies : Parser for Safari Binary Cookie files.
eline_Creation_and_Analysis_Guides.pdf. bsm_log : Parser for BSM log files.
Eichelberger, F. (2014). Automation of report and timeline-file based chrome_cache : Parser for Chrome Cache files.
chrome_preferences : Parser for Chrome Preferences files.
file and url analysis. Interested in learning more about cyber se- cups_ipp : Parser for CUPS IPP files.
curity training? SANS Institute InfoSec Reading Room, . custom_destinations : Parser for *.customDestinations-ms files.
Esposito, S., & Peterson, G. (2013). Creating super timelines in win- dockerjson : Parser for JSON Docker files.
dows investigations. In IFIP International Conference on Digital dpkg : Parser for Debian dpkg.log files.
Forensics (pp. 135–144). Springer. esedb : Parser for Extensible Storage Engine (ESE)
database files.
Esposito, S. J. (2012). Analysis of forensic super timelines. Technical
filestat : Parser for file system stat information.
Report Air Force Inst Of Tech Wright-Patterson AFB OH School firefox_cache : Parser for Firefox Cache version 1 files
Of Engineering And Management. (Firefox 31 or earlier).
Gudjonsson, K. (2010a). Mastering the super timeline - log2timline firefox_cache2 : Parser for Firefox Cache version 2 files
style. https://digital-forensics.sans.org/summit-archives/ (Firefox 32 or later).
2010/eu-digital-forensics-incident-response-summit-krist fsevents : Parser for fseventsd files.
java_idx : Parser for Java WebStart Cache IDX files.
inn-gudjonsson-mastering-the-super-timeline.pdf. lnk : Parser for Windows Shortcut (LNK) files.
Gudjonsson, K. (2010b). Mastering the super timeline with mac_appfirewall_log : Parser for appfirewall.log files.
log2timeline. Technical Report. https://www.sans.org/summit-a mac_keychain : Parser for MacOS Keychain files.
rchives/file/summit-archive-1493923574.pdf. mac_securityd : Parser for MacOS securityd log files.
Gudjonsson, K. (2015a). Using log2timeline. https://github.com/l mactime : Parser for SleuthKit version 3 bodyfiles.
macwifi : Parser for MacOS wifi.log files.
og2timeline/plaso/wiki/Using-log2timeline. mcafee_protection : Parser for McAfee AV Access Protection log
Gudjonsson, K. (2015b). Using pinfo. https://github.com/log2tim files.
eline/plaso/wiki/Using-pinfo. mft : Parser for NTFS $MFT metadata files.
Hargreaves, C., & Patterson, J. (2012). An automated timeline re- msiecf : Parser for MSIE Cache Files (MSIECF) also
construction approach for digital forensic investigations. Digital known as index.dat.
olecf : Parser for OLE Compound Files (OLECF).
Investigation, 9 , S69–S79.
openxml : Parser for OpenXML (OXML) files.
Harrell, C. (2011). What’s a timeline. http://journeyintoir.blog opera_global : Parser for Opera global_history.dat files.
spot.com/2011/09/whats-timeline.html. opera_typed_history : Parser for Opera typed_history.xml files.
Ieong, R. S. (2006). Forza–digital forensics investigation framework pe : Parser for Portable Executable (PE) files.
that incorporate legal issues. digital investigation, 3 , 29–36. plist : Parser for binary and text plist files.
Maurer, M. (2016). Evidence fetcher (efetch). https://github.com pls_recall : Parser for PL/SQL Recall files.
popularity_contest : Parser for popularity contest log files.
/maurermj08/efetch. prefetch : Parser for Windows Prefetch files.
McQuaid, J. (2014). Forensic analysis of prefetch files in win- recycle_bin : Parser for Windows $Recycle.Bin $I files.
dows. https://www.magnetforensics.com/computer-forensics recycle_bin_info2 : Parser for Windows Recycler INFO2 files.
/forensic-analysis-of-prefetch-files-in-windows/. rplog : Parser for Windows Restore Point (rp.log)
Metz, J. (2015). Using psort. https://github.com/log2timeline/ files.
sccm : Parser for SCCM logs files.
plaso/wiki/Using-psort. selinux : Parser for SELinux audit.log files.
Metz, J. (2017). Log2timeline/plaso. https://github.com/log2tim skydrive_log : Parser for OneDrive (or SkyDrive) log
eline/plaso/wiki. files.
Olsson, J., & Boldt, M. (2009). Computer forensic timeline visual- skydrive_log_old : Parser for OneDrive (or SkyDrive) old log
ization tool. digital investigation, 6 , S78–S87. files.
sophos_av : Parser for Anti-Virus log (SAV.txt) files.
Quick, D., & Choo, K.-K. R. (2014). Impacts of increasing volume
sqlite : Parser for SQLite database files.
of digital forensic data: A survey and future research challenges. symantec_scanlog : Parser for Symantec Anti-Virus log files.
Digital Investigation, 11 , 273–294. syslog : Syslog Parser
SANS Institutes (2011). Log2timeline cheatsheet. https://digita usnjrnl : Parser for NTFS USN change journal
l-forensics.sans.org/media/log2timeline_cheatsheet.pdf. ($UsnJrnl).
Walter, J. (2016). Kibana and SANS Evidence of ... . http://www. utmp : Parser for Linux/Unix UTMP files.
utmpx : Parser for UTMPX files.
carpeindicium.com/blog/kibana-sans-evidence-of/. winevt : Parser for Windows EventLog (EVT) files.
Weber, R. (2017). How to use log2timeline! https://medium.com/d winevtx : Parser for Windows XML EventLog (EVTX) files.
fclub/how-to-use-log2timeline-54377e24872a. winfirewall : Parser for Windows Firewall Log files.
Wiedeman, G. (2016). Practical digital forensics at accession for winiis : Parser for Microsoft IIS log files.
born-digital institutional records. Code4Lib Journal, 31 . winjob : Parser for Windows Scheduled Task job
(or At-job) files.
winreg : Parser for Windows NT Registry (REGF) files.
xchatlog : Parser for XChat log files.
xchatscrollback : Parser for XChat scrollback log files.
zsh_extended_history : Parser for ZSH extended history files
-------------------------------------------------------------------

11
Appendix B. Log2Timline output modules

As mentioned in Sec. 2.2, the framework comes with a

tool psort.py that allows filtering, sorting and converting
the plaso storage file in one of the following output formats
which is slightlty different to the list releases on github
Metz (2015):
$ psort.py -o list

************************* Output Modules **************************

Name : Description
-------------------------------------------------------------------
l2tcsv : CSV format used by legacy log2timeline, with 17
fixed fields.
xlsx : Excel Spreadsheet (XLSX) output
l2ttln : Extended TLN 7 field | delimited output.
4n6time_sqlite : Saves the data in a SQLite database, used by the
tool 4n6time.
4n6time_mysql : MySQL database output for the 4n6time tool.
kml : Saves events with geography data into a KML format.
dynamic : Dynamic selection of fields for a separated value
output format.
rawpy : "raw" (or native) Python output.
json : Saves the events into a JSON format.
null : Output module that does not output anything.
timesketch : Create a Timesketch timeline.
tln : TLN 5 field | delimited output.
json_line : Saves the events into a JSON line format.
elastic : Saves the events into an Elasticsearch database.
-------------------------------------------------------------------

12