So now you have probably heard about Super Timeline from Rob Lee's SAN page - http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/.
Good stuff, I don't know if you had tried log2time, but my first thought was wow, it would be great if it could go and find all of the artifact log files. Well, they did that too - TimeScanner was added to search the drive and send the output to log2time, sweet! Combined in the future is what I have read.
Rob Lee combined this with Carvey's registry time perl script, fls from the Sleuth Kit, and jacks it all together with old school mactime.pl, also from the SleuthKit. Rob makes putting this easier by having these components in the SIFT Workstation (info found in the Super Timeline page).
Ok, intro done... I have run some tests against older cases and loved the results*. It USED to be a lot of work to get log source 1 and log source 2, consolidate them, and review. Then make a determination if log source 3 was needed. This makes it much quicker and moves it up the SP index (SPI) appropriately, since the SPI is a combination of factors, including estimated time and estimated effectiveness in meeting the case goals. SPI is an artifact from the digital forensic methodology I have been teaching my staffs and formalizing into a presentation for Defcon 18 and Black Hat 2010
*For legal purposes - I didn't find any data that changed any of my conclusions, but enhanced the conclusions that I or my teams generated.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment