Changelog for log2timeline-0.65-1.fc23.x86_64.rpm:
* Wed Sep 12 2012 Lawrence Rogers 0.65-1
* Release 0.65-1
- [UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
- [SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
- [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
- [EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
- [Altiris input] Fixed a small bug when the date is malformed.
- [Log2Timeline library] Fixed a few bugs:
  - Small error in the format sort, caused oxml to sometimes be skipped in processing.
- [GENERIC_LINUX input] Added a small extra eval sentence.
- [LS_QUARANTINE] Fixed a minor bug in the get_time routine, if a database occurs it is caught by an eval sentence.
- [TEST] Added a few more tests.
- [MOST INPUT MODULES] Changed the line: my $line = <$fh> or return undef; in most input modules.
- [WIN library] Added a few more transformations of Windows stored time zones into "olson" ones understood by DateTime.
- [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
- [faersluskra2timalina] Added a new frontend to the tool, exact copy of log2timeline, except all parameters in Icelandic... kinda
- [timescanner tool] Removed this frontend from the Makefile since it serves no purpose (as in no longer part of the automatic installation).
* Mon Jun 11 2012 Lawrence Rogers 0.64-1
* Release 0.64-1
- [TESTSUITE] Added the first version of a test suite to the tool.
  - All tests are located inside the t/ directory.
  - Tests should be constructed for ALL possible uses of the tool, not limited to:
    - Raw parsing of logs using input modules.
    - Correct output for output modules.
    - Correct output from each function inside modules/libraries.
  - The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
- [LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
- [Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
  - Changed the exclusion list so it can be easily changed.
  - Added a call to ->end on each input module if verification failed.
  - Minor bug fixes in the main engine.
  - Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
  - Added support to detect shortcuts in Windows systems.
  - Added the "path_orig" to all input modules (making it possible to "fix" paths).
- [CHROME input] Slight changes to the output based on the value of the typed_count variable, also updated the path to the code that describes the transition types.
- [SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool not to include SKYPE data when recursive mode was set on.
  - Also fixed UTF-8 support, should properly display UTF-8 by now.
- [PREFETCH input] Small changes to the verification module.
- [WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
- [SQLITE output] Changed the way the SQLite code is written considerably, pre-compiling statements to prevent them being compiled for each insert, using transactions instead of writing them constantly to the DB, and other minor tweaks to make the DB output faster than before (since it was incredibly slow before).
- [CHROME input] Small bug to fix UTF-8 support.
- [FIREFOX3 input] Small bug to fix UTF-8 support.
- [PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive is turned on.
- [RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive is turned on.
- [LIST files] Added a few items into the Windows list files, as well as to create a Mac OS X one.
- [MFT input] Fixed a bug with Unicode support.
- [RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT.
- [SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT.
- [EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace).
  - Issue when Parse::Evtx was installed on SIFT, causing the tool to first load the library from Schuster, and not the slightly changed one distributed by the tool, causing the module to not work.
* Mon Apr 09 2012 Lawrence Rogers 0.63-1
* Release 0.63-1
Version 0.63 (09/04/2012)
- ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
  - Also several modules have had their documentation updated and code reformed to reflect the recent release of a style guide for the project. perltidy is not enough to enforce that, but at least a start. Rewriting the documentation (pod) is also a vital portion of making the modules easier to use/understand/develop.
  - All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably more useful than it was.
- [SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
  - This makes it possible to output using this method and then sorting is simpler since it does not require the module to read in the csv and change it into something like a hash, since it is already stored as such.
  - This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV instead of using CSV as default and trying to filter that output.
  - This also makes it easier to filter, based on certain attributes, instead of at the line level.
- [WIN7 list] Fixed a small bug in the Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
- [FIREFOX3 input] Added a check to see if the SQLite database contains a -wal or -shm (in addition to -journal), and if it does, then do the same procedure as if it was a -journal (read-only database that gets copied to a temp location). This was pointed out to me by Svante.
- [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail option/parameter is used.
- [MFT input] Inside the verification routine a check is made to see if the magic value is FILE0; it should only be FILE. Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
- [SAM input] Changed the handling of SAM database data, it did not properly parse the SAM database file in certain cases due to the keys being prefilled with the CMI-CREATE....
- [NTUSER input] Changed a value check in UserAssist key parsing causing UserAssist keys not properly being parsed.
- [WIN_LINK input] The values for mtime and atime got swapped (the correct order is CAM not CMA like it was).
- [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless the detail option is used.
- [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to the setupapi input module.
- [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
- [win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
- [LOG2TIMELINE] Small bug in the log2timeline library, causing input module lists that have more than one - sign in them to not be properly verified.
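The FIREFOX3 item above describes the safe way to read an SQLite database that has -wal, -shm or -journal files beside it: copy the database together with those sidecar files to a temporary location and open the copy read-only. The Python script below is an added example of that procedure written for this page; it is not part of log2timeline or of Firefox. The `History` database, its `urls` table and the three rows are constructed here so the script runs offline. It compares a copy of the database file alone with a copy that includes the sidecars: rows committed to the write-ahead log but not yet checkpointed are missing from the first and present in the second.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Files SQLite may keep next to a database. Without them a copy can be missing
# committed data (-wal) or be left mid-transaction (-journal).
SIDECAR_SUFFIXES = ("-wal", "-shm", "-journal")


def snapshot_sqlite(db_path, dest_dir):
    """Copy a database and every sidecar file present into dest_dir.

    Returns (path of the copy, list of sidecar suffixes that existed).
    The original file is only ever read by shutil, never opened with SQLite,
    so no recovery or checkpoint can modify the evidence.
    """
    src = Path(db_path)
    dst = Path(dest_dir) / src.name
    shutil.copy2(src, dst)
    found = []
    for suffix in SIDECAR_SUFFIXES:
        side = src.with_name(src.name + suffix)
        if side.exists():
            shutil.copy2(side, dst.with_name(dst.name + suffix))
            found.append(suffix)
    return dst, found


def count_urls(db_path):
    """Open a copy read-only (URI mode=ro) and count rows in the urls table."""
    uri = "file:" + Path(db_path).resolve().as_posix() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return conn.execute("SELECT count(*) FROM urls").fetchone()[0]
    finally:
        conn.close()


def make_wal_fixture(directory):
    """Build a constructed 'History' database whose rows live only in the WAL.

    The table is created in rollback-journal mode so it lands in the main file;
    the inserts happen after switching to WAL and are far below the automatic
    checkpoint threshold. The returned connection must stay open: closing the
    last connection checkpoints the WAL into the main file and deletes it.
    """
    path = Path(directory) / "History"
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, last_visit_time INTEGER)")
    conn.commit()
    conn.execute("PRAGMA journal_mode=WAL")
    conn.executemany(
        "INSERT INTO urls (url, last_visit_time) VALUES (?, ?)",
        [("http://example.test/a", 13000000000000001),   # constructed rows
         ("http://example.test/b", 13000000000000002),
         ("http://example.test/c", 13000000000000003)],
    )
    conn.commit()
    return path, conn


def demo():
    """Compare a bare file copy with a copy that includes the sidecars."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    db, keep_open = make_wal_fixture(evidence_dir)

    naive_dir = tempfile.mkdtemp(prefix="naive-")
    shutil.copy2(db, Path(naive_dir) / db.name)        # database file only
    naive_rows = count_urls(Path(naive_dir) / db.name)

    full_dir = tempfile.mkdtemp(prefix="full-")
    copy, sidecars = snapshot_sqlite(db, full_dir)     # database plus sidecars
    full_rows = count_urls(copy)

    keep_open.close()
    for d in (evidence_dir, naive_dir, full_dir):
        shutil.rmtree(d, ignore_errors=True)
    return {"naive_rows": naive_rows, "full_rows": full_rows, "sidecars": sidecars}


if __name__ == "__main__":
    print(demo())
```

A browser database in WAL mode can hold recently committed rows in the -wal file for a long time before a checkpoint moves them into the main file, so a copy of the main file alone silently loses the newest history. The -shm file is only a cache of the WAL index and SQLite rebuilds it when it is stale, but copying it along with the -wal is harmless and keeps the copy self-contained.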
- [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not yet complete, style guide.
- [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster).
  - Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output an error message if debug is turned on.
* Wed Nov 23 2011 Lawrence Rogers 0.62-1
* Release 0.62-1
Version 0.62 (23/11/2011)
- [FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie.
- [OPENVPN input] New input module, designed to parse the OpenVPN log files.
- [L2T_PROCESS] Added a few more allowed characters in the keyword list.
- [proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file.
- [Log2Timeline library] Fixed a bug, when the 'all' modules option is used (or -f is omitted) no modules get loaded.
  - Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible.
  - Fixed a small bug whereas the tool would crash if the local timezone was used.
  - Fixed a small bug whereas the tool is not able to find the default directory (. does not exist) or if the file in question does not really exist that the tool is pointing to... that made the tool return a double error instead of just dying on the first one.
  - The tool will now accept a separate output timezone so the tool can output in a different timezone than the host's one.
- [log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
- [CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports a different output timezone than the host one.
- [EVTX input] Fixed a bug where the tool could go into an endless loop in the case where you have an EVTX that is somehow broken and the function get_next_event dies. If the tool runs into such an occurrence it returned an empty timestamp object, that in turn let the tool query for it again, thus possibly getting into an endless loop. Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
- [log2timeline-sift] Moved the mount command out of the script and into the configuration file.
  - Changed the mount command, since there were a few errors with the previous one.
  - Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call).
* Mon Sep 26 2011 Lawrence Rogers 0.61-1
* Release 0.61-1
Version 0.61
- [log2timeline] Small changes to the version printing (now prints just the last portion of the path).
  - Now the engine checks if the format field is set and omits it if it's set (to facilitate input modules like CSV that define it).
  - Changed the list modules, added the SAM database readout in the winxp and win7 list files.
  - Created the winsrv list file.
  - Added the MFT module to all Windows list files (just in case they use a driver that displays the $MFT file).
  - Fixed an issue with the tool not accepting the described format of the offset variable (should be +- int with the appended hms (optional)).
  - Added a try/catch around get_time, http://bugs.log2timeline.net/show_bug.cgi?id=2
- [L2T_CSV input] Added an input module that reads the CSV format of log2timeline (done to make it easier to convert CSV files into another format).
- [extra/bash_completion] Added a bash_completion script, stored inside the extra/bash_completion.d directory (need to copy it manually in the first go).
  - Can make it easier to complete the parameters to the tool in *NIX.
- [l2t_process] Fixed some timezone settings, or more created some temporary solutions to bug http://bugs.log2timeline.net/show_bug.cgi?id=4
- [SQLITE output] Changed the schema considerably, along with other smaller changes to the SQLite output.
- [TIME library] Fixed a bug in ftk2date (http://bugs.log2timeline.net/show_bug.cgi?id=7) - timestamps without ms values are not properly parsed.
- [PREFETCH input] Slightly modified the debug information in the verification step.
- [MCAFEE input] Slight changes in output from the verification routine.
  - Added newline skipping in the verification subroutine (code donated anonymously).
- [ALTIRIS input] New input module to parse the AeXAMInventory and AeXProcessList files from Altiris (donated anonymously).
- [MCAFEEFIREHUP input] New input module to parse the McAfee FireEpo, FireSvc, FireTray, UpdateLog files (donated anonymously).
- [MCAFEEHEEL input] New input module to parse the McAfee HIPS event.log (donated anonymously).
- [SYMANTEC input] New input module to parse Symantec log files (donated anonymously).
- [MCAFEEHS input] New input module to parse the McAfee HIPShield Log File (donated anonymously).
- [ANALOG_CACHE input] New input module to parse the cache log produced by Analog (log parser), user contributed, written by Willi Ballenthin.
- [FTK_DIRLISTING input] Bug fixed in the ftk_dirlist module, the actual file name was repeated in the output... http://bugs.log2timeline.net/show_bug.cgi?id=6
- [SAFARI input] John Ritchie made a small bug fix to the module, changing how the timestamp object got defined.
- [IE_HISTORY input] Fixed a bug in the module. time1 and time2 somehow got mixed up, reversed the order so that time1 is properly defined as the modification time, instead of being marked as the access time (and vice versa) - thanks to Jamison Bosco for notifying me.
  - Small fix, updated the module so that if both time1 and time2 are the same, to join them in a single time.
* Thu Aug 18 2011 Lawrence Rogers 0.60-2
* Release 0.60-2
Removed perl-Parse-Evtx and added it as a dependency
* Mon Jun 06 2011 Kristinn Gudjonsson 0.60-1
* Release 0.60-1
- [Log2Timeline library] Created a new library that contains the main engine in log2timeline. All the functionality of the tool is moved to this library, making the front-ends mostly there to process parameters sent to the tool. Some core changes made to how the engine is handled, making it necessary to update all the input modules. The output modules all had a constructor, however it was not used that much, so some changes were made to all output modules as well, to transfer some variables needed by some of the output modules.
  - Small changes to the time zone settings. Instead of using the short name for the timezone, the long name is used throughout the tool.
- [log2timeline] Changed the front-end to be able to use the new engine. Removed most of the functionality out of the tool into the new structure. With the changes to the engine more options have been added to log2timeline, including the possibility of guessing the format of a file (no need to specifically tell the front-end which module to use to parse the file, although it is possible). Also possible to do recursive searches, making timescanner really unneeded.
- [timescanner] Changed the front-end to be able to use the new engine. It is basically the same tool now as log2timeline, however it will continue to use the same parameters as the older version of timescanner and default to recursive behaviour instead of a single file parsing as log2timeline does.
- [l2t_process] Changed the tool so that it removes duplicate entries from the timeline. Also prints out a few statistics in the end.
  - It checks for suspicious entries indicating timestomping that fall outside the date range (that is entries that have only second precision in the MFT module).
  - Now accepts a file containing keywords, to compare against. The keyword file should contain a single keyword per line. The keywords are then compared against every line that passes the date filter. Only lines that have a match against those keywords are printed out.
  - Changed parameters slightly, to match with those of the main tool (log2timeline).
  - Added a simple scatter plot creation. Only applicable if you are parsing the MFT. The scatter plot takes all files that are stored inside the windows/system32 directory and plots the MFT numbers on the X-axis and creation time (both $SI and $FN) on the Y-axis, to quickly spot outliers in the data set that might be an indication of malware.
  - When the scatter plot is drawn a simple process is run to detect outliers in the dataset and print those.
- [skype_sql INPUT] Added a new input module that parses the main.db, the SQLite database that belongs to Skype. Basic module that parses only basic entries from the db, later versions will parse the database in more detail.
- [PreProcessing] Added a pre-processing library. Now it is possible to extract information gathered from the drive before the tool starts.
- [win_sysinfo PreProc] New module in the pre-processing library. A simple library that extracts the hostname of the machine and prints the timezone information before
- [user_browser PreProc] New module in the pre-processing library. A simple library that goes through each user profile searching for the default browser of that particular user. The information is both printed on screen and then used in the browser input modules (to indicate whether or not this is the default browser of that particular user).
- [MFT input] New input module that parses the $MFT file (NTFS filesystem), ported from the tool analyzeMFT written by David Kovar.
- [NTUSER input] Removed the userassist input module and replaced it with a NTUSER one (better name anyway).
  - The module now contains a recursive scanner, where it begins checking if it can parse the key (has a special parsing capability for a particular key), and if not, it will print the key's name and LastWritten time (a la regtime).
  - The module will then end by getting deleted entries (method gathered from deleted.pl, written by Jolanta Thomassen and distributed on the SIFT).
- [SOFTWARE input] New input module to extract timestamps from the SOFTWARE registry hive.
- [JP_NTFS_CHANGE] New input module that takes the output from the tool jp (NTFS Change Log), which is a CSV file.
- [SYSTEM input] New input module to extract timestamps from the SYSTEM registry hive.
- [SECURE input] New input module to extract timestamps from the SECURITY registry hive.
- [SAM input] New input module to extract timestamps from the SAM registry hive, along with basic SAM parsing.
- [bug reporting] Added a bug tracking system for the tool, available at bugs.log2timeline.net
- [xp_firewall INPUT] Fixed a minor bug in the tool where the seconds got omitted (losing precision on the date).
- [CFTL output] Changed the output slightly, adding file name to the output for instance.
- [SIMILE output] Changed the output slightly, adding file name to the output for instance.
- [IIS input] The second parameter was not parsed properly, making the module only accurate to the minute, fixed that.
- [USERASSIST input] Added one more check in the verify function. There were reports of files that contain the magic value for a registry file, yet the reglibrary was unable to retrieve the root key, making the tool crash.
- [TIME library] Fixed the output of the get_cur_time called by the recursive scanner to print the current time. The problem was the representation of the time, could be 23:1:42... now it is fixed so that it is 23:01:42.
- [EVTX input] Made small changes to include a URL pointing to further information about the event, and events in general for Win 2008.
  - Also fixed a small bug where the tool was unable to retrieve text content from an attribute.
  - Also added a small translation from AccessList codes to "human readable" form, for file auditing.
- [CSV/TAB output] Changed both modules to use the short time zone name instead of the long one in the output.
  - Removed tab characters from description/title to prevent text spreading over tabs in Excel.
- [MACTIME output] Fixed a small issue when the source type is file.
- [EVT input] Fixed the EVT module, it produced two timestamps per entry, even though both timestamps were the same, now it checks and only includes one if they are the same.
- [TLN/TLNX output] Fixed a small issue when the source type is file.
- [SQLITE output] Fixed a small issue when the source type is file.
- [extra FOLDER] Created a small folder called extra that contains some extra scripts, such as a script to remove log2timeline from the system.
- [glog2timeline] Removed the glog2timeline GUI, at least for the time being. It has to be ported to the new engine, and until then it is removed.
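The l2t_process items in the 0.60-1 entry describe a post-processing pass over a timeline: drop duplicate rows, keep only rows inside a date range, report rows outside the range that are $MFT $SI timestamps with only second precision as possible timestomping, and optionally keep only rows that match a keyword file with one keyword per line. The Python below is an added example of that pass written for this page; it is not l2t_process itself and does not use the l2t_csv layout. The sample timeline and keyword file are constructed, the five-column layout with a 100-ns fractional timestamp is an assumption (l2t_csv has no sub-second column), and the column names are assumptions too.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample timeline (not real l2t_csv output). The simplified layout keeps
# the 100-ns fraction that an $MFT record carries; the two identical kernel32.dll
# rows stand in for the duplicates a recursive run produces.
SAMPLE_TIMELINE = """timestamp,source,type,filename,desc
2012-05-01T10:15:30.1234567Z,FILE,$SI [MACB] time,C:/Windows/System32/kernel32.dll,MFT entry 1201
2012-05-01T10:15:30.1234567Z,FILE,$SI [MACB] time,C:/Windows/System32/kernel32.dll,MFT entry 1201
2009-01-01T00:00:00.0000000Z,FILE,$SI [MACB] time,C:/Windows/System32/svch0st.exe,MFT entry 8843
2012-05-02T08:00:00.5500000Z,FILE,$FN [MACB] time,C:/Windows/System32/svch0st.exe,MFT entry 8843
2012-05-03T12:00:00.0000000Z,LOG,Entry Written,/var/log/auth.log,Accepted password for admin from 10.0.0.5
2012-06-30T23:59:59.9999999Z,WEBHIST,URL Visited,Chrome History,http://example.test/download
"""

# Constructed keyword file: one keyword per line, blank lines ignored.
SAMPLE_KEYWORDS = "svch0st\n\nadmin\n"


def parse_timestamp(text):
    """Split 'YYYY-MM-DDTHH:MM:SS[.fffffff]Z' into (aware datetime, 100-ns fraction)."""
    base, _, fraction = text.rstrip("Z").partition(".")
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac_100ns = int((fraction + "0000000")[:7]) if fraction else 0
    return when, frac_100ns


def load_timeline(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"], row["frac_100ns"] = parse_timestamp(row["timestamp"])
        rows.append(row)
    return rows


def dedupe(rows):
    """Keep the first occurrence of each identical row."""
    seen, unique = set(), []
    for row in rows:
        key = (row["timestamp"], row["source"], row["type"], row["filename"], row["desc"])
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


def is_second_precision_si(row):
    """$SI timestamp from the MFT whose sub-second part is exactly zero."""
    return row["source"] == "FILE" and row["type"].startswith("$SI") and row["frac_100ns"] == 0


def apply_date_filter(rows, start, end):
    """Return (rows inside [start, end), out-of-range rows worth reporting)."""
    kept, suspicious = [], []
    for row in rows:
        if start <= row["when"] < end:
            kept.append(row)
        elif is_second_precision_si(row):
            suspicious.append(row)
    return kept, suspicious


def load_keywords(text):
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def keyword_filter(rows, keywords):
    """Case-insensitive substring match of any keyword against the text fields."""
    matched = []
    for row in rows:
        haystack = " ".join((row["type"], row["filename"], row["desc"])).lower()
        if any(keyword in haystack for keyword in keywords):
            matched.append(row)
    return matched


def process(text, start_iso, end_iso, keyword_text=""):
    """Run the whole pass and return the rows plus the statistics printed at the end."""
    rows = load_timeline(text)
    unique = dedupe(rows)
    start, _ = parse_timestamp(start_iso)
    end, _ = parse_timestamp(end_iso)
    kept, suspicious = apply_date_filter(unique, start, end)
    keywords = load_keywords(keyword_text)
    if keywords:
        kept = keyword_filter(kept, keywords)
    return {
        "total": len(rows),
        "duplicates_removed": len(rows) - len(unique),
        "kept": kept,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    result = process(SAMPLE_TIMELINE, "2012-05-01T00:00:00Z", "2012-07-01T00:00:00Z", SAMPLE_KEYWORDS)
    for row in result["kept"]:
        print(row["timestamp"], row["source"], row["filename"])
    for row in result["suspicious"]:
        print("possible timestomping:", row["timestamp"], row["filename"])
    print(result["total"], "rows,", result["duplicates_removed"], "duplicates removed")
```

A zero fraction on an $SI timestamp is a heuristic, not proof: archive extractors and copy utilities also write whole-second times, and the $FN timestamps of the same record are the natural cross-check. That is why the example reports such rows in a separate list rather than dropping them with the rest of the out-of-range data or labelling them malicious.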