Computer Forensics World :: View topic - Log2timeline (Sift Workstation V3) - how to ...
DW2054 (Newbie; joined Jul 31, 2012; 3 posts)
Posted: Tue Sep 08, 2015 4:57 am    Post subject: Log2timeline (Sift Workstation V3) - how to ...

Log2timeline (Sift Workstation V3) - how to get it to read an E01 file? In the prior .py version it was straightforward (or so it seems comparatively): command, plaso, source. In the new executable I am struggling.

What I want to do is read a server E01 file: filter on winsrv, output as CSV, PST timezone, write a log, and hash the file. Where does the E01 source go? In this example let's call it FILE_Source.E01

log2timeline -f winsrv -w example_output_winsrv.csv -z PST8PDT -log example_output_WINSRV.LOG -c

Thank you.
PreferredUser (Newbie; joined Jan 01, 2007; 1130 posts; location: USA)
Posted: Tue Sep 08, 2015 10:44 am

Are you mounting the EWF?
DW2054 (Newbie; joined Jul 31, 2012; 3 posts)
Posted: Tue Sep 08, 2015 10:56 am    Post subject: Great question

Yes and no.

If I need to, I can.

I have the external USB drive mounted with the E0x files.

/media/sanforensics/external_DRV/
In that directory there are 9 files:
example.e01 - example.e09

Executed from the /media/ path above with the E0x files:
log2timeline -r -p -z PST8PDT -f winsrv example.e01

Doesn't work, obviously, I am sure.

Thoughts, help, etc. Greatly appreciated.

Does this log2timeline auto-write to the path its in? Or where is the output going?

Thank you.
PreferredUser (Newbie; joined Jan 01, 2007; 1130 posts; location: USA)
Posted: Tue Sep 08, 2015 11:50 am

I would recommend mounting the EWF with libewf and then run log2timeline against the mounted image.

Maybe try the following:
log2timeline.py -w -z PST8PDT -f winsrv -c example_output_winsrv.csv /media/sanforensics/external_DRV/example.e01 -log example_output_WINSRV.LOG
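Editor's worked example for this thread (added here; it is not code posted by DW2054 or PreferredUser): the mount-then-run workflow PreferredUser recommends, with the options the original poster asked for. Two points the commands in the posts mix up: plaso's log2timeline.py takes the storage file first and the source second as positional arguments (the source may be a mounted volume or the E01 itself, since plaso opens EWF through dfVFS), and the CSV is produced in a second step by psort.py, which is also where the output timezone is chosen. The script verifies the acquisition hash with ewfverify, exposes the image with libewf's ewfmount, parses mmls output to find the OS volume's byte offset (the step most people trip over), mounts it read-only, and runs plaso. The paths, the "win7" parser preset, the hasher choice and the timezones are assumptions for the example; the mmls output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): verify and mount a split E01
# with libewf, locate the OS volume with mmls, then run plaso on SIFT 3.
# Assumes ewfverify, ewfmount, mmls, log2timeline.py and psort.py are on PATH.

# DRY_RUN=1 prints each command instead of running it, so the procedure can be
# rehearsed on a workstation without the tools or the evidence present.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read mmls output on stdin and print the byte offset of the largest NTFS
# volume (the OS volume; skips the small System Reserved partition). Sector
# size comes from the "Units are in N-byte sectors" line, defaulting to 512.
largest_ntfs_offset() {
    awk -v ss=512 '
        /^Units are in/ { split($4, u, "-"); ss = u[1] + 0 }
        /NTFS/ { if ($5 + 0 > best_len) { best_len = $5 + 0; best_start = $3 + 0 } }
        END { if (best_len > 0) printf "%d\n", best_start * ss; else exit 1 }'
}

# Constructed mmls output for a two-volume Windows server disk (System Reserved + C:).
SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS (0x07)
003:  000:001   0000206848   0000041940991   0000041734144   NTFS (0x07)
EOF
)

# Verify the hash stored in the E01, expose it as a raw image under EWF_DIR
# (ewfmount follows the E02, E03, ... segments itself when given the first),
# then mount the OS volume read-only at FS_DIR.
mount_e01() {   # mount_e01 IMAGE.E01 EWF_DIR FS_DIR
    image=$1; ewf_dir=$2; fs_dir=$3
    run mkdir -p "$ewf_dir" "$fs_dir"
    run ewfverify "$image"
    run ewfmount "$image" "$ewf_dir"
    if [ "${DRY_RUN:-0}" = 1 ]; then mmls_out=$SAMPLE_MMLS; else mmls_out=$(mmls "$ewf_dir/ewf1"); fi
    offset=$(printf '%s\n' "$mmls_out" | largest_ntfs_offset) || return 1
    run mount -o ro,loop,offset="$offset" "$ewf_dir/ewf1" "$fs_dir"
}

# plaso is two steps: log2timeline.py extracts events into a storage file,
# psort.py sorts them and renders the CSV. SOURCE can be the mounted volume or
# the E01 itself, so the mount above is optional for plaso (it is still handy
# for triage with ordinary tools).
run_plaso() {   # run_plaso SOURCE STORAGE OUT_CSV IMAGE_TZ OUTPUT_TZ LOGFILE
    src=$1; storage=$2; out_csv=$3; image_tz=$4; out_tz=$5; logfile=$6
    # -z here is the timezone the server ran in (interprets artefacts stored
    # in local time); --hashers records a SHA-256 for each file plaso parses.
    run log2timeline.py --parsers win7 --hashers sha256 -z "$image_tz" \
        --logfile "$logfile" "$storage" "$src"
    # -z here is the timezone the CSV timestamps are rendered in.
    run psort.py -z "$out_tz" -o l2tcsv -w "$out_csv" "$storage"
}

main() {   # main /media/sanforensics/external_DRV/example.e01 /cases/example
    image=$1; case_dir=$2
    mount_e01 "$image" "$case_dir/ewf" "$case_dir/mnt" || exit 1
    run_plaso "$case_dir/mnt" "$case_dir/example.plaso" \
        "$case_dir/example_output_winsrv.csv" PST8PDT PST8PDT \
        "$case_dir/example_output_WINSRV.log"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as root on the SIFT box with the image path and a case directory; the `--parsers` preset, like the old "winsrv" filter, is only a shortcut for a parser list, and `log2timeline.py --parsers list` shows what a given plaso version actually offers.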
TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.