I've posted the currently available timeline creation tools to the Files section of the Win4n6 Yahoo group, along with a PDF document that illustrates how to use the tools.
The tools themselves are somewhat raw at the moment. They're all Perl scripts (none have been compiled into standalone EXEs) and therefore require that ActiveState Perl be installed to use them (I used version 5.8 to develop the scripts). Some of the scripts require additional modules, but they're pretty easy to install using the Perl Package Manager (PPM) that ships as part of ActiveState Perl.
At the moment, the process for using the tools is manual...there's no single "Find all evidence" button to push...this isn't Nintendo forensics. However, there is a method to my madness...this provides the analyst with the flexibility to create mini-timelines, comprised of a subset of available sources, such as only the Event Logs. I've found this capability alone to be extremely valuable.
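As an added illustration of the mini-timeline idea (this is not one of the scripts from the Win4n6 archive, and it is in Python rather than the Perl the tools are written in), the block below normalizes constructed records from two sources, an Event Log export and a bodyfile-style file-system listing, into one record shape, merges them in time order, and lets the analyst restrict the result to a subset of sources. The input formats, field names, host name and sample rows are assumptions made for the example, not the format the author's tools use.

```python
"""Mini-timeline builder (added example): merge events from several
sources into one time-ordered list, or restrict to a subset of sources."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set

# Constructed sample data; not taken from any real image.
# Assumed Event Log export format: time(UTC),log,eventid,host,user,message
SAMPLE_EVT_CSV = r"""
2009-03-15 14:02:11,Security,528,WORKSTATION1,jdoe,Successful Logon
2009-03-15 14:05:47,System,7035,WORKSTATION1,SYSTEM,Service PSEXESVC was sent a start control
2009-03-15 14:06:02,Security,592,WORKSTATION1,jdoe,A new process has been created: C:\WINDOWS\PSEXESVC.EXE
"""
# Assumed bodyfile-style listing: path|size|atime|mtime|ctime (epoch seconds, UTC)
SAMPLE_FS = """
C:/WINDOWS/PSEXESVC.EXE|12800|1237125960|1237125950|1237125950
C:/Documents and Settings/jdoe/NTUSER.DAT|262144|1237125731|1237125731|1237100000
"""


@dataclass(frozen=True)
class Event:
    """Common record every source is normalized to before merging."""
    ts: int        # seconds since the Unix epoch, UTC
    source: str    # short tag for the artifact class, e.g. "EVT", "FILE"
    host: str
    user: str
    desc: str


def parse_evt_csv(text: str) -> List[Event]:
    """Parse the assumed 'time,log,id,host,user,message' rows into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, log, eid, host, user, msg = line.split(",", 5)
        ts = int(datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
                 .replace(tzinfo=timezone.utc).timestamp())
        events.append(Event(ts, "EVT", host, user, f"{log}/{eid} {msg}"))
    return events


def parse_bodyfile(text: str, host: str) -> List[Event]:
    """Parse 'path|size|atime|mtime|ctime' rows, emitting one Event per
    distinct timestamp with M/A/C flags showing which times it carries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _size, atime, mtime, ctime = line.split("|")
        times = {"M": int(mtime), "A": int(atime), "C": int(ctime)}
        for ts in sorted(set(times.values())):
            flags = "".join(f if times[f] == ts else "." for f in "MAC")
            events.append(Event(ts, "FILE", host, "", f"{flags} {path}"))
    return events


def build_timeline(events: Iterable[Event],
                   sources: Optional[Set[str]] = None) -> List[Event]:
    """Merge events from any number of sources into one time-ordered list.
    sources={"EVT"} yields a mini-timeline of just the Event Logs; None
    keeps everything. Ties sort by source then description, so output is
    deterministic."""
    selected = [e for e in events if sources is None or e.source in sources]
    return sorted(selected, key=lambda e: (e.ts, e.source, e.desc))


def render(events: Iterable[Event]) -> List[str]:
    """One pipe-delimited line per event, time shown in UTC."""
    out = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{when}|{e.source}|{e.host}|{e.user}|{e.desc}")
    return out


def demo(sources: Optional[Set[str]] = None) -> List[str]:
    """Build the timeline from both constructed sources, optionally filtered."""
    evts = parse_evt_csv(SAMPLE_EVT_CSV) + parse_bodyfile(SAMPLE_FS, "WORKSTATION1")
    return render(build_timeline(evts, sources))


if __name__ == "__main__":
    print("\n".join(demo()))
    print("--- Event Logs only ---")
    print("\n".join(demo({"EVT"})))
```

Running it prints the full seven-event timeline and then the three-line Event-Log-only view. The point of keeping the per-source parsers separate from `build_timeline` is the same flexibility described above: adding a source means adding one parser that emits the common record, and a mini-timeline is just a filter applied before the sort.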
Finally, these tools are a start, and even though they're still raw at the moment, they open the door to an extremely valuable analysis technique. If this is something you're interested in, download the zipped archive, take a look at the PDF document (it walks through using the tools to build an actual timeline from an image), and let me know what you think. Posting this isn't the end, it's just the beginning...