Log2timeline (Sift Workstation V3) - how to ...


DW2054
New Member
Jul 30, 2012
#1
Log2timeline (Sift Workstation V3) - how to get it to read an E01 file? In the prior .py version it was straightforward (or so it seems, comparatively): command, plaso, source. In the new executable I am struggling.

What I want to do is read a server E01 file: filter on winsrv, output as csv, PST timezone, write a log, and hash the file. Where does the E01 source go? In this example let's call it FILE_Source.E01

log2timeline -f winsrv -w example_output_winsrv.csv -z PST8PDT -log example_output_WINSRV.LOG -c

Thank you.
 

DW2054
New Member
Jul 30, 2012
#3
Great question

Yes and no.

If I need to, I can.

I have the external USB drive mounted with the E0's.

/media/sanforensics/external_DRV/
In that directory there are 9 files:
example.e01 - example.e09

Executed from the /media/ path above with the e0's.
log2timeline -r -p -z PST8PDT -f winsrv example.e01

Doesn't work, I am sure, obviously.

Thoughts, help, etc. greatly appreciated.

Does this log2timeline auto-write to the path it's in? Or where is the output going?

Thank you.
 
Dec 31, 2006
#4
I would recommend mounting the EWF with libewf and then running log2timeline against the mounted image.

Maybe try the following:
log2timeline.py -z PST8PDT -f winsrv -c -w example_output_winsrv.csv -log example_output_WINSRV.LOG /media/sanforensics/external_DRV/example.e01
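The mount-then-timeline workflow suggested above, as an added example that is not code from the thread: ewfmount (libewf) exposes the E01 as a raw image, mmls (Sleuth Kit) gives the NTFS partition offset for a read-only loop mount, and log2timeline is then run with the poster's own switches against the mounted tree. The mount points and the mmls listing are assumptions/constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: mount the E01 read-only with
# libewf's ewfmount, find the NTFS partition with Sleuth Kit's mmls, loop-mount
# it, then run log2timeline over the mounted tree. Mount points are assumptions.
set -eu

E01="/media/sanforensics/external_DRV/example.e01"  # first segment; .e02-.e09 are found automatically
EWF_MNT="/mnt/ewf"     # ewfmount exposes the raw disk image here as ewf1
IMG_MNT="/mnt/image"   # the file system log2timeline will walk
SECTOR=512             # mmls reports offsets in 512-byte sectors

# Byte offset of the first NTFS partition from mmls output on stdin
# (column 3 is the start sector). Reading stdin keeps this testable offline.
ntfs_offset() {
    awk -v s="$SECTOR" 'tolower($0) ~ /ntfs/ { printf "%.0f\n", $3 * s; exit }'
}

mount_evidence() {
    sudo mkdir -p "$EWF_MNT" "$IMG_MNT"
    sudo ewfmount "$E01" "$EWF_MNT"                  # read-only FUSE view of the E01
    off=$(sudo mmls "$EWF_MNT/ewf1" | ntfs_offset)
    [ -n "$off" ] || { echo "no NTFS partition in image" >&2; return 1; }
    sudo mount -o ro,loop,offset="$off" "$EWF_MNT/ewf1" "$IMG_MNT"
}

# Same switches the poster used (recurse, preprocess, PST, winsrv preset,
# hash files, CSV output, log file); the source directory is the last argument.
run_timeline() {
    log2timeline -r -p -z PST8PDT -f winsrv -c \
        -w example_output_winsrv.csv -log example_output_WINSRV.LOG "$IMG_MNT"
}

# Constructed mmls listing used to exercise ntfs_offset without a real image.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   NTFS / exFAT (0x07)'

# Run the full procedure only when explicitly asked: L2T_RUN=1 sh this_script.sh
if [ "${L2T_RUN:-0}" = 1 ]; then
    mount_evidence && run_timeline
fi
```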