I know sometimes getting things to work in Ubuntu is like trying to tell Fenton to stop chasing deer in Richmond Park. You keep trying and trying only to see it slowly slip from your grasp, all while amusing friends and random people you will never meet (just click the link, trust me you will giggle).
Fear not, for Kristinn has created a very lovely installation guide for us all.
So me just saying to sudo apt-get install the log2timeline package was a bit weak sauce of me. You have to ADD the website hosting the package to your sources list, as well as add Kristinn's GPG key (think PGP but not really). You can figure out what version of Linux you are using by running
Do a bit of apt-get update... THEN run the apt-get install and VOILA, dependencies and log2timeline installed! If you are feeling super nerdy and want to compile it yourself, feel free, but there are a decent number of dependencies. I always feel it's better to do less work, especially on a Saturday morning :)
Well so maybe I lied again... you also need sleuthkit installed on your machine. Luckily this can be done via
$ sudo apt-get install sleuthkit
I also suggest looking at the sift.conf file which is located in /etc/log2timeline.
|Default sift.conf file... I had to modify the location of the TSK binaries|
log2timeline makes guesses about where additional dependencies live (I assume based on the SiFT workstation), so you may need to point it at the path the programs actually sit at on your machine. This is done with good ol' find:
My mmls command is located at '/usr/bin/mmls', so I modified sift.conf accordingly. You can also change your mount point as well as where output will be saved to. Make sure you are root when you open the file for editing! P.S. If you keep the default options you will have to create these directories yourself; remember this is geared for SiFT.....
|Finding mmls on your system|
It's always good to look at config files so you have a better idea of how the program works, what it depends on, and which additional variables you can make use of (says the girl who uses apt... I know, I know).
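Here is the "where are my TSK binaries" step as a small script. This is an added example, not something from the post or from the log2timeline project: it looks each tool up on PATH first and falls back to find over a list of common install prefixes (SEARCH_DIRS is my assumption; widen it if you install tools somewhere unusual). It only prints the paths; the sift.conf key names are not assumed here, so copy the path into whatever line of sift.conf you found pointing at the SiFT location.

```shell
#!/bin/sh
# Added example (not from the post or the log2timeline project): locate the
# Sleuth Kit binaries that sift.conf has to point at. PATH lookup first, then a
# `find` fallback over the usual install prefixes.
SEARCH_DIRS="/usr/local/bin /usr/local/sbin /usr/bin /usr/sbin /bin /sbin /opt"

# Print the full path of one tool (e.g. mmls); print nothing if it is not found.
locate_tool() {
    p=$(command -v "$1" 2>/dev/null)
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
        return 0
    fi
    # Fallback: regular files with that exact name that are owner-executable.
    # SEARCH_DIRS is deliberately unquoted so it splits into separate paths.
    find $SEARCH_DIRS -type f -name "$1" -perm -100 2>/dev/null | head -n 1
}

# Report found/missing for every tool named on the command line.
# Returns 0 when all were found, 1 when at least one is missing.
check_tsk_tools() {
    missing=0
    for t in "$@"; do
        p=$(locate_tool "$t")
        if [ -n "$p" ]; then
            printf 'found   %-6s -> %s\n' "$t" "$p"
        else
            printf 'MISSING %s (install sleuthkit, or fix the path in sift.conf)\n' "$t"
            missing=1
        fi
    done
    return $missing
}

# Usage: mmls is the one the post mentions; fls and icat are two other TSK
# binaries you will want to know the location of.
check_tsk_tools mmls fls icat || echo "some TSK tools are missing on this box"
```

Run it once before editing sift.conf and once after installing sleuthkit; the "found" lines are exactly the paths that need to go into the config.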
So executing log2timeline-sift with no parameters prints the help options. For a more detailed help page, go to the man page.
Now when you give it the -i switch (if you omit the timezone, it will grab the timezone from the registry), it starts mmls so you can choose the partition you want to run the tool against.
|choose the number... in this case 2|
Based on this input it will mount the dd image for you. Then away it goes.... now is the time to click on the Fenton video or grab some coffee, this may take a while :)
|Go baby go!|
So about 1.5 hours later the tool has finished and now I have a pretty hefty (~250 MB) file. Now you can open this bad boy up in your spreadsheet program or simply use some grep action to search for the presence of a file.
This is a hard drive image taken after I opened up a malicious PDF; the file name began with RR_11105, so let's do a quick grep of the timeline to see where this file shows up:
|To be fair I ran this PDF multiple times on the OS, hence it being seen a few times... this is a snippet of the output; the green number is the line number the search term was found on|
Once you know this, you can open up the file and go directly to the timeframe in question and see what other actions took place around that time. With this file encompassing so many different logs and artifacts on the hard drive, it is a pretty thorough timeline.
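The grep-then-read-around-it workflow above, as an added example that is not part of the original post. The timeline it searches is constructed sample data, loosely laid out like a log2timeline CSV (date, time, timezone, MACB, source, ... with the filename in the 13th column); it is not real tool output, and the lab-pc host, RR_11105 paths and the dropped file in Temp are all made up for the demonstration. Point TIMELINE at your own ~250 MB file instead and drop the heredoc.

```shell
#!/bin/sh
# Added example (not from the post): grep a timeline CSV for a file name, find
# out when it appears, and read what else happened around those moments.
# Constructed sample timeline; layout loosely modelled on l2t CSV, column 13 =
# filename. NOT real log2timeline output.
TIMELINE="${TIMELINE:-${TMPDIR:-/tmp}/sample_timeline.csv}"
cat > "$TIMELINE" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/10/2012,09:14:02,UTC,..C.,LOG,Syslog,Entry,-,lab-pc,cron run,cron.daily,2,/var/log/syslog,0,-,Syslog,-
03/10/2012,09:15:30,UTC,MACB,FILE,NTFS,Created,-,lab-pc,RR_11105.pdf,C:/Users/lab/Downloads/RR_11105.pdf,2,/Users/lab/Downloads/RR_11105.pdf,41,-,Mactime,-
03/10/2012,09:15:41,UTC,M...,REG,UserAssist,Executed,lab,lab-pc,AcroRd32.exe,AcroRd32.exe run count 3,2,NTUSER.DAT,0,-,Registry,-
03/10/2012,09:15:43,UTC,.A..,FILE,NTFS,Accessed,-,lab-pc,RR_11105.pdf,C:/Users/lab/Downloads/RR_11105.pdf,2,/Users/lab/Downloads/RR_11105.pdf,41,-,Mactime,-
03/10/2012,09:16:05,UTC,MACB,FILE,NTFS,Created,-,lab-pc,svchost.exe,C:/Users/lab/AppData/Local/Temp/svchost.exe,2,/Users/lab/AppData/Local/Temp/svchost.exe,88,-,Mactime,-
03/10/2012,11:02:17,UTC,MACB,FILE,NTFS,Created,-,lab-pc,RR_11105 (1).pdf,C:/Users/lab/Downloads/RR_11105 (1).pdf,2,/Users/lab/Downloads/RR_11105 (1).pdf,52,-,Mactime,-
03/10/2012,11:02:33,UTC,M...,REG,UserAssist,Executed,lab,lab-pc,AcroRd32.exe,AcroRd32.exe run count 4,2,NTUSER.DAT,0,-,Registry,-
EOF

# Rows mentioning TERM, prefixed with their line numbers (the "green number").
find_term() { grep -n -i -- "$2" "$1"; }

# How many rows mention TERM; prints 0 (and does not fail) when there are none.
count_hits() { grep -c -i -- "$2" "$1" || true; }

# Unique date,time stamps at which TERM appears: the windows worth reading in full.
hit_times() { grep -i -- "$2" "$1" | cut -d, -f1,2 | sort -u; }

# N rows of context before and after every hit (grep -C: GNU/BSD grep, fine on
# Ubuntu). This is the "what other actions took place around that time" step.
context_around() { grep -n -i -C "${3:-2}" -- "$2" "$1"; }

# Rows whose filename column (13) falls under a path pattern, e.g. '/Temp/',
# printed as "date time path". Handy for spotting files dropped near a hit.
rows_under_path() { awk -F, -v p="$2" '$13 ~ p { print $1 " " $2 " " $13 }' "$1"; }

# Usage, as in the post: grep for the file, then look around its timestamps.
echo "== hits =="; find_term "$TIMELINE" RR_11105
echo "== when =="; hit_times "$TIMELINE" RR_11105
echo "== context =="; context_around "$TIMELINE" RR_11105 1
echo "== files under Temp =="; rows_under_path "$TIMELINE" '/Temp/'
```

On the real file, hit_times is the function to run first: it collapses a noisy grep into a handful of timestamps, and each of those is a place to open the spreadsheet and read a few screens in both directions.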
So, now one can ask, why do all of this setup when the SiFT workstation (which is free) has this all done for you? Sometimes you want this on your own Linux build, or you just don't have the time to download the 1.5 GB VM. My internet speeds at my house can be quite atrocious, and there is something very depressing about waking up to some errors and a failed download. Or maybe you just want to peek a little bit under the hood and see what is in there.... nothing wrong with that.
Don't be disheartened when a binary does not work right off the bat: check the error, google the error, check the known bugs page, and see what others have to say about it. Chances are someone has had the same issue and already discovered the solution. Keep at it!