Security Ripcord


PreFetch EnScript and SysComboTLN Update

System Combo Timeline has been updated.  If you use syscombotln you will want to get this new version, as it contains an important bug fix.  I have also updated regtln.pl and evtparse.pl to handle double-byte and non-printable characters better, which helps when analyzing log and registry files from Windows systems with various language packs.  I do this simply by stripping the unwanted characters out of the data entries.  You do not lose this information, because you always have the original files; but if you want or need to review the original entries, you will have to go back to those files.  These two tools are also available individually on the Scripts and Tools page.

PrefetchFolderAnalysis2.EnScript is a new addition to the Scripts and Tools page.  This EnScript was originally developed by Kelcey Tietjen.  I have updated it so that it outputs in TLN format and writes a file to the Export directory configured in EnCase.  It uses the last run time to place the entry in the timeline at the moment the file was last executed.  If you integrate the results of this EnScript with the system’s file directory listing, the executions will appear alongside the MAC times.  Pay special attention to the data entry: it contains the original path of the executed command and the number of times it was executed, which is extremely helpful during analysis.

If you would like to integrate the output from PrefetchFolderAnalysis2.EnScript into your timelines generated from syscombotln, just place the resulting file into the “output” directory with any other TLN-formatted files you have created.  Running the syscombotln script will concatenate them all together.
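To make the two steps above concrete (pulling last run time and run count out of a Prefetch file, emitting it as a TLN record, and combining that record with the other TLN files in the output directory), here is an added Python example.  It is not the EnScript or syscombotln code and was written for this page; the field offsets are those of the uncompressed Prefetch header for versions 0x11, 0x17 and 0x1A, the TLN layout is the five-field Time|Source|Host|User|Description record, and the prefetch blob, host name "WS01" and the two neighbouring TLN lines are constructed sample data.  The combine step also sorts by time, which is an assumption of this example rather than something the post says syscombotln does.  The description field only carries the executable name from the header; the full original path that the EnScript reports lives in the filename-strings section, which this example does not parse.

```python
import re
import struct

# TLN record used by syscombotln-style timelines: five pipe-delimited fields,
# Time|Source|Host|User|Description, with Time as a Unix epoch (UTC).
TLN_SOURCE = "PREFETCH"
FILETIME_EPOCH_DELTA = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01

# Offsets of the fields this example reads, per Prefetch format version
# (0x11 = XP/2003, 0x17 = Vista/7, 0x1A = Windows 8).  Windows 10 files are
# MAM-compressed and must be decompressed before reaching this parser.
PF_LAYOUT = {
    0x11: {"last_run": 0x78, "run_count": 0x90},
    0x17: {"last_run": 0x80, "run_count": 0x98},
    0x1A: {"last_run": 0x80, "run_count": 0xD0},  # most recent of eight run times
}


def filetime_to_epoch(filetime):
    """Convert a Windows FILETIME (100-ns ticks since 1601) to a Unix epoch."""
    return (filetime - FILETIME_EPOCH_DELTA) // 10_000_000


def sanitize(text):
    """Keep the TLN record five fields wide: drop non-printable characters
    (the same approach the post takes for registry and event data) and the
    '|' delimiter itself, which would otherwise split the description."""
    return re.sub(r"[^\x20-\x7e]|\|", "", text)


def parse_prefetch(data):
    """Return exe name, last run time (epoch) and run count from a .pf blob."""
    if len(data) < 0x10 or data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed Prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    layout = PF_LAYOUT.get(version)
    if layout is None:
        raise ValueError("unsupported Prefetch version 0x%x" % version)
    if len(data) < layout["run_count"] + 4:
        raise ValueError("truncated Prefetch header")
    # Executable name: 60 bytes of UTF-16LE at offset 0x10, NUL-terminated.
    name = data[0x10:0x10 + 60].decode("utf-16-le", errors="replace")
    exe = name.split("\x00", 1)[0]
    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {"exe": exe, "last_run": filetime_to_epoch(last_run), "run_count": run_count}


def to_tln(rec, host, user=""):
    """Render one parsed Prefetch record as a TLN line."""
    desc = "%s executed, run count %d" % (sanitize(rec["exe"]), rec["run_count"])
    return "%d|%s|%s|%s|%s" % (rec["last_run"], TLN_SOURCE, host, user, desc)


def combine_tln(*files):
    """Concatenate TLN lines from several sources and order them by time
    (assumed behaviour for building one timeline from the output directory)."""
    lines = [ln for f in files for ln in f if ln.strip()]
    return sorted(lines, key=lambda ln: int(ln.split("|", 1)[0]))


def build_sample_prefetch(exe, last_run_epoch, run_count):
    """Construct a minimal Vista/7 (version 0x17) header for offline testing;
    only the fields parse_prefetch() reads are populated."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, 0x17)
    buf[4:8] = b"SCCA"
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<Q", buf, 0x80, last_run_epoch * 10_000_000 + FILETIME_EPOCH_DELTA)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)


# Constructed inputs: one synthetic prefetch blob plus two TLN lines standing in
# for other files already sitting in the "output" directory.
SAMPLE_PF = build_sample_prefetch("CALC.EXE", 1262304000, 7)  # 2010-01-01 00:00:00 UTC
OTHER_TLN = [
    "1262303940|FILE|WS01||MACB c:\\windows\\prefetch\\CALC.EXE-XXXXXXXX.pf",
    "1262304060|EVT|WS01|jdoe|Security/4688 process creation",
]

if __name__ == "__main__":
    rec = parse_prefetch(SAMPLE_PF)
    for line in combine_tln(OTHER_TLN, [to_tln(rec, "WS01")]):
        print(line)
```

Run stand-alone it prints the three records in time order, with the Prefetch entry between the file-system and event-log lines.  The sanitize() step matters more than it looks: a stray pipe or control character in a description breaks the five-field parse for every downstream tool, and stripping it at the parser mirrors what regtln.pl and evtparse.pl now do, with the original file kept as the reference copy.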

Go forth and do good things,

Don C. Weber


