How To Use Log2timeline!

Walk through for Windows.

log2timeline — extract timestamps from various files found on a typical computer system(s) and aggregate them.
Link: github.com/log2timeline/plaso/wiki

START:

PART #1 — Set Up

1. Download log2timeline
Link: github.com/log2timeline/plaso/releases

Click the latest version .zip for Windows “64”.
Save the file.

2. Extract the zip file.

Right-click the zip file, “Extract All…”

3. Open the extracted folder.

4. Hold SHIFT and right-click the “plaso” folder. Click “Open command window here”.

You should get this Command Prompt.


PART #2 — Command Line

5. Do a “dir”
Make sure you have the “log2timeline.exe” and “psort.exe”.

6. Run log2timeline

Execute the command:

log2timeline.exe "C:\OUTPUT_1.plaso" "C:\INPUT_PATH\IMAGE.E01"
C:\OUTPUT_1.plaso is the output file.
C:\INPUT_PATH\IMAGE.E01 is the image.
This command will create a “.plaso” file that holds the timestamp metadata extracted from the image.

Click HERE to see all compatible image formats.

For help execute log2timeline.exe --info.

7. Run psort.exe

Execute the command:

psort.exe -z US/Pacific -o l2tcsv -w "C:\FINAL_TIMELINE_OUTPUT.csv" "C:\OUTPUT_1.plaso"
-o l2tcsv: “-o” specifies the format of the output file (L2TCSV).
-z US/Pacific: “-z” specifies the timezone that you want (US/Pacific).
C:\FINAL_TIMELINE_OUTPUT.csv is the timeline CSV output.
C:\OUTPUT_1.plaso is the input plaso file.
The “.plaso” is the same file that was generated by the command in Step 6.

For help execute psort.exe --info.

8. Open the CSV (FINAL_TIMELINE_OUTPUT.csv) in Excel.

./END


OPENING AND UNDERSTANDING THE CSV

The exported CSV file can be huge, with a lot of data.
It helps a LOT to have it colorized.
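Before the CSV goes into Excel, a short script can give a first cut of the same data. The following is an added example, not part of the original post and not plaso's own code: it parses a small constructed l2tcsv sample (the column layout psort writes with -o l2tcsv), counts events per source, pulls out a time window, and searches the filename/short/desc columns for a keyword.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of "psort.exe -o l2tcsv" output for this example (not from a
# real image). The header line is the column set psort writes for l2tcsv.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/12/2017,08:15:02,US/Pacific,M...,FILE,NTFS USN change,Content Modification Time,-,WKS01,evil.exe,USN_REASON_DATA_EXTEND,2,\\Users\\bob\\evil.exe,1234,-,usnjrnl,-
01/12/2017,08:15:07,US/Pacific,...B,WEBHIST,Chrome History,Last Visited Time,bob,WKS01,http://example.test/dl,Download of dl,2,\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History,-,-,sqlite/chrome_27_history,-
01/12/2017,08:16:30,US/Pacific,M.C.,REG,Registry Key,Content Modification Time,bob,WKS01,[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run] evil,Run key value added,2,\\Users\\bob\\NTUSER.DAT,-,-,winreg/windows_run,-
01/13/2017,02:00:00,US/Pacific,.A..,FILE,NTFS file stat,Last Access Time,-,WKS01,notes.txt,Access time,2,\\Users\\bob\\notes.txt,99,-,filestat,-
"""

def parse_ts(date, time):
    """l2tcsv writes MM/DD/YYYY and HH:MM:SS, already in the zone chosen with psort -z."""
    return datetime.strptime(date + " " + time, "%m/%d/%Y %H:%M:%S")

def load_events(text):
    """Parse l2tcsv text into dicts, adding a datetime and the set of MACB letters."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = parse_ts(row["date"], row["time"])
        # MACB column is e.g. "M.C." -> letters present are the timestamp types hit
        row["macb"] = {c for c in row["MACB"] if c != "."}
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])

def count_by_source(events):
    """How many rows each plaso source (FILE, REG, WEBHIST, ...) contributed."""
    return Counter(e["source"] for e in events)

def in_window(events, start, end):
    """Events with start <= timestamp < end, the usual first cut on a huge CSV."""
    return [e for e in events if start <= e["ts"] < end]

def mentions(events, needle):
    """Events whose filename, short or desc column contains needle (case-insensitive)."""
    n = needle.lower()
    return [e for e in events if any(n in e[k].lower() for k in ("filename", "short", "desc"))]

if __name__ == "__main__":
    evs = load_events(SAMPLE_L2TCSV)
    print(count_by_source(evs))
    for e in mentions(evs, "evil"):
        print(e["ts"], e["source"], "".join(sorted(e["macb"])), e["short"])
```

To run it against a real export, replace SAMPLE_L2TCSV with the contents of FINAL_TIMELINE_OUTPUT.csv read from disk.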

./START

PART #1 — TIMELINE_COLOR_TEMPLATE

1. Download the Excel file template:

https://github.com/riodw/Log2timeline-TIMELINE_COLOR_TEMPLATE/raw/master/TIMELINE_COLOR_TEMPLATE.xlsx

2. Open the file.
There should be 2 Sheets.

The “LEGEND” sheet should look like this:

3. In the “Color Timeline” sheet, click the “Data” tab.

4. Click “From Text”.

5. Open the exported CSV file.
Click “Import”.

6. Navigate the Wizard.

Make “Delimited” the active radio-button.

Click “Next >”

Checkmark “Comma”.

Click Finish, then hit Enter.

./DONE
