by Lawrence Rogers (2012-09-12):
* Release 0.65-1
- [UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
- [SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
- [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
- [EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
- [Altiris input] Fixed a small bug when the date is malformed.
- [Log2Timeline library] Fixed a few bugs:
- Small error in the format sort, caused oxml to sometimes be skipped in processing.
- [GENERIC_LINUX input] Added a small extra eval sentence.
- [LS_QUARANTINE] Fixed a minor bug in the get_time routine; if a database error occurs it is caught by an eval sentence.
- [TEST] Added few more tests.
- [MOST INPUT MODULES] Changed the line:
    my $line = <$fh> or return undef;
  in most input modules.
- [WIN library] Added a few more transformations of Windows stored time zones into "olson" ones understood by DateTime.
- [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
- [faersluskra2timalina] Added a new frontend to the tool, exact copy of log2timeline, except all parameters in Icelandic... kinda
- [timescanner tool] Removed this frontend from the Makefile since it serves no purpose (as in no longer part of the automatic installation).
by Lawrence Rogers (2012-06-11):
* Release 0.64-1
- [TESTSUITE] Added the first version of a test suite to the tool.
- All tests are located inside the t/ directory.
- Tests should be constructed for ALL possible uses of the tool, not limited to:
- Raw parsing of logs using input modules.
- Correct output for output modules.
- Correct output from each function inside modules/libraries.
- The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
- [LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
- [Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
- Changed the exclusion list so it can be easily changed
- Added a call to ->end on each input module if verification failed.
- Minor bug fixes in the main engine.
- Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
- Added support to detect shortcuts in Windows systems.
- Added the "path_orig" to all input modules (making it possible to "fix" paths).
- [CHROME input] Slight changes to the output based on the value of the typed_count variable; also updated the path
to the code that describes the transition types.
- [SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool
not to include SKYPE data when recursive mode was set on.
- Also fixed UTF-8 support, should properly display UTF-8 by now.
- [PREFETCH input] Small changes to the verification module.
- [WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
- [SQLITE output] Changed the way the SQLite code is written considerably, pre-compiling statements to prevent them
being compiled for each insert, using transactions instead of writing them constantly to the DB, and other minor tweaks
to make the DB output faster than before (since it was incredibly slow before).
- [CHROME input] Small bug to fix UTF-8 support.
- [FIREFOX3 input] Small bug to fix UTF-8 support.
- [PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive
is turned on.
- [RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive
is turned on.
- [LIST files] Added a few items to the Windows list files, and created a Mac OS X one.
- [MFT input] Fixed a bug with Unicode support.
- [RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
- [SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
- [EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace).
- Issue when Parse::Evtx was installed on SIFT, causing the tool to first load the library from Schuster, and not the
slightly changed one distributed by the tool, causing the module to not work.
by Lawrence Rogers (2012-04-09):
* Release 0.63-1
Version 0.63 (09/04/2012)
- ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
- Also several modules have had their documentation updated and code reformatted to reflect the recent release of a style guide
for the project. perltidy is not enough to enforce that, but it is at least a start. Rewriting the documentation (pod) is also a vital
part of making the modules easier to use/understand/develop.
- All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably
more useful than it was.
- [SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores
the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
- This makes it possible to output using this method and then sorting is simpler since it does not require the module
to read in the csv and change it into something like a hash, since it is already stored as such.
- This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV
instead of using CSV as default and trying to filter that output.
- This also makes it easier to filter, based on certain attributes, instead of at the line level.
- [WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
- [FIREFOX3 input] Added a check to see if the SQLite database has a -wal or -shm file (in addition to -journal),
and if it does, the same procedure is followed as for a -journal (the read-only database is copied to a temp location).
This was pointed out to me by Svante.
- [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail
option/parameter is used.
- [MFT input] Inside the verification routine a check is made to see if the magic value is FILE0; it should only be FILE.
Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
- [SAM input] Changed the handling of SAM database data; it did not properly parse the SAM database file in certain cases
due to the keys being prefilled with the CMI-CREATE....
- [NTUSER input] Changed a value check in UserAssist key parsing that caused UserAssist keys not to be properly parsed.
- [WIN_LINK input] The values for mtime and atime were swapped (the correct order is CAM, not CMA as it was).
- [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
- [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
- [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
- [win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named
timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
- [LOG2TIMELINE] Small bug in the log2timeline library, causing an input module list with more than one - sign in it
not to be properly verified.
- [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not
yet complete, style guide.
- [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
- Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output error
message if debug is turned on.