Thursday, February 25, 2010

Some help with data analysis timelines...

It's not often that I get to post about some of the things I learn of on the job, but this is a pretty exciting one. For a while I have wanted a simplified method for sorting events that happen on computers (e.g., file timestamps, changes to the Windows Registry, event logs, browser use and sites visited) together with firewall logs or IDS logs.

Well, there is a great tool out there for doing this sort of work called log2timeline, but up till now I had problems getting some of the requisite Perl-language modules installed, so I have not had the chance to troubleshoot it or spend any time on it. But today one of my coworkers notified me there was a great 'howto' document on the web (here is the link to the site). It looks pretty well explained and resolves the problems my associate and I had in the past with installing and compiling it. In fact Chris was excited that he got it working and we traded some usage ideas. So thanks go to Chris for finding that aid and I owe him a solid in return.

I am thinking I can use log2timeline in a small side-project where I can take some of the events from a malware analysis class I took last year at SANS. The plan is to capture the attempted call-outs using tcpdump and file timestamps on the 'victim' system and put both of these disparate sources together in a sorted-by-date/time listing. I will let you know how it goes.
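As an added example (not code from this post or from log2timeline itself), here is the merge described above in Python: constructed tcpdump -tttt lines and file modification times are normalized to UTC and sorted into one listing. The IP addresses, file paths and the victim's UTC offset are assumptions made up for illustration; the offset matters because the victim's file clock and the capture host rarely agree on a time zone.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# One normalized record; 'when' is always UTC so both sources sort together.
Event = namedtuple("Event", "when source desc")

# Constructed sample of tcpdump output run with -tttt (full date on each line).
TCPDUMP_LINES = [
    "2010-02-25 14:02:11.104233 IP 192.0.2.10.49152 > 198.51.100.7.80: Flags [S], seq 1",
    "2010-02-25 14:02:13.991002 IP 192.0.2.10.49153 > 198.51.100.7.443: Flags [S], seq 9",
]
# Constructed sample of (path, mtime) from the 'victim' box. Its clock shows
# local time (assumed UTC-5 here) while tcpdump above logged in UTC.
FILE_RECORDS = [
    ("C:/Windows/Temp/svc.exe", "2010-02-25 09:02:09"),
    ("C:/Users/lab/AppData/update.dll", "2010-02-25 09:02:12"),
]
VICTIM_UTC_OFFSET_HOURS = -5

TCPDUMP_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP (\S+) > (\S+):"
)

def parse_tcpdump(lines):
    """Turn -tttt lines into Events; lines without a parsable stamp are skipped."""
    events = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event(when.replace(tzinfo=timezone.utc), "tcpdump",
                            f"{m.group(2)} -> {m.group(3)}"))
    return events

def parse_files(records, utc_offset_hours):
    """Convert victim-local mtimes to UTC before they are mixed with the capture."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for path, stamp in records:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        events.append(Event(local.astimezone(timezone.utc), "file-mtime", path))
    return events

def build_timeline(tcpdump_lines, file_records, utc_offset_hours):
    """The sorted-by-date/time listing: both sources merged on their UTC stamp."""
    events = parse_tcpdump(tcpdump_lines) + parse_files(file_records, utc_offset_hours)
    return sorted(events, key=lambda e: e.when)
```

With the sample data the file drops and the call-outs interleave, which is exactly the "file written, then connection attempted" ordering a timeline is meant to expose.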
