In addition to the plugins, I have included a whitepaper on how these plugins were created and used. It is released mainly in the hope that people will see how to use the framework and be able to write their own plugins or extend existing ones.
I have included all these plugins in a zip file:
$ unzip -l timeliner_9-2011.zip
Archive:  timeliner_9-2011.zip
  Length     Date    Time    Name
 --------    ----    ----    ----
    14455  09-28-11  14:40   volatility/plugins/timeliner.py
    10789  09-27-11  09:24   volatility/plugins/evtlogs.py
   147458  09-09-11  11:03   volatility/plugins/malware.py
    13559  09-22-11  19:09   volatility/plugins/registryapi.py
     8554  09-18-11  21:33   volatility/plugins/getsids.py
    40993  09-22-11  16:29   volatility/plugins/getservicesids.py
 --------                    -------
   235808                    6 files
- evtlogs.py: plugin to parse EVT logs from XP/2K3
- registryapi.py: plugin for routine registry actions
- getsids.py: the updated getsids plugin (uses getservicesids.py to name service SIDs)
- getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs plugins)
- timeliner.py: the timeline-creating script that pulls everything together
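As an added example, not code from the plugins above: the derivation Windows uses for a service's virtual-account SID, which is what a plugin like getservicesids.py has to reproduce so that S-1-5-80-... SIDs seen in process tokens and event records can be mapped back to service names. Windows takes the SHA-1 of the upper-cased service name encoded as UTF-16LE and uses the five little-endian DWORDs of the digest as sub-authorities. The service names below are constructed sample input.

```python
import hashlib
import struct


def service_sid(service_name: str) -> str:
    """Compute the NT SERVICE virtual-account SID (S-1-5-80-...) for a service.

    Windows upper-cases the service name, encodes it as UTF-16LE, takes the
    SHA-1 digest (20 bytes) and splits it into five little-endian 32-bit
    sub-authorities appended to the S-1-5-80 prefix. Because of the upper-casing
    the result is case-insensitive in the service name.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(x) for x in subauths)


def service_sid_map(service_names):
    """Map SID -> 'NT SERVICE\\name' so a SID found in a token or log can be named."""
    return {service_sid(n): "NT SERVICE\\" + n for n in service_names}


def resolve_sid(sid: str, lookup: dict) -> str:
    """Return the service account name for sid, or the raw SID if it is unknown."""
    return lookup.get(sid, sid)


# Constructed sample: service key names as they would appear under
# HKLM\SYSTEM\<ControlSet>\Services in a registry hive carved from memory.
SAMPLE_SERVICES = ["TrustedInstaller", "wuauserv", "Dhcp"]

if __name__ == "__main__":
    for sid, name in service_sid_map(SAMPLE_SERVICES).items():
        print(sid, name)
```

The TrustedInstaller SID this produces, S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464, is the well-known value Windows itself reports for that service, which is a convenient sanity check for the implementation.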
MHL's malware plugins (malware.py) are included only for convenience. You can also download them from his repository and check there for updates.
I would like to thank MHL and AW for their valuable feedback and Bertha M for extensive testing of the timeliner plugins. The links to the paper and plugins are below:
Timeliner Release Documentation (PDF)
timeliner plugins (ZIP)
Note: Any updates to these plugins will appear in my github repository first.
5 comments:
Great job, and thanks for sharing with the community.
Nice work. I am not a programmer, but I appreciate your hard work. It should prove useful.
Thank you
Ben
I can't get the -S or -E functions to work (start and end times) using the YYYY-MM-DD format ... is this a bug?
@Anonymous #2:
If you are talking about this happening with the timeliner plugin, it was unintentional. I forgot to remove the options inherited from registryapi and actually didn't intend for one to be able to supply start/end times for timeliner itself. It is simple enough to add, however.
I am working on a newer version anyway, since I want to separate the registryapi functions to make it easier to inherit without having to worry about removing all of its options for the inheriting plugin. I will add the start/end capability to timeliner as well in a later release if it seems like a feature people would like.
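An added illustration of the start/end filtering discussed in the reply above and of the timestamp normalization any timeline plugin has to do; it is not code from timeliner.py. It converts two timestamp encodings found in the artifacts these plugins parse, Windows FILETIME (100 ns ticks since 1601-01-01 UTC, used for registry key last-write and process creation times) and the 32-bit Unix-epoch seconds stored in EVT record headers, to UTC, merges the rows, and keeps only those between -S and -E given as YYYY-MM-DD. The event records are constructed samples, and treating the -E day as included in full is an assumption of this example, not documented behaviour of the plugin.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Seconds from the FILETIME epoch (1601-01-01) to the Unix epoch (1970-01-01)
EPOCH_DIFF_SECONDS = 11644473600


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (registry LastWrite, process times)."""
    seconds, ticks = divmod(filetime, 10_000_000)
    return UNIX_EPOCH + timedelta(seconds=seconds - EPOCH_DIFF_SECONDS,
                                  microseconds=ticks // 10)


def unixtime_to_datetime(seconds: int) -> datetime:
    """32-bit Unix time as stored in EVT record headers (TimeGenerated / TimeWritten)."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def parse_day(text):
    """Parse a -S/-E style YYYY-MM-DD argument as midnight UTC; None passes through."""
    if text is None:
        return None
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def build_timeline(events, start=None, end=None):
    """Normalize artifact records to UTC, drop those outside [start, end], sort oldest first."""
    start_dt = parse_day(start)
    # Assumption of this example: the -E day is included in full, so cut at the next midnight.
    end_dt = parse_day(end) + timedelta(days=1) if end else None
    rows = []
    for ev in events:
        if ev["encoding"] == "filetime":
            ts = filetime_to_datetime(ev["raw"])
        elif ev["encoding"] == "unix":
            ts = unixtime_to_datetime(ev["raw"])
        else:
            raise ValueError("unknown timestamp encoding: %r" % ev["encoding"])
        if start_dt is not None and ts < start_dt:
            continue
        if end_dt is not None and ts >= end_dt:
            continue
        rows.append((ts, ev["source"], ev["detail"]))
    rows.sort()
    return rows


def render(rows):
    """One pipe-delimited line per row: timestamp|source|detail."""
    return ["%s|%s|%s" % (ts.strftime("%Y-%m-%d %H:%M:%S UTC"), src, det)
            for ts, src, det in rows]


# Constructed sample records standing in for what the plugins would pull from memory.
# Raw values decode to 2011-09-28 14:40, 2011-09-28 01:00, 2011-09-26 00:00 and 2011-09-27 12:00 UTC.
SAMPLE_EVENTS = [
    {"source": "Registry", "encoding": "filetime", "raw": 129616944000000000,
     "detail": "HKLM\\SYSTEM\\ControlSet001\\Services\\wuauserv LastWrite"},
    {"source": "EvtLog", "encoding": "unix", "raw": 1317171600,
     "detail": "Security 528 successful logon"},
    {"source": "EvtLog", "encoding": "unix", "raw": 1316995200,
     "detail": "System 7036 service entered the running state"},
    {"source": "Process", "encoding": "filetime", "raw": 129615984000000000,
     "detail": "cmd.exe (PID 1234) CreateTime"},
]

if __name__ == "__main__":
    for line in render(build_timeline(SAMPLE_EVENTS, start="2011-09-27", end="2011-09-28")):
        print(line)
```

Converting everything to UTC before sorting matters more than it looks: registry and process timestamps are already UTC in memory, but a timeline that mixes them with times interpreted in the image's local time zone will interleave events in the wrong order.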
Hello,
I am receiving the following error when trying to use the timeliner plugin. Have you seen this before, or do you have any suggestions? Thanks.
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 135, in
main()
File "/usr/local/bin/vol.py", line 126, in main
command.execute()
File "/usr/local/src/Volatility/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/usr/local/src/Volatility/volatility/plugins/timeliner.py", line 86, in render_text
for line in data:
File "/usr/local/src/Volatility/volatility/plugins/timeliner.py", line 190, in calculate
space = self.find_space(addr_space, procs, mod_base)
AttributeError: 'TimeLiner' object has no attribute 'find_space'