Closed fligi7 closed 9 years ago
It should just be log2timeline
Meaning the "log2timeline-sift" command (which existed in v2.14) has been removed from the SIFT distribution as of v3.0?
Meaning that the command is just log2timeline, I believe the -sift had some specific changes that are no longer necessary.
Ok, so log2timeline now performs the same functions as log2timeline-sift.
The log2timeline-cheatsheet.pdf distributed with SIFT 3.0 still references log2timeline-sift as an available command, so that needs to be updated.
With log2timeline-sift gone, how does one use log2timeline parse/extract from a logical/partition drive that's in the /mnt/ewf folder? The -i switch appears to be reserved for log2timeline-sift.
Since this feature is gone, you'll need to mount the image and partition you'd like to parse (which used to be automated by the *-sift command).
I suggest mounting the raw ewf file, just as you would any other dd/raw image, with the mount command. Then, find the offset of the partition you'd like to mount using the mmls command, mount that partition to a /mnt/* folder, then point log2timeline to that folder with the "-r" option to recurse.
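The manual workflow described above (expose the E01 as a raw image, find the partition offset with mmls, mount that partition read-only, then run log2timeline with -r) as a worked shell script. This is an added example, not code from this thread or from the SIFT project. The mmls output embedded in it is constructed sample output so the offset parser can be exercised offline; mount points, the `win7` input module and the `-p`/`-z`/`-w` flags on the old Perl log2timeline are assumptions taken from its own `-h` output and should be checked on the box you run it on.

```shell
#!/bin/sh
# Added example (not from the original issue): manual E01 -> partition -> timeline.

# Constructed sample of `mmls` output for a two-partition NTFS disk.
SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
EOF
)

# Byte offset of a partition, parsed from mmls output.
#   $1: mmls output text   $2: slot number as mmls prints it (2, 02, 002 all work)
# Prints start_sector * sector_size; returns 1 if the slot is not present.
# mmls reports the start in sectors, so multiplying by the unit size from the
# "Units are in N-byte sectors" line is the step people most often get wrong.
mmls_offset_bytes() {
    printf '%s\n' "$1" | awk -v slot="$2" '
        BEGIN { unit = 512 }                                   # mmls default
        /^Units are in/ { sub(/-byte.*/, "", $4); unit = $4 + 0 }
        $1 ~ /^[0-9]+:$/ {
            n = $1; sub(/:/, "", n)
            if (n + 0 == slot + 0) { print $3 * unit; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# The real procedure. Needs root, libewf (ewfmount) and The Sleuth Kit (mmls).
# Not executed unless the script is invoked as:  sh this.sh run evidence.E01 [ewfdir] [mnt] [slot]
run_timeline() {
    img=$1
    ewfdir=${2:-/mnt/ewf}            # assumed mount point for the raw view of the E01
    mnt=${3:-/mnt/windows_mount}     # assumed mount point for the chosen partition
    slot=${4:-2}                     # partition slot from mmls; 2 is the first NTFS one above
    mkdir -p "$ewfdir" "$mnt"
    ewfmount "$img" "$ewfdir"                      # exposes $ewfdir/ewf1 as a raw image
    raw="$ewfdir/ewf1"
    off=$(mmls_offset_bytes "$(mmls "$raw")" "$slot") \
        || { echo "partition slot $slot not found in mmls output" >&2; return 1; }
    # Read-only loop mount at the computed byte offset; never mount evidence rw.
    mount -o ro,loop,offset="$off" "$raw" "$mnt"
    # Recurse (-r) over the mounted filesystem, as the thread describes.
    # Flags beyond -r are assumptions about the Perl log2timeline; verify with `log2timeline -h`.
    log2timeline -r -p -z UTC -f win7 -w timeline.csv "$mnt"
}

if [ "${1:-}" = "run" ]; then
    shift
    run_timeline "$@"
fi
```

On a real image, `mmls evidence.E01` works directly when The Sleuth Kit was built with libewf support, but pointing it at the ewfmount raw view as above works regardless of how it was built.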
Thanks @jklipsch -- I'm checking into the origin of the -i option, but given it wasn't a part of the original log2timeline or the new plaso version, I'm hesitant to try and get it added back in. I'm trying to keep SIFT to developer packages only, so we can make sure everything keeps up to date.
We are talking about whether or not to add the script back in, but it is becoming old and legacy code now.
The functionality provided by -i is built into the new log2timeline/plaso combination ... here is an explanation from the author:

> This is all done automatically in the new tool, no need for a -i parameter, just do
>
>     log2timeline.py /cases/whereidropmystoragefile/storage.dump pathtomyimagefile.E01/dd/whatever
>
> And the tool reads in the image and does not need to mount it at all, it can just read the image directly. If there are partitions it will read the partition.
I just tried running the command on SIFT 3.0 as stated above and it doesn't work. I've pointed it to both a source .E01 and a mounted E01 image via ewfmount (i.e. the raw image file it mounts), neither with success. The command simply exits.
The only way I've found to successfully run log2timeline is to mount the filesystem and run it against the root of the mounted filesystem with the "-r" option.
Can you please confirm whether or not we should be able to simply point l2t to an image file and, if so, how (as the above instructions do not work)?
I have realized the confusion here. There are two commands within SIFT 3.0:
- log2timeline
- log2timeline.py

The former is what I've been using/referencing, as that is what is used and described for timeline creation within the latest SIFT 3.0 documentation located at "readthedocs.org". However, I've just discovered that the latter is a completely separate command that actually provides the functionality described here by ekristen. Up until just now, I did not realize they were two distinctly different commands as the latest documentation makes no reference to the latter.
This might be something you all want to clarify within the latest documentation so that others may not be confused as well.
Thanks for this guys! I've been meaning to write my feedback for a while now, but yes I concur with "fligi7" in using log2timeline.py for the processing of dd'ed images.
@fligi7 I'll make note to update the documentation.
When issuing the "log2timeline-sift" command, it returns a "command not found" error.
This is on the default install (unzip SIFT 3.0 to Virtual Machine directory, open Virtual machine, start it up, issue command in terminal).