
[forensics] SuperTimeline

【Old: log2timeline 0.x (Perl)】
# mount -t ntfs-3g -o loop,ro,show_sys_files,streams_interface=windows,offset=32256 /mnt/hgfs/image.dd /mnt/windows_mount
# log2timeline -z Japan -p -r -f winxp /mnt/windows_mount -w supertimeline.txt
# l2t_process -b supertimeline.txt > supertimeline.csv

【New: plaso (log2timeline.py / psort.py)】
# log2timeline.py -o 63 --parsers "win7" /cases/timeline/myhost.dump image.dd
# psort.py -w /cases/timeline/myhost.sorted.csv /cases/timeline/myhost.dump

【Windows】
log2timeline.exe -o 63 -z Japan -p --vss myhost.dump image.dd
psort.exe -z Japan -w supertimeline.txt myhost.dump
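The old mount offset (32256 bytes) and the new `-o 63` are the same NTFS partition start in two units: 63 sectors x 512 bytes. As an added example, not part of the original note or of plaso itself, the script below pulls the NTFS start sector out of Sleuth Kit `mmls` output (a constructed sample is embedded so it runs offline), converts it to the byte offset `mount` wants, and runs the two plaso steps with the same flags as above. `DRY_RUN=1` only prints the commands, which is what the check at the end relies on. The `win7` parser preset, the `Japan` timezone and the `/cases/timeline` layout come from the note; the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example wrapping the plaso pipeline from the note above.
# Assumes log2timeline.py and psort.py are on PATH when not in DRY_RUN mode.
set -eu

# Constructed mmls output (Sleuth Kit layout) for a typical XP/7 image whose
# single NTFS partition starts at sector 63.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000208844   0000208782   NTFS / exFAT (0x07)'

# Sector offset (what mmls prints and plaso -o expects) -> byte offset
# (what mount -o offset= expects). 63 sectors -> 32256 bytes.
byte_offset() {
    echo $(( $1 * 512 ))
}

# Read mmls output on stdin and print the start sector of the first NTFS
# partition. Only numbered rows (e.g. "002:") are partition entries.
ntfs_start_sector() {
    awk '$1 ~ /^[0-9]+:$/ && /NTFS/ { print $3 + 0; exit }'
}

# Print the read-only ntfs-3g mount command for a given image and sector offset.
mount_cmd() {
    image=$1; sectors=$2; mountpoint=$3
    echo "mount -t ntfs-3g -o loop,ro,show_sys_files,streams_interface=windows,offset=$(byte_offset "$sectors") $image $mountpoint"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The two plaso steps: collect into a storage file, then sort to CSV.
# Usage: supertimeline IMAGE SECTOR_OFFSET TIMEZONE OUTDIR
supertimeline() {
    image=$1; sectors=$2; tz=$3; outdir=$4
    base=$(basename "$image" .dd)
    dump="$outdir/$base.dump"
    csv="$outdir/$base.sorted.csv"
    run log2timeline.py -o "$sectors" -z "$tz" --parsers win7 "$dump" "$image"
    run psort.py -z "$tz" -w "$csv" "$dump"
}

# Stand-alone use: ./supertimeline.sh image.dd Japan /cases/timeline
# (sector offset is taken from mmls on the image).
if [ $# -eq 3 ]; then
    sectors=$(mmls "$1" | ntfs_start_sector)
    mount_cmd "$1" "$sectors" /mnt/windows_mount
    supertimeline "$1" "$sectors" "$2" "$3"
fi
```

Feeding `mmls` through `ntfs_start_sector` avoids copying a hard-coded 63 between the mount line and the plaso line; on images with a 1 MiB-aligned first partition the value is 2048, and the same script works unchanged.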

http://plaso.kiddaland.net/usage/upgrading-from-0-x-branch