Difference between revisions of "TLN"

From ForensicsWiki
Line 1: Line 1:
TLN is a timeline format (as far known) introduced in a [http://windowsir.blogspot.ch/2009/02/timeline-analysis-pt-iii.html blog post] by [[Harlan Carvey]].
+
TLN is a timeline format (as far known) introduced in a [http://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html blog post] by [[Harlan Carvey]].
  
 
He specifies the following 5 | separated fields:
 
He specifies the following 5 | separated fields:
Line 32: Line 32:
  
 
== External Links ==
 
== External Links ==
* [http://windowsir.blogspot.ch/2009/02/timeline-analysis-pt-iii.html TimeLine Analysis, pt III], by [[Harlan Carvey]], February 28, 2009
+
* [http://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html TimeLine Analysis, pt III], by [[Harlan Carvey]], February 28, 2009
* [http://windowsir.blogspot.ch/2010/02/timeline-analysisdo-we-need-standard.html Timeline Analysis...do we need a standard?], by [[Harlan Carvey]], February 08, 2010
+
* [http://windowsir.blogspot.com/2010/02/timeline-analysisdo-we-need-standard.html Timeline Analysis...do we need a standard?], by [[Harlan Carvey]], February 08, 2010
 
* [https://code.google.com/p/log2timeline/source/browse/lib/Log2t/output/tln.pm log2timeline variant of TLN]
 
* [https://code.google.com/p/log2timeline/source/browse/lib/Log2t/output/tln.pm log2timeline variant of TLN]
  
 
[[Category:Timeline Analysis]]
 
[[Category:Timeline Analysis]]

Revision as of 11:19, 26 March 2015

TLN is a timeline format that, as far as is known, was introduced in a blog post by Harlan Carvey.

He specifies the following five fields, separated by the | (pipe) character:

Time|Source|Host|User|Description

Time - 32-bit POSIX (or Unix) epoch timestamp

It is unclear whether negative timestamps are supported, or how values that overflow a 32-bit integer should be represented.

Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) and may require a key or legend.

As far as is known, there is no list of predefined common sources.

Host - The host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may also require a key or legend)

User - User, defined by user name, SID, email address, IM screenname, etc. (may also require a key or legend)

Description - The description of what happened; this is where context comes in...

In addition, the Description field appears to be allowed to be overloaded with sub-values separated by the ; (semicolon) character. An example from the same blog post:

1123619888|EVT|PETER|S-1-5-18|Userenv/1517;EVENTLOG_WARNING_TYPE;PETER\Harlan

It appears that the semicolon-separated sub-fields within the Description are not pre-defined.

Variants

Known variants of TLN are:

  • l2tTLN (log2timeline TLN); which extends the format with a TZ (timezone) and Notes field.
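As an added example (not code from this wiki page or from log2timeline), a small Python parser for the five-field TLN line and the seven-field l2tTLN variant. It assumes l2tTLN appends TZ and Notes as the sixth and seventh fields, splits the overloaded Description on semicolons, and flags the negative and 32-bit-overflow timestamps that the format leaves unspecified; the second and third sample lines are constructed.

```python
import datetime
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class TlnEvent:
    time: int                    # POSIX epoch seconds exactly as written
    source: str
    host: str
    user: str
    description: str
    sub_fields: List[str]        # Description split on ';' (not predefined)
    tz: Optional[str] = None     # l2tTLN only (assumed 6th field)
    notes: Optional[str] = None  # l2tTLN only (assumed 7th field)
    warnings: List[str] = field(default_factory=list)

    def utc(self) -> datetime.datetime:
        # Plain TLN carries no timezone, so the epoch is taken as UTC.
        return datetime.datetime.fromtimestamp(self.time, tz=datetime.timezone.utc)

def parse_tln_line(line: str) -> TlnEvent:
    """Parse one TLN (5 fields) or l2tTLN (7 fields) line."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) not in (5, 7):
        raise ValueError(f"expected 5 or 7 '|' fields, got {len(parts)}: {line!r}")
    try:
        epoch = int(parts[0])
    except ValueError:
        raise ValueError(f"Time is not an integer epoch: {parts[0]!r}") from None
    ev = TlnEvent(epoch, parts[1], parts[2], parts[3], parts[4], parts[4].split(";"))
    if len(parts) == 7:
        ev.tz, ev.notes = parts[5], parts[6]
    # The format leaves negative and >32-bit timestamps unspecified: flag them.
    if epoch < 0:
        ev.warnings.append("negative timestamp: support unspecified")
    elif epoch > 0x7FFFFFFF:
        ev.warnings.append("timestamp exceeds signed 32-bit range: unspecified")
    return ev

# Constructed sample: line 1 is the blog-post example; lines 2-3 are made up
# to exercise the l2tTLN extension and the 32-bit boundary.
SAMPLE_LINES = [
    "1123619888|EVT|PETER|S-1-5-18|Userenv/1517;EVENTLOG_WARNING_TYPE;PETER\\Harlan",
    "1234567890|FILE|PETER|-|C:\\Temp\\tool.exe created|UTC|constructed note",
    "2147483648|REG|PETER|S-1-5-18|HKLM\\Software\\Example;modified",
]

def parse_tln(lines) -> List[TlnEvent]:
    return [parse_tln_line(l) for l in lines]
```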

External Links