TLN

From ForensicsWiki
Revision as of 11:19, 26 March 2015 by Joachim Metz (Talk | contribs)


TLN is a timeline format that, as far as is known, was introduced in a blog post by Harlan Carvey.

He specifies the following five |-separated fields:

Time|Source|Host|User|Description

Time - 32-bit POSIX (or Unix) epoch timestamp

It is unclear whether negative timestamps are supported or how values that overflow 32 bits should be represented.

Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) and may require a key or legend.

As far as is known there is no list of predefined common sources.

Host - The host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may also require a key or legend)

User - User, defined by user name, SID, email address, IM screenname, etc. (may also require a key or legend)

Description - The description of what happened; this is where context comes in...

In addition, the Description field appears to be allowed to be overloaded with ;-separated values. An example from the same blog post:

1123619888|EVT|PETER|S-1-5-18|Userenv/1517;EVENTLOG_WARNING_TYPE;PETER\Harlan

It appears that the ;-separated fields within the Description are not pre-defined.

Variants

Known variants of TLN are:

  • l2tTLN (log2timeline TLN); which extends the format with a TZ (timezone) and Notes field.
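The following parser is an added example, not code from the wiki page or from Harlan Carvey or log2timeline. It splits TLN lines into the five fields described above, breaks an overloaded Description on ;, flags the two cases the format leaves undefined (negative timestamps and values beyond 32 bits), and accepts the l2tTLN variant. The page only says that l2tTLN adds a TZ and a Notes field; the example assumes they follow Description in that order. All sample lines other than the first (which is the blog post example quoted above) are constructed.

```python
# Added example parser for TLN and l2tTLN timeline lines (not code from the wiki page).
# Assumption: l2tTLN appends its TZ and Notes fields after Description, in that order.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

TLN_FIELDS = ("Time", "Source", "Host", "User", "Description")
L2TTLN_FIELDS = TLN_FIELDS + ("TZ", "Notes")   # assumed order, see lead-in
UINT32_MAX = 0xFFFFFFFF


@dataclass
class TLNEvent:
    time: int                 # POSIX epoch seconds exactly as written in the file
    source: str
    host: str
    user: str
    description: str
    details: List[str]        # Description split on ';' (overloaded description)
    tz: Optional[str] = None  # l2tTLN only
    notes: Optional[str] = None
    warnings: List[str] = field(default_factory=list)

    def timestamp(self) -> datetime:
        """Time as an aware UTC datetime; the l2tTLN TZ field is not applied here."""
        return datetime.fromtimestamp(self.time, tz=timezone.utc)

    def to_line(self) -> str:
        """Re-serialise the event; TLN defines no escaping, so refuse '|' inside a field."""
        fields = [str(self.time), self.source, self.host, self.user, self.description]
        if self.tz is not None or self.notes is not None:
            fields += [self.tz or "", self.notes or ""]
        if any("|" in f for f in fields):
            raise ValueError("TLN defines no escaping for '|' inside a field")
        return "|".join(fields)


def parse_tln_line(line: str) -> TLNEvent:
    parts = line.rstrip("\r\n").split("|")
    if len(parts) not in (len(TLN_FIELDS), len(L2TTLN_FIELDS)):
        # No escaping is defined, so a stray '|' in Description shifts every later field;
        # reject the line so it can be reviewed rather than silently misattributed.
        raise ValueError(f"expected 5 (TLN) or 7 (l2tTLN) fields, got {len(parts)}")
    try:
        t = int(parts[0])
    except ValueError:
        raise ValueError(f"Time field is not an integer: {parts[0]!r}") from None
    warnings = []
    if t < 0:
        warnings.append("negative timestamp: support undefined by the format")
    elif t > UINT32_MAX:
        warnings.append("timestamp exceeds 32 bits: representation undefined by the format")
    ev = TLNEvent(time=t, source=parts[1], host=parts[2], user=parts[3],
                  description=parts[4], details=parts[4].split(";"), warnings=warnings)
    if len(parts) == len(L2TTLN_FIELDS):
        ev.tz, ev.notes = parts[5], parts[6]
    return ev


def parse_tln(text: str) -> Tuple[List[TLNEvent], List[Tuple[int, str]]]:
    """Parse a whole file: returns events sorted by Time plus (line number, error) pairs."""
    events, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            events.append(parse_tln_line(raw))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    events.sort(key=lambda e: e.time)
    return events, errors


# Constructed sample: line 1 is the blog post example quoted on the page; the rest are
# made up to exercise the l2tTLN variant, the undefined timestamp cases and a bad field count.
SAMPLE = """\
1123619888|EVT|PETER|S-1-5-18|Userenv/1517;EVENTLOG_WARNING_TYPE;PETER\\Harlan
1123619000|FILE|PETER|-|C:\\Windows\\Temp\\x.tmp created|UTC|sample l2tTLN line
-5|REG|PETER|-|negative time
5000000000|REG|PETER|-|value beyond 32 bits
1123619999|EVT|PETER|S-1-5-18|bad|extra|field|count
"""

if __name__ == "__main__":
    evs, errs = parse_tln(SAMPLE)
    for e in evs:
        print(e.time, e.source, e.host, e.user, e.details, e.tz, e.notes, e.warnings)
    for lineno, msg in errs:
        print(f"line {lineno}: {msg}")
```

The parser keeps the Time value as written and only annotates the undefined cases, so a reviewer can decide how a particular producer meant them; converting with `timestamp()` is deliberately separate from parsing.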

External Links