He specifies the following 5 | separated fields:
Time - 32-bit POSIX (or Unix) epoch timestamp
It is unclear if negative timestamps are supported or how values that overflow the 32-bit should be represented.
Joachim, I'm not sure what you're asking here. I haven't yet encountered a "negative timestamp", nor "values that overflow the 32-bit".
Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) and may require a key or legend.
As far known there is no list of predefined common sources.
"Windows Forensic Analysis, 4/e" chapter 7 includes several, as does the TLN application used to add individual entries to a timeline. The field is approx 8 char in length, and is intended to provide context to the timestamped event being recorded in the timeline. Many of the tools I've provided (they are freely available) that produce TLN output will embed the Source field in the output.
Host - The host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may also require a key or legend)
User - User, defined by user name, SID, email address, IM screenname, etc. (may also require a key or legend)
Description - The description of what happened; this is where context comes in...
In addition the Description field seems to be allowed to be overloaded with ; separated values. An example from the same blog post:
Where it looks like the separated fields in the Description are not pre-defined.
- No, it is not predefined, because it varies, depending upon the data source. For example, data derived from the file system
(such as via TSK fls.exe) will include "FILE" as the source, and the Description field will start with a "MACB" field, filled in accordingly as it pertains to the timestamp. I wrote an MFT parser that displays the information, using "MFT_SI" or "MFT_FN" for the Source, and includes the "MACB" field accordingly. Registry key LastWrite times will ONLY have an "M..." field, and that "MACB" field is not used in the Description field for data sources to which it simply does not apply (i.e., the last printed time of an MSOffice document, derived from it's metadata).
Known variants of TLN are:
- l2tTLN (log2timeline TLN); which extends the format with a TZ (timezone) and Notes field.