Difference between revisions of "Talk:TLN"

From ForensicsWiki
Jump to: navigation, search
Line 25: Line 25:
 
[[User:Joachim Metz|Joachim]] ([[User talk:Joachim Metz|talk]]) 09:00, 2 April 2015 (EDT) Is there an online publicly available version of this list?
 
[[User:Joachim Metz|Joachim]] ([[User talk:Joachim Metz|talk]]) 09:00, 2 April 2015 (EDT) Is there an online publicly available version of this list?
  
 +
[[User:Keydet89]] ([[User talk:Keydet89|talk]]) Does there need to be?  I wasn't aware that there needed to be, and until now, no one has said anything about this...
  
 
Description - The description of what happened; this is where context comes in...
 
Description - The description of what happened; this is where context comes in...

Revision as of 13:44, 2 April 2015

Time - 32-bit POSIX (or Unix) epoch timestamp

It is unclear if negative timestamps are supported or how values that overflow the 32-bit should be represented.

Keydet89 April 2, 2015 12:08:33 Joachim, I'm not sure what you're asking here. I haven't yet encountered a "negative timestamp", nor "values that overflow the 32-bit".

Joachim (talk) 09:00, 2 April 2015 (EDT) For one I'm not asking a question. I'm observing that TLN (or at least the public available information about it) does not state how timestamps should be handled that do not fall into the positive 32-bit. It is nice of you that you are sharing your experiences here but that does not help the format one bit (pun intended). To rephrase this comment into a question you might understand: How does TLN represent timestamps that fall outside the positive 32-bit (or actually 31-bit?) range of the POSIX (or Unix) timestamp. Also see: http://en.wikipedia.org/wiki/Unix_time


Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) and may require a key or legend.

As far known there is no list of predefined common sources.

Keydet89 April 2, 2015 12:08:33 "Windows Forensic Analysis, 4/e" chapter 7 includes several, as does the TLN application used to add individual entries to a timeline. The field is approx 8 char in length, and is intended to provide context to the timestamped event being recorded in the timeline. Many of the tools I've provided (they are freely available) that produce TLN output will embed the Source field in the output.

Joachim (talk) 09:00, 2 April 2015 (EDT) Is there an online publicly available version of this list?

User:Keydet89 (talk) Does there need to be? I wasn't aware that there needed to be, and until now, no one has said anything about this...

Description - The description of what happened; this is where context comes in...

In addition the Description field seems to be allowed to be overloaded with ; separated values. An example from the same blog post:

1123619888|EVT|PETER|S-1-5-18|Userenv/1517;EVENTLOG_WARNING_TYPE;PETER\Harlan

Where it looks like the separated fields in the Description are not pre-defined.

Keydet89 April 2, 2015 12:08:33

  • No, it is not predefined, because it varies, depending upon the data source. For example, data derived from the file system

(such as via TSK fls.exe) will include "FILE" as the source, and the Description field will start with a "MACB" field, filled in accordingly as it pertains to the timestamp. I wrote an MFT parser that displays the information, using "MFT_SI" or "MFT_FN" for the Source, and includes the "MACB" field accordingly. Registry key LastWrite times will ONLY have an "M..." field, and that "MACB" field is not used in the Description field for data sources to which it simply does not apply (i.e., the last printed time of an MSOffice document, derived from it's metadata).

Joachim (talk) 09:00, 2 April 2015 (EDT) By source do you mean the "Source" field? Please be more specific you are proposing a standard not a knitting class (no offence to knitting class organizers). How does someone without prior knowledge about TLN implement it as an output format? If description is dependent on source then what should it be for the different sources. Please specify.