TIMESCANNER(1)        User Contributed Perl Documentation        TIMESCANNER(1)
NAME
timescanner - A recursive scanner to produce timeline data extracted
from file artifacts
DESCRIPTION
timescanner recursively scans through a directory (such as a mounted
filesystem) and extracts timestamp data from every file that one of the
input modules of the tool log2timeline supports. It is currently written
as a separate tool from log2timeline but will be integrated into it soon.
SYNOPSIS
timescanner [OPTIONS] -z TIMEZONE [-f INPUT MODULE] [-o OUTPUT MODULE]
[-w BODYFILE] [-v] -d|-dir DIRECTORY
See man timescanner for full details of options to use.
OPTIONS
-d|-dir DIRECTORY
This option is mandatory for the tool to operate. It defines the
starting directory which the tool recursively searches for
supported artifacts.
-s|-skew TIME
Time skew of the original machine, i.e. how far its clock was off
from the true time. The format of TIME is: X | Xs | Xm | Xh, where
X is an integer and s represents seconds, m minutes and h hours
(the default unit, when none is given, is seconds).
-m TEXT Prepend the output line with TEXT, for instance by using -m
HOSTNAME to include a hostname in the output
-o|-output FORMAT
Use the given output format. By default the csv output module is
used. To see a list of all available output formats, use -o list
-w|-write FILENAME
Specify a file to write output to (otherwise STDOUT will be
chosen).
-z|-zone TIMEZONE
This option defines the timezone that was used on the computer
that the log files belonged to. The default value for this
variable is the local timezone of the computer timescanner is
run on.
-log FILENAME
Specify a file to write error and information messages from the
tool to; otherwise STDERR will be used.
-name HOST
Define the host name that the information is extracted from.
-c|-calculate
If this option is used then an MD5 sum of each file that passes
verification is calculated and included in the timestamp object
-x Make timescanner skip the default minimalist test to see if a
file can be parsed by the supplied input module.
-V|-Version
Display the version number
-v|-verbose
Increase the verbosity of the output (debug level). This option
can be provided twice to get an extra level of verbosity (two
levels are available)
-h|-help|-?
Display this help message
-f|--format MODULE
The option of -f can be used to select which modules are used
in timescanner when recursively searching through the directory
supplied to the tool. The option MODULE can be any of the four
listed here:
-f list Print a list of all available modules the tool
supports, alongside a print-out of the available lists
(preselected modules that can be chosen)
-f NAME OF A MODULE
If one or more module names are given, only those modules
will be used by the tool. A single module can be supplied,
or a list separated with a comma (,). An example:
timescanner -z local -f evtx,oxml,pdf -d .
This will run timescanner on the current directory and
only use the modules evtx, oxml and pdf in the process.
-f="-NAME OF A MODULE"
This form can be used to exclude a given module from
being run (either a single one or a list, separated
with a comma), an example:
timescanner -z local -f="-evtx,exif" -d .
This will run the tool against the current directory
and use all of the available modules EXCEPT the evtx
and exif ones.
-f NAME OF A LIST
A few presets exist: named lists of modules that can be
selected as a group. See the available lists by issuing
timescanner -f list. An example:
timescanner -z local -f winxp -d /mnt/xpimage
This will run the tool against the directory
/mnt/xpimage, and only use the modules that are
associated with a Windows XP system, according to the
winxp list file.
-e|--exclude STRING
A comma separated list of patterns for files to exclude from the
scan. If a particular file has caused the tool to crash or not
work, or you simply want to keep some documents out of the scan,
they can be excluded this way.
Example:
timescanner -f winvista -z local -d /mnt/windows -e 'Windows-Diagnosis,secret[0-3]'
This would scan the directory /mnt/windows recursively,
using only the modules associated with a Windows Vista or
later operating system, and excluding every file whose name
contains "Windows-Diagnosis" or matches secret[0-3] (that
is, secret0, secret1, secret2 or secret3).
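The following Python script is an added illustration of the option semantics described above (the -s skew format, the -z zone, the three forms of -f, and the -e exclusion patterns); it is not timescanner's own code. It models a "dry run" of what a given command line would do: which modules are selected, which files are dropped, and how a timestamp read from the evidence is normalised to UTC. The module inventory and preset lists are constructed stand-ins for the real output of "timescanner -f list", the direction in which the skew is applied (evidence clock ahead, so the skew is subtracted) and the use of Perl-style regular expressions matched against the file name for -e are assumptions, and all function names are this example's own.

```python
"""Model of timescanner's -s, -z, -f and -e option semantics (added example)."""
import os
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed stand-ins for the output of "timescanner -f list" (assumption,
# not the real module inventory or preset contents).
AVAILABLE_MODULES = {"evt", "evtx", "oxml", "pdf", "exif", "prefetch", "recycler"}
PRESET_LISTS = {
    "winxp": {"evt", "prefetch", "recycler", "oxml", "pdf", "exif"},
    "winvista": {"evtx", "prefetch", "recycler", "oxml", "pdf", "exif"},
}

# Constructed sample of paths found under -d DIRECTORY (not real evidence).
SAMPLE_PATHS = [
    "/mnt/windows/Windows/System32/winevt/Logs/System.evtx",
    "/mnt/windows/Users/bob/Documents/secret2.pdf",
    "/mnt/windows/Users/bob/Documents/secret7.pdf",
    "/mnt/windows/Windows/Logs/Windows-Diagnosis.log",
]


def parse_skew(spec):
    """Parse the -s TIME format X | Xs | Xm | Xh into a timedelta.

    A bare integer is taken as seconds, as the man page states is the default."""
    m = re.fullmatch(r"([+-]?\d+)([smh]?)", spec.strip())
    if not m:
        raise ValueError("bad skew %r: expected X, Xs, Xm or Xh" % spec)
    value, unit = int(m.group(1)), m.group(2) or "s"
    return timedelta(seconds=value * {"s": 1, "m": 60, "h": 3600}[unit])


def normalise_timestamp(local_ts, zone, skew):
    """Turn a naive timestamp read from an artifact into an aware UTC datetime.

    `zone` plays the role of the -z option (the zone the evidence machine used).
    Assumption: the evidence clock ran `skew` ahead of true time, so the skew
    is subtracted before the zone is applied."""
    if not isinstance(local_ts, datetime) or local_ts.tzinfo is not None:
        raise ValueError("expected a naive datetime as read from the artifact")
    if not isinstance(zone, tzinfo):
        raise TypeError("zone must be a tzinfo (the -z TIMEZONE)")
    return (local_ts - skew).replace(tzinfo=zone).astimezone(timezone.utc)


def select_modules(spec):
    """Resolve a -f value to the set of modules that will run.

    Three forms: a preset name, a comma-separated list of module names, or a
    list prefixed with '-' meaning "everything except these"."""
    if spec.startswith("-"):
        excluded = set(spec[1:].split(","))
        unknown = excluded - AVAILABLE_MODULES
        if unknown:
            raise ValueError("unknown module(s): %s" % ", ".join(sorted(unknown)))
        return AVAILABLE_MODULES - excluded
    if spec in PRESET_LISTS:
        return set(PRESET_LISTS[spec])
    chosen = set(spec.split(","))
    unknown = chosen - AVAILABLE_MODULES
    if unknown:
        raise ValueError("unknown module(s): %s" % ", ".join(sorted(unknown)))
    return chosen


def exclude_files(paths, exclude_spec):
    """Apply -e: drop every path whose file name matches any of the patterns.

    Assumption: each comma-separated entry is a regular expression searched
    anywhere in the base name (the man page's secret[0-3] example is a regex)."""
    patterns = [re.compile(p) for p in exclude_spec.split(",") if p]
    return [p for p in paths
            if not any(rx.search(os.path.basename(p)) for rx in patterns)]


if __name__ == "__main__":
    # Dry run of: timescanner -f winvista -z <UTC-5> -s 2m -d /mnt/windows \
    #                         -e 'Windows-Diagnosis,secret[0-3]'
    evidence_zone = timezone(timedelta(hours=-5))  # constructed stand-in for -z
    print("modules:", sorted(select_modules("winvista")))
    print("files:", exclude_files(SAMPLE_PATHS, "Windows-Diagnosis,secret[0-3]"))
    print("utc:", normalise_timestamp(datetime(2012, 5, 22, 10, 0, 0),
                                      evidence_zone, parse_skew("2m")))
```

A real run would feed the surviving file list to the selected input modules and emit one timeline row per timestamp; the point of the dry run is that the skew, the zone and the exclusions are all fixed before any artifact is parsed, so a wrong -z or -s silently shifts every row in the timeline and is worth checking against a known event first.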
AUTHOR
Kristinn Gudjonsson <kristinn (a t) log2timeline ( d o t ) net> is the
original author of the program.
COPYRIGHT
The tool is released under GPL so anyone can contribute to the tool.
Some parts of the code have been copied from other GPL'ed programs,
such as RegRipper written by H. Carvey.
SEE ALSO
log2timeline
perl v5.20.2 2012-05-22 TIMESCANNER(1)