Sunday, August 10, 2014

4n6time v.06 - minor update

I posted a new version of 4n6time for Windows only. Download link here:

Not many significant changes. Below is a short summary.
-Using the latest plaso "release v.1.1.0" source code base dated early June. Also includes newer versions of the plaso dependencies dated as of early August.
-Lots of bug fixes and minor GUI tweaks.
-Extended image support (consistent with plaso) for timeline creation. Note that file interaction is only supported with raw disk images at the moment.
-Enhanced timeline creation wizard (e.g. disk scanner implementation, parser selection GUI, etc.)
-New window/pane to monitor the plaso timeline creation process.
-Lots of other little things, minor speed improvements, etc.

To be honest I did not do as much testing this time around as with previous releases, so I encourage feedback, issues, questions, bugs, whatever; just let me know. I just didn't want to delay the release any further.

I'll also try to work with Kristinn when he gets some time to create a Linux / SIFT 3.0 release!

Sunday, February 16, 2014

4n6time v.05 - anyone know how I get a tax write off on this???

I have been super busy and actually forgot to announce that I posted 4n6time v.05 a few months ago. So here it is, boys and girls. As always, none of this would be possible without the tools that create timeline data (e.g. log2timeline/plaso) and the help of MANY people.

Before I get into what's new, I would like to quickly reflect. 4n6time was introduced as a proof of concept application demoed at the 2011 SANS 360 Summit and has grown into a global user base. In 2013, 4n6time was nominated for the "tool of the year" award by forensic4cast (vote again this year!).

I remember joking that 4n6time would be free to everyone except LE. A lot of people laughed at that joke. However, in hindsight LE is one of my primary motivators to continue to invest personal time and expenses in this project.

In the middle of last year I received an e-mail stating that 4n6time was used to help prosecute a murder case by presenting a complex set of data to a jury in a way they could understand. A few weeks later I received an email that 4n6time helped a family understand the facts leading up to a suicide. I get testimonial emails like this all the time from people.

Hearing feedback that Davnads potentially impacted someone's life is surreal. It really is. Now if only I could figure out how to get a tax write off on this??? Lol.

The general feedback I get is that 4n6time does not make evidence available that other tools do not. It just makes evidence more readily accessible, presents it in a way that is logical, and makes telling the story easy with a mouse. In fact, I think the download counts from last year speak for themselves. Although I suspect Kristinn would argue that the logs all point to Davnads downloading his own tool ;-)

I guess the reason I am sharing this story is to encourage others to contribute to existing projects like plaso or to new projects. Everyone has to start somewhere and you never know where it will end up. I am also sharing this to thank people for the feedback. If it wasn't for the emails, challenge coins, patches and other swag I probably would have stopped investing in this project a long time ago.

Now let's take a look at what's under the hood in 4n6time, v.0.5...
  • Contains the latest "release" of plaso v.1.1.0 and dependencies.
  • More intuitive create timeline wizard with the ability to enable parser(s) visually, amongst other enhancements.
  • Ability to interact with all charts (e.g. click on a source and update the data grid view to only show that source).
  • Mouse hover "tool tips" on all major buttons.
  • Filter query preview (e.g. how many results, and of which types, will be returned).
  • Filter pivoting in the data grid view based on various time criteria.
  • Enhanced charting and reporting.
  • EVT ID lookup / deeper VT integration.
  • More export to CSV options.
  • Every time data is added to the database, a prompt asks for an evidence number. This is used to differentiate multiple data sources in the timeline.
  • Advanced filtering.
  • Lots of GUI enhancements and better error handling.
  • Proof of concept MySQL back end - this adds a collaborative (server/client) review approach to timeline analysis. It also allows timelines to scale a lot more efficiently.

Note: There is a beta Linux version (thanks to Kristinn Gudjonsson). This should be part of the new SIFT 3.0. The OSX version has not been compiled yet. I'll try to get this done in the next few weeks.