Wednesday, May 1, 2013

Melting snow, flash floods, and only a new 4n6time release ;-)


So where ever Kristinn Gudjonsson lives, there are apparently Flowers, blossoming trees and a new plaso release. That must be really nice. In Chicago we still have melting snow, flash floods, and only a new 4n6time release ;-)
 

For anyone that saw me speak at the HTCIA conference in Minnesota a few weeks ago, you know I am VERY excited about the new version of 4n6time (and some other soon to be released tools to make your timelines epic!). Months of development and user feedback have been put into this release. There’s really too much to list about "whats new", so here’s a few of my favorite improvements:
  • Updated plaso engine to version 1.0.1-1 (alpha) – As Kristinn pointed out the latest version of plaso has many new enhancements and features. Also included are 2 new parsers contributed by me (thank you Kristinn for the help), Symantec AV and Google Drive!
  • Control plaso with a mouse! – Create your timeline(s) using a simple yet comprehensive user wizard. Create a timeline from a disk image, mount point, directory, CSV file, or body file! Also take advantage of plaso’s amazing file filtering and pre-filtering capabilities.
  • Tabbing – Because one timeline is never enough you can now view and jump between multiple timelines (subsequent to filtering) in tabs within the data grid view.
  • VirusTotal integration – In addition to right clicking on an event and Viewing it with a external file viewer, MD5 hashing it, or exporting it, you can now check to see if it’s a known file in the VirusTotal database (provided an internet connection).
  • Speed – The tool has more or less been completely refactored. It is 5x faster. This includes opening saved database files instantly (no more loading!).
  • GUI –  Enhanced User Interface, charting, filtering tricks, and reporting.
  • So much more!!!!
It was almost a year ago, at the SANS DFIR summit, when Rob Lee gave me the opportunity to introduce 4n6time (then “l2t_Review”) to the community. I only had 360 seconds to show off the hundreds of hours of personal time I spent learning and developing the initial proof of concept.


Almost a year later, I am overwhelmed by the response from the community. 4n6time has been nominated for the 2013 forensic4cast award for the “Computer Forensic Software of the Year” and there are hundreds of folks using the tool all over the world. This has made every minute working on the project all so worth it.


As always, this project would not be possible without the existence and contributions to timeline creation tools. Special thanks to Kristinn Gudjonsson, Joachim Metz and others for development on log2timeline and now Plaso. Also a special thanks to Eric Wong who has been assisting me with the development these days.


You can download the latest Windows version of 4n6time (0.4) on Google Code.  Note you do not need to request a new cert file if you are an existing user, you can simply transfer your old cert file over to the new version following the directions in the FAQ. The FAQ is also a useful place for other common questions and getting started information. If you are completely new to plaso and/or 4n6time you may also want to check out the article Kristinn and I co-authored in issue 15 of Digital Forensic Magazine.


As always happy to answer any questions and look forward to receiving feedback as development starts on the next release.


Thanks!!!


-David Nides (@DAVNADS)

2 comments:

  1. Hi,
    I have just come across your site davnads.blogspot.com and would be really interested in chatting to you further about some advertising opportunities and partnerships that would be mutually beneficial for us.
    We work with a wide range of publishers in your niche and would like to also begin working with you.
    Please get in touch if you would be interested in discussing possible partnerships.
    Look forward to hearing from you soon,

    ReplyDelete