Convert X-Ways TSV data into TLN data for IEF Timeline Visualization


Today I’m pleased to announce a new free tool and a guest blog post from James Morris of the Queensland Police Service in Australia.

James came to me a couple weeks ago with a request to help him get some data out of X-Ways and into IEF for timeline visualization purposes. As most people involved in digital investigations know, being able to view a set of events or activities on a visual timeline can greatly assist in understanding a user’s actions and explaining what has occurred to other stakeholders including supervisors, attorneys, and jurors.

In the interest of helping James and other X-Ways users, I started to develop a tool that would convert TSV data exported from X-Ways into a standard TLN file that could then be loaded into IEF Timeline. James provided some sample TSV exports and feedback and the end result was a tool that makes the TSV-to-TLN conversion quick and easy.

James has been kind enough to write a tutorial which I’ve posted below. His contact information is at the bottom of the post should you need to contact him (any support requests should go through the Magnet support site however, and please don’t spam James :) ).

I would like to extend a thank-you to James for his help with this project and I hope other X-Ways users find it to be of value.

Here is the download link for the tool: Download TSV to TLN Converter


Tutorial for X-Ways TSV to TLN – IEF Timeline Viewer

X-Ways Forensics is a forensic computing application that provides a number of features to its users. One of these features is the Events pane. After completing a Refine Volume Snapshot (RVS) operation, you can click on this pane and view the events based on Timestamp and the other filtering options X-Ways is renowned for.

When you have found the key events that will make your case, you can export these into a Tab Separated Value (TSV) file for use in an Excel spreadsheet.

Fig. 1 – X-Ways Forensics events selected for export to TSV format.

Right mouse click on the selected items and select Export List.

The Export List options will come up where you can select the TSV format. You can choose the fields that will be exported out into the file, similar to the items outputted in the Report Tables.

As a minimum, select the Timestamp, Type, Category, Description, Name, Path, Type, Evidence object and Owner.

Fig. 2 – Right mouse click for Export list and options to select for export

 

Make sure the file has the TSV extension on the end.


In Excel 2010 the exported file appears as:


Fig. 3 – Excel 2010 with the exported data from X-Ways Forensics 

If you wanted to do more with this information, such as create a timeline, you would need to get this exported information into another format. The last few years have introduced the use of the TLN or Timeline format as defined by Harlan Carvey. From the script by Kristinn Gudjonsson, the following information describes the TLN format:

# The format was described in this blog post:
# http://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html
#
# And a better and more up-to-date description:
# http://windowsir.blogspot.com/2010/02/timeline-analysisdo-we-need-standard.html

More information about the script can be read here – https://code.google.com/p/log2timeline/source/browse/lib/Log2t/input/tln.pm?spec=svnef4ca959e05dbea35059daac81ffad704ec7ec6c&r=ef4ca959e05dbea35059daac81ffad704ec7ec6c

With the data exported from X-Ways Forensics, extra value-added content can be generated in the way of a visual timeline. Selecting pertinent entries from the Events pane and showing them graphically rather than in spreadsheets is now possible. The screenshot below is an example of some test internet data as a visual timeline using a new tool from Magnet Forensics.

Jad Saliba from Magnet Forensics has kindly taken the challenge to produce a tool that converts the X-Ways generated TSV file into the TLN format. The generated TLN file can then be imported into IEF Timeline Viewer and the events viewed as a timeline, giving you a visual representation of events against a time period.

The features of this tool include a timezone adjustment converter. This will read your timestamps and convert them back to UTC/GMT from the specified timezone. You will need to do this so that the timestamps will display correctly in IEF Timeline due to the timezone settings within the application.

To convert the X-Ways Forensics TSV file to TLN format, open the TSV to TLN executable available from the Magnet Forensics website.


Browse to the folder containing the TSV file and select it.

The TSV file selected contains entries for files dated in the year 1829. Obviously these file entries are erroneous. The Timezone Adjustment has been selected to reset the entries from the selected data timezone back to UTC. Daylight savings offsets do not apply to this timezone (UTC +10 Brisbane).

Timestamp dates before 1 January 1990 are converted to the Unix time value “1000000” in the TLN file by the converter. IEF Timeline will then filter out these lines from the TLN file so that they are not displayed in the resulting timeline.

Once the file is converted to TLN format, open IEF Timeline and load the TLN file into the program.

The screen will open to show a timeline visualization of the entries exported from X-Ways Forensics where you can add value to your examination.

As with the IEF case data, the timestamp and other fields are available to show the records that make up that part of the timeline.

Tutorial Summary –

  • X-Ways Forensics offers TSV export from the Events pane that can lend itself to timelines
  • Magnet Forensics has created a TSV to TLN format converter so that timelines can be viewed in IEF Timeline
  • To create an X-Ways Forensics TSV for TLN conversion –
    • Complete the RVS operation
    • Go to the Events Pane and filter the entries for export
    • Export the entries and select the Timestamp, Type, Category, Description, Name, Path, Type (under the Ext.), Evidence Object
    • Of these fields, Timestamp, Type and Category are REQUIRED to translate to the TLN format fields. All other fields are put in the Description field of the TLN format.
    • Export the file and save it with a TSV extension.
    • Open the TSV to TLN Converter
    • Navigate to the folder with the TSV file.
    • Remember to adjust the entries to UTC via the time adjustment option in the tool
    • Click GO!
    • The file will be saved in the same folder as the TSV.
    • Open IEF Timeline and load the newly created TLN file
    • Sit back and behold the time line visualization.
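
The conversion described above (fixed-offset adjustment to UTC, the “1000000” value for pre-1990 dates, required columns, remaining fields folded into Description) can be sketched in Python. This is an added example, not the Magnet Forensics tool or its source. The timestamp format, the column-to-TLN mapping (Category to Source, Evidence object to Host, Owner to User), applying the cutoff after UTC conversion, and the sample rows are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

SENTINEL = 1000000  # Unix time the page says pre-1990 timestamps are given
CUTOFF = datetime(1990, 1, 1, tzinfo=timezone.utc)
TS_FORMAT = "%d/%m/%Y %H:%M:%S"  # assumption: match your X-Ways display settings
REQUIRED = ("Timestamp", "Type", "Category")

def to_epoch(stamp, utc_offset_hours):
    """Read a local timestamp at a fixed UTC offset and return Unix seconds."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    utc = datetime.strptime(stamp, TS_FORMAT).replace(tzinfo=tz).astimezone(timezone.utc)
    # Assumption: the 1990 cutoff is applied after conversion to UTC.
    return SENTINEL if utc < CUTOFF else int(utc.timestamp())

def tsv_to_tln(tsv_text, utc_offset_hours=0):
    """Return TLN lines (Time|Source|Host|User|Description) for an exported TSV."""
    reader = csv.reader(io.StringIO(tsv_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    header = next(reader)
    missing = [name for name in REQUIRED if name not in header]
    if missing:
        raise ValueError("missing required column(s): " + ", ".join(missing))
    lines = []
    for values in reader:
        if not values:
            continue  # skip blank lines in the export
        cells = list(zip(header, values))  # a list keeps a repeated "Type" column
        first = {}
        for name, value in cells:
            first.setdefault(name, value)
        # Assumed mapping: Category -> Source, Evidence object -> Host, Owner -> User.
        mapped = ("Timestamp", "Category", "Evidence object", "Owner")
        desc = "; ".join(f"{n}: {v}" for n, v in cells if n not in mapped and v)
        fields = [str(to_epoch(first["Timestamp"], utc_offset_hours)), first["Category"],
                  first.get("Evidence object", ""), first.get("Owner", ""), desc]
        # TLN is pipe-delimited, so a literal "|" in a value must not survive.
        lines.append("|".join(f.replace("|", "/") for f in fields))
    return lines

# Constructed sample export (not real case data); second row carries a bogus 1829 date.
SAMPLE = (
    "Timestamp\tType\tCategory\tName\tPath\tEvidence object\tOwner\n"
    "14/07/2013 09:15:00\tCreation\tFile system\treport.docx\t\\Users\\jm\tDisk1\tjm\n"
    "01/01/1829 00:00:00\tModification\tFile system\told|tmp\t\\Temp\tDisk1\t\n"
)

if __name__ == "__main__":
    for line in tsv_to_tln(SAMPLE, utc_offset_hours=10):  # UTC+10 Brisbane
        print(line)
```

Comparing a few converted lines against the original export is a quick check that the offset was applied in the right direction before the timeline is relied on.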

 

James Morris
Investigative Computer Analyst
Electronic Evidence Examination Unit
Fraud and Cyber Crime Group
State Crime Command
Queensland Police Service, Australia
morris.jamesc (at) police.qld.gov.au 


 

Again, a big thanks to James for this walkthrough. If you have any questions or other suggestions/feedback, you can contact me at jad (at) magnetforensics.com.

Here’s the download link again (same as the one further up :) ): Download TSV to TLN Converter

Hope to see you at Blackhat later this week!