Today I’m pleased to announce a new free tool and a guest blog post from James Morris of the Queensland Police Service in Australia.
James came to me a couple weeks ago with a request to help him get some data out of X-Ways and into IEF for timeline visualization purposes. As most people involved in digital investigations know, being able to view a set of events or activities on a visual timeline can greatly assist in understanding a user’s actions and explaining what has occurred to other stakeholders including supervisors, attorneys, and jurors.
In the interest of helping James and other X-Ways users, I started to develop a tool that would convert TSV data exported from X-Ways into a standard TLN file that could then be loaded into IEF Timeline. James provided some sample TSV exports and feedback and the end result was a tool that makes the TSV-to-TLN conversion quick and easy.
James has been kind enough to write a tutorial which I’ve posted below. His contact information is at the bottom of the post should you need to contact him (any support requests should go through the Magnet support site however, and please don’t spam James).
I would like to extend a thank-you to James for his help with this project and I hope other X-Ways users find it to be of value.
Here is the download link for the tool: Download TSV to TLN Converter
Tutorial for X-Ways TSV to TLN – IEF Timeline Viewer
X-Ways Forensics is a forensic computing application that provides a number of features to its users. One of these features is the Events pane. After completing a Refine Volume Snapshot (RVS) operation, you can click on this pane and view the events based on Timestamp and the other filtering options X-Ways is renowned for.
When you have found the key events that will make your case, you can export these into a Tab Separated Value (TSV) file for use in an Excel spreadsheet.
Fig. 1 – X-Ways Forensics events selected for export to TSV format.
Right-click the selected items and select Export List.
The Export List options will come up where you can select the TSV format. You can choose the fields that will be exported out into the file, similar to the items outputted in the Report Tables.
As a minimum, select the Timestamp, Type, Category, Description, Name, Path, Type, Evidence object and Owner.
Fig. 2 – Right mouse click for Export list and options to select for export
Make sure the file has the TSV extension on the end.
In Excel 2010 the exported file appears as:
Fig. 3 – Excel 2010 with the exported data from X-Ways Forensics
If you want to do more with this information, such as creating a timeline, you need to get the exported information into another format. The last few years have introduced the use of the TLN or Timeline format as defined by Harlan Carvey. From the script by Kristinn Gudjonsson, the following information describes the TLN format -
# The format was described in this blog post:
# And a better and more up-to-date description:
https://code.google.com/p/log2timeline/source/browse/lib/Log2t/input/tln.pm?spec=svnef4ca959e05dbea35059daac81ffad704ec7ec6c&r=ef4ca959e05dbea35059daac81ffad704ec7ec6c
More information about the script can be read here –
With the data exported from X-Ways Forensics, extra value-added content can be generated in the form of a visual timeline. Selecting pertinent entries from the Events pane and showing them graphically rather than in spreadsheets is now possible. The screenshot below is an example of some test internet data as a visual timeline using a new tool from Magnet Forensics.
Jad Saliba from Magnet Forensics has kindly taken the challenge to produce a tool that converts the X-Ways generated TSV file into the TLN format. The generated TLN file can then be imported into IEF Timeline Viewer and the events viewed as a timeline, giving you a visual representation of events against a time period.
The features of this tool include a timezone adjustment converter. This will read your timestamps and convert them back to UTC/GMT from the specified timezone. You will need to do this so that the timestamps will display correctly in IEF Timeline due to the timezone settings within the application.
To convert the X-Ways Forensics TSV file to TLN format, open the TSV to TLN executable available from the Magnet Forensics website.
Browse to the folder containing the TSV file and select it.
The selected TSV file contains entries for files dated in the year 1829. Obviously these file entries are erroneous. The Timezone Adjustment has been selected to reset the entries from the selected data timezone back to UTC. Daylight saving offsets do not apply to this timezone (UTC +10 Brisbane).
Timestamp dates before 1 January 1990 are converted by the converter to the Unix time value “1000000” in the TLN file. IEF Timeline will then filter out these lines from the TLN file so that they are not displayed in the resulting timeline.
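The two conversion rules described above (shifting local timestamps back to UTC, and giving pre-1990 dates the value 1000000) can be sketched as follows. This is an added example, not the code of the Magnet Forensics converter. It assumes a day/month/year timestamp layout, a cutoff checked after the UTC shift, and its own mapping of the exported columns onto the five pipe-delimited TLN fields (Time|Source|Host|User|Description); the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

SENTINEL = 1000000                                  # value the post gives for pre-1990 rows
CUTOFF = datetime(1990, 1, 1, tzinfo=timezone.utc)  # assumption: cutoff applied after UTC shift
TS_FORMAT = "%d/%m/%Y %H:%M:%S"                     # assumption: match your export's format

# Constructed sample export (not case data); columns follow the tutorial's list.
SAMPLE_TSV = (
    "Timestamp\tType\tCategory\tDescription\tName\tPath\tEvidence object\tOwner\n"
    "15/07/2013 09:30:00\tInternet\tBrowser\tURL visited\tindex.dat\t\\Users\\test\tDisk1\ttestuser\n"
    "01/01/1829 00:00:00\tFile\tCreation\tCreated|odd\told.bin\t\\Temp\tDisk1\ttestuser\n"
    "not a date\tFile\tCreation\tCreated\tx.bin\t\\Temp\tDisk1\ttestuser\n"
)


def clean(value):
    """TLN is pipe-delimited, so a literal '|' inside a field would shift columns."""
    return (value or "").replace("|", "/").strip()


def tsv_to_tln(tsv_text, utc_offset_hours):
    """Return (tln_lines, rejected_rows) so unparseable rows are never dropped silently."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))  # fixed offset, no DST
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    tln, rejected = [], []
    for row in reader:
        try:
            local = datetime.strptime(row["Timestamp"].strip(), TS_FORMAT)
        except (KeyError, AttributeError, ValueError):
            rejected.append(row)
            continue
        utc = local.replace(tzinfo=local_tz).astimezone(timezone.utc)
        epoch = int(utc.timestamp()) if utc >= CUTOFF else SENTINEL
        desc = " - ".join(clean(row.get(k)) for k in ("Category", "Description", "Path", "Name"))
        # Assumed mapping onto Time|Source|Host|User|Description.
        fields = [str(epoch), clean(row.get("Type")), clean(row.get("Evidence object")),
                  clean(row.get("Owner")), desc]
        tln.append("|".join(fields))
    return tln, rejected


if __name__ == "__main__":
    lines, bad = tsv_to_tln(SAMPLE_TSV, utc_offset_hours=10)   # UTC+10 Brisbane
    print("\n".join(lines))
    print("rejected rows:", len(bad))
```

Compare the rejected-row count against the source export before relying on the timeline, since a mismatched timestamp format would otherwise remove events without notice.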
Once the file is converted to TLN format, open IEF Timeline and load the TLN file into the program.
The screen will open to show a timeline visualization of the entries exported from X-Ways Forensics where you can add value to your examination.
As with the IEF case data, the timestamp and other fields are available to show the records that make up that part of the timeline.
Tutorial Summary –
Investigative Computer Analyst
Electronic Evidence Examination Unit
Fraud and Cyber Crime Group
State Crime Command
Queensland Police Service, Australia
morris.jamesc (at) police.qld.gov.au
Again, a big thanks to James for this walkthrough. If you have any questions or other suggestions/feedback, you can contact me at jad (at) magnetforensics.com.
Here’s the download link again (same as the one further up): Download TSV to TLN Converter
Hope to see you at Blackhat later this week!