Last active
April 11, 2023 03:57
-
-
Save iexpurgator/c7c7b945d5b100522da6920219a7960f to your computer and use it in GitHub Desktop.
Create Super Timline On Linux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo apt install dotnet-sdk-6.0 | |
| sudo apt install python3 python3-pip python3-venv | |
| sudo apt install libssl-dev | |
| # create virtual environment | |
| python -m venv venv | |
| source venv/bin/activate | |
| pip install plaso | |
| deactivate | |
| # <run with root> | |
| source venv/bin/activate | |
| # [install tutorial](https://command-not-found.com/virt-filesystems) | |
| virt-filesystems --a kape_triage.vhdx | |
| # [ouput] /dev/sda1 | |
| mkdir /mnt/kape-triage | |
| guestmount --add kape_triage.vhdx -m /dev/sda1 --ro /mnt/kape-triage | |
| # MFT body ([link download net6](https://ericzimmerman.github.io/#!index.md)) | |
| dotnet MFTECmd.dll -f '/mnt/kape-triage/C/$MFT' --body ./timeline --bodyf hostname.body --blf --bdl c | |
| # parse to plaso | |
| log2timeline.py --status_view window --parsers '!mft,!filestat' --storage_file timeline/hostname.plaso /mnt/kape-triage/C | |
| guestunmount /mnt/kape-triage | |
| # add MFT | |
| log2timeline.py --status_view window --parsers "mactime" --storage_file timeline/hostname.plaso timeline/hostname.body | |
| # export to CSV | |
| psort.py -o L2tcsv timeline/hostname.plaso -w timeline/hostname.csv | |
| # export to CSV with time | |
| psort.py -o L2tcsv --slice "2020-10-24T00:00:00" --slice_size 100000 timeline/hostname.plaso -w timeline/hostname.csv | |
| # exit virtual environment | |
| deactivate |
install .net6 on old version ubuntu learn.microsoft.com/en-us/dotnet/core/install/linux-ubuntu
sudo apt-get install gcc libpq-dev -y
sudo apt-get install python-dev python-pip -y
sudo apt-get install python3-dev python3-pip python3-venv python3-wheel -y
pip3 install wheel
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you want to use WSL instead of a real virtual machine (like VMWare), look at this article:
https://blog.codybunch.com/2020/10/16/WSL2-Mount-vhdx-to-WSL2/