Wanted to give a quick shout out to Kristinn Guðjónsson, one of the SANS blog authors, who released a Alternative Timeline Generation tool, log2timeline, that will enable the addition of time artifacts to a body file in addition to Registry last write times and file system MACB times.
http://blog.kiddaland.net/2009/08/log2timeline-artifact-timeline-analysis-part-i/
Current version of the tool parses the following artifacts:
- Prefetch directory (reads the content of the directory and parses files found inside)
- UserAssist key info (reads the NTUSER.DAT user registry file to parse the content of UserAssist keys)
- Squid access logs (with emulate_httpd_log off)
- Restore points (reads the content of the directory and parses rp.log file inside each restore point)
- Windows shortcut files (LNK)
- Windows Recycle Bin (INFO2)
To learn how to create a basic timeline with registry and file system artifacts look here: http://sansforensics.wordpress.com/2009/02/24/digital-forensic-sifting-registry-and-filesystem-timeline-creation/
Wonderful tool Kristinn! Keep it up!