Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
He specifies the following 5 | separated fields:
Time - 32-bit POSIX (or Unix) epoch timestamp
It is unclear if negative timestamps are supported or how values that overflow the 32-bit should be represented.
Since the author has been, so far, unable provide the actual representation this field it is assumed to be a (decimal) numeric string of the number of seconds since Jan 1, 1970 00:00:00 (both positive and negative) in an externally defined timezone. This would make it equivalent to that of the (Linux) date command e.g.
date -u -d@0 Thu Jan 1 00:00:00 UTC 1970
date -u -d@$(( 1 << 31 )) Tue Jan 19 03:14:08 UTC 2038
date -u -d@$(( -1 * ( 1 << 31 ) )) Fri Dec 13 20:45:52 UTC 1901
Note that the 32-bit size of the value is only an artificial limitation and modern versions of (Linux) date have support for signed 64-bit values.
Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) and may require a key or legend.
As far known there is no list of predefined common sources. The author indicates there is none but there might be an implicit one in the tools by the same author.
According to the author the field is approx 8 char in length.
Host - The host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may also require a key or legend)
User - User, defined by user name, SID, email address, IM screenname, etc. (may also require a key or legend)
Description - The description of what happened; this is where context comes in...
In addition the Description field seems to be allowed to be overloaded with ; separated values. An example from the same blog post:
Where it looks like the separated fields in the Description are not pre-defined.
Known variants of TLN are:
- l2tTLN (log2timeline TLN); which extends the format with a TZ (timezone) and Notes field.