Hacker News new | ask | show | jobs
by pretty_lorelei 2519 days ago
They explain the reason in README:

  usbrip works with non-modified structure of system log files only, so, unfortunately, it won't be able to parse USB history if you change the format of syslogs (with syslog-ng or rsyslog, for example). That's why the timestamps of "Connected" and "Disconnected" fields don't have the year, by the way. Keep that in mind.
3 comments
jaclaz 2519 days ago
Well, no, that is a non-explanation.

If the format of syslogs doesn't change there should be no issues (or should it be read as "the system logs don't have the year"? )

If you don't have the year, it is not a "full date" in the forensic sense of the term, and you simply cannot present such a result in a Court.

A statement like "A Netac USB device was connected on May 26, presumably in the year 2019, exactly at 00:51:54 and soon after disconnected, exactly at 00:52:21" won't be good.

If it is technically not possible to retrieve the year, then the whole stuff has very little relevance on itself.

It would be needed to create a complete timeline of the system under investigation and correlate the month, day, time with activities that have an objective timestamp including the year.

link
pretty_lorelei 2519 days ago
> or should it be read as "the system logs don't have the year"? That's the case. RFC 3164, which specifies the log format, is the only one usbrip can read, and it doesn't have an option to specify year.
link
jaclaz 2519 days ago
Well, then the tool has no actual "forensics" use by itself.

It's a pity, of course, but it can only be a tool to confirm findings that have a "proper" timestamp.

Most probably the log consists of "appended" entries that might mitigate the issue, still it is needed a clear and extended "justification" to the procedure with wich the year is "attributed" to the yearless entry for forensics use.

link
pitaj 2519 days ago
Please don't quote with code blocks. Use italics or quote arrows instead.

Reading that on mobile was painful.

link
pretty_lorelei 2519 days ago
Oh, sorry. My third-party app previewed it just fine, but I've just tried it in the browser now and I promise I'll never do such thing again.
link
somacert 2519 days ago
Well that's unfortunate, I tend to be rather militant about switching my syslog to something resembling rfc 3339.

linux /etc/rsyslog.conf $ActionFileDefaultTemplate RSYSLOG_FileFormat

openbsd /etc/rc.conf.local syslogd_flags="-Z"

link