Installing log2timeline on SIFT – Updated Instructions for Ease of Use

If you use the SANS Investigative Forensic Toolkit (SIFT) Workstation for your forensic analysis you can easily add log2timeline to your VMware guest image. In order to get these files using the wget, yum, and cpan methods you must ensure that your SIFT workstation has its interface set to ‘bridged’ or ‘NAT’ mode so that it can get out to the Internet.

Steps to Install log2timeline on SIFT

1. Download the log2timeline archive to your SIFT workstation
[root@SIFTWorkstation ~]# wget

2. Extract the archive
[root@SIFTWorkstation ~]# tar zxvf log2timeline_0.33b.tgz

3. Change to the log2timeline directory
[root@SIFTWorkstation ~]# cd log2timeline

4. Install some of the dependancies using yum
[root@SIFTWorkstation ~]# yum install perl-DateTime perl-Net-Pcap perl-Archive-Zip perl-HTML-Scrubber perl-Image-ExifTool perl-Glib

5. Install the NetPacket::Ethernet module
[root@SIFTWorkstation ~]# perl -MCAPNPLUS -e 'install NetPacket::Ethernet'

6. Install the ExtUtils::Depends and ExtUtils::PkgConfig modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::Depends'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install ExtUtils::PkgConfig'

7. Install the Glib, Cairo, Pango, and Gtk2 modules
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Glib'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Cairo'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Pango'
[root@SIFTWorkstation ~]# perl -MCPANPLUS -e 'install Gtk2'

8. Compile log2timeline
[root@SIFTWorkstation log2timeline]# perl Makefile.PL && make && make install

9. Execute the log2timeline script using the ‘-f list’ flag to test the installation
[root@SIFTWorkstation log2timeline]# log2timeline -f list

That’s it. If the log2timeline -f list command displayed all available log file formats you should be good to go. In my experience, if a particular module is missing you will receive an error when running this file (in a different place depending on what is missing).

Now you should probably take a snapshot of your SIFT image so that you don’t revert back and lose your log2timeline application. If you would like more information on log2timeline there is a great article here: and the log2timeline project page can be found here:

Scroll to top