Timeline Analysis Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7
Time Line Analysis
• Lists all system events, files, browser activities in chronological order
• Multiple data sources
• Multiple systems
• Becoming very important in forensic analysis
• Approaches
  • Automatically gather everything: Kristinn Gudjonsson's log2timeline
  • Pick and choose: Harlan Carvey's approach (this presentation)
Carvey's Approach
• Command line driven
• Multiple tools
• Guided by the objectives of the investigation
• Looking for system files with date/time info
  • Biggest is in the MFT ($STANDARD_INFORMATION attribute)
  • Event logs
  • Registry: every entry has a time associated with it
  • Browser logs
Get the Right Tools
• Windows Forensic Analysis Toolkit (Harlan Carvey's book; emphasis is on Windows 7)
• Get his tools for the book here: http://code.google.com/p/winforensicaanalysis/downloads/list
• Sleuthkit (fls)
• FTK Imager
Temporal Proximity
• The more recent the time information is, the more accurate it may be
• Because times may be altered, multiple independent references to a particular time increase the confidence in that time
TLN Format
• Pipe "|" delimited text file
• 5 fields: Time | Source | System | User | Description
• Easy to parse
• The user and description fields are relatively free form
Time Field
• 32-bit Unix time format
• UTC
• Granularity to the second
• Not sufficient for time-stomping analysis based on MFT times, which carry sub-second resolution
Time Formats
• 64-bit FILETIME (UTC): number of 100-nanosecond intervals since 1/1/1601
• 32-bit Unix time format (UTC): number of seconds since 1/1/1970
• String based format (local time), e.g. 01/01/2010 2:42 PM
• SYSTEMTIME (local time): used in some registry entries and some XP timestamps
Time Format
• Most often used in Windows:
  typedef struct _FILETIME {
      DWORD dwLowDateTime;
      DWORD dwHighDateTime;
  } FILETIME, *PFILETIME;

  BOOL WINAPI FileTimeToSystemTime(
      _In_  const FILETIME *lpFileTime,
      _Out_ LPSYSTEMTIME    lpSystemTime
  );

  typedef struct _SYSTEMTIME {
      WORD wYear;
      WORD wMonth;
      WORD wDayOfWeek;
      WORD wDay;
      WORD wHour;
      WORD wMinute;
      WORD wSecond;
      WORD wMilliseconds;
  } SYSTEMTIME, *PSYSTEMTIME;
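As an added example (not from the slides or from Carvey's tools), the conversions the three slides above describe, in Python: joining the two FILETIME DWORDs, converting to the 32-bit Unix seconds that the TLN time field holds, and exposing the sub-second ticks that conversion throws away. The sample FILETIME value is constructed.

```python
from datetime import datetime, timezone, timedelta

# Ticks (100 ns) between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000

def filetime_from_dwords(low: int, high: int) -> int:
    """Join the dwLowDateTime/dwHighDateTime pair of a FILETIME into one 64-bit tick count."""
    return (high << 32) | (low & 0xFFFFFFFF)

def filetime_to_unix(ft: int) -> int:
    """32-bit Unix seconds, as written into the TLN time field.
    Integer division discards the sub-second ticks: that is the granularity loss the
    slides warn about, so keep the raw FILETIME around when MFT times matter."""
    return (ft - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND

def subsecond_ticks(ft: int) -> int:
    """The 100 ns remainder a TLN time field cannot carry. Examiners compare this
    remainder across a file's $STANDARD_INFORMATION times: values set to whole
    seconds (remainder 0) are a common artefact of time alteration."""
    return ft % TICKS_PER_SECOND

def filetime_to_datetime(ft: int) -> datetime:
    """Full UTC datetime; Python stores microseconds, so 100 ns ticks truncate to 1 us."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def filetime_to_systemtime(ft: int) -> dict:
    """The same instant as the SYSTEMTIME fields (wDayOfWeek: 0 = Sunday), kept in UTC."""
    dt = filetime_to_datetime(ft)
    return {"wYear": dt.year, "wMonth": dt.month, "wDayOfWeek": (dt.weekday() + 1) % 7,
            "wDay": dt.day, "wHour": dt.hour, "wMinute": dt.minute,
            "wSecond": dt.second, "wMilliseconds": dt.microsecond // 1000}

def to_slide_string(ft: int) -> str:
    """The '01/01/2010 2:42 PM' string form from the slide (rendered in UTC here)."""
    dt = filetime_to_datetime(ft)
    hour12 = dt.hour % 12 or 12
    ampm = "AM" if dt.hour < 12 else "PM"
    return f"{dt.month:02d}/{dt.day:02d}/{dt.year} {hour12}:{dt.minute:02d} {ampm}"

if __name__ == "__main__":
    # Constructed value: 2010-01-01 14:42:00.1234567 UTC expressed as a FILETIME.
    ft = 129_068_305_201_234_567
    print(filetime_to_unix(ft), subsecond_ticks(ft), to_slide_string(ft))
```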
Source Field
• FILE – file system create dates
• EVT – XP, 2000, 2003 event logs
• EVTX – Vista and 7 event logs
• REG – registry dates
• Etc.

System Field
• System name
• Host name
• IP address
• MAC address

User Field
• User associated with the event
• SID
• Users are often associated with registry entries

Description Field
• Brief description
• Sufficient information to evaluate significance
• Can include spaces and special characters
• Just no "|"s
Creating Timelines
• Usually from an acquired image
• Sources
  • Your system
  • http://www.cfreds.nist.gov/Hacking_Case.html
  • http://www.forensickb.com/2008/01/forensic-practical.html
  • Have to convert E01 format to dd – use FTK Imager
• Requires
  • ActiveState Perl 5.+
  • Sleuthkit
File Meta-Data: Dead Box
• Use mmls to find the partition
  C:\case>mmls -t dos -i raw WinSP2.001
• Use fls to extract file metadata
  C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ > bodyfile.txt
  • -m C:\ uses C:\ as the mount point in the output
• Extract relevant information from the bodyfile with Carvey's Perl script
  C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
  • -s Server adds the server's name to the output
File Meta-Data: Live System or Remotely Mounted
• Open FTK Imager
• Add image as an evidence item
• Right click on evidence item
• "Export Directory Listing"
• .csv file in case folder

Clean up the .csv File
• Change the root directory to C:\
• Make it pretty
• Save it as a tab delimited .csv file
Into Bodyfile Format
• Have to use Carvey's ftkparse.pl script
  perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt

Into TLN Format
• Have to use Carvey's bodyfile.pl parser
  perl C:\bin\carvey\bodyfile.pl -f bodyfile.txt -s LapTop > live-events.txt
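An added Python example (not Carvey's bodyfile.pl, and not part of the slides) that covers the TLN field slides above and the bodyfile-to-TLN step: it turns fls bodyfile lines into FILE events, enforces the no-"|" rule on the description, and merges events from several sources into chronological order. The bodyfile lines and the REG event are constructed sample data; the MACB flag layout in the description is this example's own choice.

```python
from collections import defaultdict

# Constructed sample in the bodyfile layout that `fls -m C:\` writes
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); not real case data.
SAMPLE_BODYFILE = """\
0|C:\\Windows\\notepad.exe|1234-128-3|r/rrwxrwxrwx|0|0|193536|1262356920|1262356920|1262356920|1262356920
0|C:\\Users\\bob\\evil.exe|5678-128-1|r/rrwxrwxrwx|0|0|4096|1262357000|1262356000|1262357000|1262356000
"""

def make_tln(t, source, system, user, desc):
    """Build one TLN line; the description is free-form but must not contain the delimiter."""
    if "|" in desc:
        raise ValueError("TLN description must not contain '|'")
    return f"{int(t)}|{source}|{system}|{user}|{desc}"

def parse_tln(line):
    """Split a TLN line into (time, source, system, user, description)."""
    t, source, system, user, desc = line.rstrip("\n").split("|", 4)
    return int(t), source, system, user, desc

def bodyfile_to_tln(text, system, user=""):
    """One FILE event per distinct timestamp of each entry, flagged MACB-style
    (M=mtime, A=atime, C=ctime, B=crtime; '.' where that time differs)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"unexpected bodyfile field count {len(fields)}: {line!r}")
        name = fields[1]
        stamps = {"M": int(fields[8]), "A": int(fields[7]), "C": int(fields[9]), "B": int(fields[10])}
        by_time = defaultdict(str)          # timestamp -> letters that carry it
        for flag in "MACB":
            by_time[stamps[flag]] += flag
        for t, letters in by_time.items():
            macb = "".join(c if c in letters else "." for c in "MACB")
            events.append(make_tln(t, "FILE", system, user, f"{macb} {name}"))
    return events

def sort_events(lines):
    """Merge any number of TLN sources (FILE, REG, EVTX ...) into chronological order."""
    return sorted(lines, key=lambda l: parse_tln(l)[0])

if __name__ == "__main__":
    # A constructed REG line stands in for regtime/rip output appended to events.txt.
    merged = bodyfile_to_tln(SAMPLE_BODYFILE, "Server") + [
        make_tln(1262356500, "REG", "Server", "bob", "HKCU/Software/Constructed LastWrite")]
    print("\n".join(sort_events(merged)))
```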
Registry Data
• Registry key LastWrite times
• Contain a time line of user/system activity
• Some very useful tools
  • regtime.pl
  • RegRipper

Add Registry Data to the Time Line
• System configuration information
• Devices that have been connected
• WAPs that a laptop had been connected to
• Files accessed (MRU lists)
Timeline Tools
• RegTime
  • Parses key LastWrite times for all allocated keys within the specified hive file
  regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
  regtime -r System -m HKLM/System/ -s Server >> events.txt
RegRipper
• Timeline tools
• Using RegRipper's rip CLI utility
  • Get system name:
    C:\>rip -r System -p compname
  • Parse UserAssist data:
    C:\>rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
• Note: a number of plugins output in TLN format
Event Logs into the TimeLine
• Windows XP event logs are readily parsed
  • Get AppEvent.evt, SysEvent.evt, SecEvent.evt
  • Into the timeline:
    evtparse -d <dir> >> events.txt
• Vista and Win 7
  • Much more info
  • Includes driver installations (USBs, etc.)
  • C:\Windows\system32\winevt\Logs
Log Parser
• Log Parser is a good tool to parse Windows event logs
• Example:
  Logparser -i:evt -o:csv "select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings from System" > d:\case\system.txt
  You can replace "System" with "d:\case\system.evtx" or "d:\case\*.evtx"
• Parse the output:
  evtxparse d:\case\system.txt >> events.txt
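An added example (not Carvey's evtxparse.pl and not from the slides) of the last step: reading the CSV that the Log Parser query above produces and writing EVTX events in TLN format. The rows are constructed, the timestamp is assumed to be in Log Parser's default "yyyy-MM-dd hh:mm:ss" form, and because Log Parser joins the event's insertion strings with "|", the Strings column is sanitised before it becomes a TLN description.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column order of the query on the slide; not real case output.
SAMPLE_LOGPARSER_CSV = """\
RecordNumber,TimeGenerated,EventID,SourceName,Strings
101,2010-01-01 14:42:00,7036,Service Control Manager,Windows Update|running
102,2010-01-01 14:40:05,20001,UserPnp,USB\\VID_0000&PID_0000
"""

def evt_time_to_unix(ts):
    """TO_UTCTIME() output (assumed 'yyyy-MM-dd hh:mm:ss', already UTC) -> Unix seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def logparser_csv_to_tln(text, system, user=""):
    """One EVTX TLN line per CSV row, sorted by time. The '|' that Log Parser uses
    between insertion strings would break the TLN layout, so it is replaced."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        t = evt_time_to_unix(row["TimeGenerated"])
        desc = f"{row['SourceName']}/{row['EventID']} - {row['Strings']}".replace("|", ",")
        events.append(f"{t}|EVTX|{system}|{user}|{desc}")
    return sorted(events, key=lambda e: int(e.split("|", 1)[0]))

if __name__ == "__main__":
    print("\n".join(logparser_csv_to_tln(SAMPLE_LOGPARSER_CSV, "Server")))
```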