
Timeline Analysis





  1. Timeline Analysis. Geoff Black, EnCE, SnortCP, Senior Forensic Consultant, Professional Services Division, Guidance Software, Inc.

  2. Usage Scenarios
  • Intrusion mapping
  • Spyware / Malware file dropping
  • Suspect activity
  • File activity
  • Registry Keys
  • Email times
  • Web history

  3. The Common (And Wrong) Way
  • Many investigators do not conduct proper timeline analysis
  • EnCase does not give the user an easy method to accomplish this
  • Within Table View you can only add secondary sort columns
  • A secondary column only orders rows whose first-column values are identical
  • The result is NOT a unified linear timeline

  4. The Built-in Alternative
  • Timeline View gives a decent overview, but it is cumbersome and not at all user-friendly

  5. Proper Method: Unified Linear Timeline
  • Considers each date field individually
  • Not locked into sorting a single field
  • Does not base a second sort on the value of the first field
  • Completely linear across all date fields
  • End result is that an entry can be listed multiple times in the timeline, once for each date field

  6. Hands-On Lab
  • Check your Time Settings
    • Lab Machine TZ
    • Evidence TZ
  • Locate an interesting event
  • Select a date/time range around the event
  • Run Timeline Report EnScript & examine results
  • Use Selected Files to narrow your search if necessary
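The following Python is an added example, not part of the deck and not Geoff Black's Timeline Report EnScript. It builds the unified linear timeline described in slide 5 (one row per date field, so a file can appear up to four times) next to the "common (and wrong)" single-column sort from slide 3, and applies the lab steps from slide 6: timestamps are kept in UTC and only converted to the evidence time zone for display, and a date/time range narrows the output to the event of interest. The file paths, timestamps and the evidence time zone (UTC-8) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Timestamps are held in UTC and converted only when rendered, so the lab
# machine's zone and the evidence machine's zone are never mixed. The
# evidence zone (US Pacific, UTC-8) is a constructed assumption.
EVIDENCE_TZ = timezone(timedelta(hours=-8), name="PST")

DATE_FIELDS = ("created", "modified", "accessed", "entry_modified")


@dataclass(frozen=True)
class FileEntry:
    """One file-system entry with its four NTFS date fields."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime
    entry_modified: datetime


def utc(*parts: int) -> datetime:
    """Build a UTC datetime from (year, month, day, hour, minute, second)."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample entries (paths and times are invented, not from the deck).
SAMPLE = [
    FileEntry(r"C:\Users\bob\report.doc",
              created=utc(2007, 11, 1, 9, 0, 0),
              modified=utc(2008, 3, 10, 14, 5, 0),
              accessed=utc(2008, 3, 10, 14, 5, 0),
              entry_modified=utc(2008, 3, 10, 14, 5, 0)),
    FileEntry(r"C:\Windows\Temp\svc.exe",
              created=utc(2008, 3, 10, 14, 2, 5),
              modified=utc(2008, 3, 10, 14, 2, 5),
              accessed=utc(2008, 3, 10, 14, 30, 0),
              entry_modified=utc(2008, 3, 10, 14, 2, 6)),
    FileEntry(r"C:\Windows\Prefetch\SVC.EXE-PLACEHOLDER.pf",
              created=utc(2008, 3, 10, 14, 2, 9),
              modified=utc(2008, 3, 10, 14, 2, 9),
              accessed=utc(2008, 3, 10, 14, 2, 9),
              entry_modified=utc(2008, 3, 10, 14, 2, 9)),
]


def column_sort(entries, primary="modified", secondary="created"):
    """The common (and wrong) way: one row per file, ordered by a primary
    column; the secondary column only breaks ties within the primary one."""
    return sorted(entries, key=lambda e: (getattr(e, primary), getattr(e, secondary)))


def unified_timeline(entries, start=None, end=None):
    """Unified linear timeline: one row per (timestamp, field, path), so a
    file appears once for each date field, then every row is sorted by time.
    start/end (UTC, inclusive) narrow the output to the window of interest."""
    rows = []
    for entry in entries:
        for field in DATE_FIELDS:
            ts = getattr(entry, field)
            if start is not None and ts < start:
                continue
            if end is not None and ts > end:
                continue
            rows.append((ts, field, entry.path))
    rows.sort()
    return rows


def render(rows, display_tz=EVIDENCE_TZ):
    """Format rows for reading, converting UTC to the chosen display zone."""
    return [f"{ts.astimezone(display_tz).isoformat()}  {field:<15} {path}"
            for ts, field, path in rows]


if __name__ == "__main__":
    # A one-minute window around the dropped executable; report.doc's
    # 2007 creation time and the 14:30 access are outside it and drop out.
    window = (utc(2008, 3, 10, 14, 2, 0), utc(2008, 3, 10, 14, 3, 0))
    print("\n".join(render(unified_timeline(SAMPLE, *window))))
```

In the column sort, report.doc sits last because its modified time is latest; its 2007 creation time never surfaces. In the unified timeline the same file contributes four separate rows, so its creation is the first event on the whole timeline and the window around the executable shows only the seven rows that fall inside it.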

  7. Timeline Report Download
  • http://www.geoffblack.com/forensics/

  8. Detecting Timestamp Anomalies
  [Figure: MFT Entry Record Structure: Entry Header, Standard Information Attribute, File Name Attribute, Remainder of Record]
  • MFT stores two sets of dates
    • Standard Information Attribute (the set shown by EnCase and Windows)
    • File Name Attribute
  • Anti-forensics tools modify timestamps
    • TimeStomp / FileTouch / FileTouchdotNET
  • Popular theories for detection

  9. Detecting Timestamp Anomalies
  • Popular Theory: TimeStomp uses low precision timestamping
  • Problem: So does just about every major installation routine

  10. Detecting Timestamp Anomalies
  • Popular Theory: The FileName Attribute times will always be earlier than the Standard Information Attribute times in a normal timestamp
  • Problem: On standard well-used drives, expect up to 50% of entries where the FN timestamp is more recent than the SIA timestamp without any manual alterations

  11. Detecting Timestamp Anomalies
  • Detection is not reliable through attribute comparison or timestamp precision
  • The only currently reliable method is to identify a known tool on the system
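As an added example for slides 8 to 11 (not code from the deck or from Guidance Software), the Python below implements the two popular detection theories, whole-second ("low precision") $STANDARD_INFORMATION timestamps and $FILE_NAME times later than $STANDARD_INFORMATION times, on top of a minimal FILETIME converter, and runs them over constructed MFT records. None of the records was touched by a timestamp-altering tool, yet each heuristic fires on one of them, which is the deck's point: an installer that writes whole-second times trips the precision check, and a plain file copy (source modified time preserved in SI, FN times set at copy time) trips the attribute comparison. The paths and times are invented; the record layout holds only the created and modified times of each attribute.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# NTFS stores each timestamp as a 64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (Python has microsecond resolution, so the low digit is 0)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(filetime: int) -> datetime:
    """FILETIME ticks -> UTC datetime, truncated to microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def ft(year, month, day, hour, minute, second, microsecond=0) -> int:
    """Shorthand for building constructed FILETIME values in the samples."""
    return to_filetime(datetime(year, month, day, hour, minute, second,
                                microsecond, tzinfo=timezone.utc))


@dataclass(frozen=True)
class MftTimestamps:
    """Created/modified times from both attribute sets of one MFT record (constructed layout)."""
    path: str
    si_created: int    # $STANDARD_INFORMATION
    si_modified: int
    fn_created: int    # $FILE_NAME
    fn_modified: int


def whole_second(filetime: int) -> bool:
    """True when the sub-second part of the FILETIME is exactly zero."""
    return filetime % TICKS_PER_SECOND == 0


def low_precision_theory(rec: MftTimestamps) -> bool:
    """Popular theory (slide 9): SI times with no sub-second part were set by a tool."""
    return whole_second(rec.si_created) and whole_second(rec.si_modified)


def fn_after_si_theory(rec: MftTimestamps) -> bool:
    """Popular theory (slide 10): FN times later than SI times mean SI was rolled back."""
    return rec.fn_created > rec.si_created or rec.fn_modified > rec.si_modified


def apply_theories(records):
    """Run both heuristics; returns {path: {"low_precision": bool, "fn_after_si": bool}}."""
    return {r.path: {"low_precision": low_precision_theory(r),
                     "fn_after_si": fn_after_si_theory(r)} for r in records}


# Constructed records; none of them was altered by an anti-forensics tool.
SAMPLE = [
    # Ordinary file: sub-second times, FN set at creation and never newer than SI.
    MftTimestamps(r"C:\Windows\System32\normal.dll",
                  si_created=ft(2008, 3, 1, 10, 0, 0, 123456),
                  si_modified=ft(2008, 3, 2, 11, 30, 0, 654321),
                  fn_created=ft(2008, 3, 1, 10, 0, 0, 123456),
                  fn_modified=ft(2008, 3, 1, 10, 0, 0, 123456)),
    # Installer-written file: whole-second times in both SI fields (constructed).
    MftTimestamps(r"C:\Program Files\App\app.exe",
                  si_created=ft(2008, 3, 5, 12, 0, 0),
                  si_modified=ft(2008, 3, 5, 12, 0, 0),
                  fn_created=ft(2008, 3, 5, 12, 0, 0),
                  fn_modified=ft(2008, 3, 5, 12, 0, 0)),
    # Copied file: SI modified preserved from the 2006 source, FN times set at copy time.
    MftTimestamps(r"C:\Users\bob\Documents\old.xls",
                  si_created=ft(2008, 3, 8, 16, 20, 0, 500000),
                  si_modified=ft(2006, 6, 1, 8, 0, 0, 250000),
                  fn_created=ft(2008, 3, 8, 16, 20, 0, 500000),
                  fn_modified=ft(2008, 3, 8, 16, 20, 0, 500000)),
]


if __name__ == "__main__":
    for path, flags in apply_theories(SAMPLE).items():
        print(f"{path}: {flags}")
```

Both flags are worth keeping in a report as leads for manual review, but, as slide 11 says, neither is evidence of alteration on its own; the output here shows two benign records flagged and the ordinary one clean, with no way to tell from the timestamps alone which case is which.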

  12. Virtual Private Computing - MojoPac

  13. Timeline Analysis. Geoff Black, EnCE, SnortCP, Senior Forensic Consultant, Professional Services Division, Guidance Software, Inc.
