Timeline Analysis

Presentation Transcript

  1. Timeline Analysis
     Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7

  2. Timeline Analysis
     • Lists all system events, files and browser activities in chronological order
     • Multiple data sources
     • Multiple systems
     • Becoming very important in forensic analysis
     • Approaches
       • Automatically gather everything: Kristinn Gudjonsson’s log2timeline
       • Pick and choose: Harlan Carvey’s approach, the subject of this presentation

  3. Carvey’s Approach
     • Command line driven
     • Multiple tools
     • Guided by the objectives of the investigation
     • Looking for system files with date/time info
       • Biggest is in the MFT: the $STANDARD_INFORMATION attribute
       • Event logs
       • Registry: every entry has a time associated with it
       • Browser logs

  4. Get the Right Tools
     • Windows Forensic Analysis Toolkit: Harlan Carvey’s book; the emphasis is on Windows 7
     • Get his tools for the book here: http://code.google.com/p/winforensicaanalysis/downloads/list
     • Sleuthkit (fls)
     • FTK Imager

  5. Temporal Proximity
     • The more current the time info is, the more accurate it may be
     • Because times may be altered, multiple references to a particular time increase the confidence in that time

  6. TLN Format
     • Pipe (“|”) delimited text file
     • 5 fields: Time | Source | System | User | Description
     • Easy to parse
     • The User and Description fields are relatively free form

  7. Time Field
     • 32-bit Unix time format
     • UTC
     • Granularity to the second
     • Not sufficient for time-stomping analysis based on MFT times

  8. Time Formats
     • 64-bit FILETIME (UTC): number of 100-nanosecond intervals since 1/1/1601
     • 32-bit Unix time format (UTC): number of seconds since 1/1/1970
     • String-based format (local time), e.g. 01/01/2010 2:42 PM
     • SYSTEMTIME (local time): used in some registry entries and some XP times

  9. Time Format: Most Often Used in Windows

     typedef struct _FILETIME {
         DWORD dwLowDateTime;
         DWORD dwHighDateTime;
     } FILETIME, *PFILETIME;

     BOOL WINAPI FileTimeToSystemTime(
         _In_  const FILETIME *lpFileTime,
         _Out_ LPSYSTEMTIME    lpSystemTime
     );

     typedef struct _SYSTEMTIME {
         WORD wYear;
         WORD wMonth;
         WORD wDayOfWeek;
         WORD wDay;
         WORD wHour;
         WORD wMinute;
         WORD wSecond;
         WORD wMilliseconds;
     } SYSTEMTIME, *PSYSTEMTIME;
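The structures above describe the value; the conversions below are an added Python example (not code from Carvey’s book or from this presentation) that assembles a FILETIME from its DWORD pair or from the raw on-disk bytes, reduces it to the second-granularity value the TLN Time field carries, and exposes the sub-second ticks that reduction throws away, which is exactly what slide 7 warns is lost for MFT time-stomping analysis. The constant FILETIME_2010_01_01_1442 is constructed to equal 01/01/2010 2:42 PM UTC from slide 8; the whole-second heuristic is a general indicator, not a statement about any particular tool.

```python
"""FILETIME, Unix and TLN time conversions (added example; not from the presentation)."""
import struct
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                          # FILETIME counts 100 ns intervals
EPOCH_DIFF_TICKS = 11_644_473_600 * TICKS_PER_SECOND   # 1601-01-01 -> 1970-01-01
FILETIME_2010_01_01_1442 = 129_068_305_200_000_000     # constructed: 2010-01-01 14:42:00 UTC


def filetime_from_dwords(low: int, high: int) -> int:
    """Assemble the 64-bit value from the dwLowDateTime / dwHighDateTime pair."""
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_from_bytes(raw: bytes) -> int:
    """Read the 8-byte little-endian FILETIME as it is stored on disk (e.g. in an MFT entry)."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(filetime: int) -> datetime:
    """UTC datetime; Python keeps microseconds, so the last digit of the 100 ns ticks is dropped."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def filetime_to_tln(filetime: int) -> int:
    """Whole seconds since the Unix epoch: the value that goes into the TLN Time field."""
    return (filetime - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND


def unix_to_filetime(seconds: int) -> int:
    """Inverse of filetime_to_tln for a whole-second value."""
    return seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS


def sub_second_ticks(filetime: int) -> int:
    """The 100 ns remainder that the TLN Time field discards (0 .. 9,999,999)."""
    return (filetime - EPOCH_DIFF_TICKS) % TICKS_PER_SECOND


def fits_32bit_unix(filetime: int) -> bool:
    """True if the second value fits a signed 32-bit Unix time (late 1901 .. Jan 2038)."""
    return -(2 ** 31) <= filetime_to_tln(filetime) < 2 ** 31


def whole_second_timestamp(filetime: int) -> bool:
    """Heuristic: NTFS writes full-precision $STANDARD_INFORMATION timestamps, so a value
    whose sub-second part is exactly zero deserves a second look. Files extracted from
    archives or copied from FAT volumes also carry whole-second times, so this is a lead
    to follow up in the other sources, not proof of tampering."""
    return sub_second_ticks(filetime) == 0


if __name__ == "__main__":
    ft = FILETIME_2010_01_01_1442
    print(filetime_to_datetime(ft).isoformat(), filetime_to_tln(ft), whole_second_timestamp(ft))
    # A value 1,234,567 ticks later lands on the same TLN second; only the remainder differs.
    print(filetime_to_tln(ft + 1_234_567), sub_second_ticks(ft + 1_234_567))
```

Keep the full FILETIME beside the TLN record when the question is whether an MFT timestamp was altered; once the value has been reduced to seconds there is nothing left to compare.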

  10. Source Field
      • FILE – file system create dates
      • EVT – XP, 2000, 2003 event logs
      • EVTX – Vista and 7 event logs
      • REG – registry dates
      • Etc.

  11. System Field
      • System name
      • Host name
      • IP address
      • MAC address

  12. User Field
      • User associated with the event
      • SID
      • Users are often associated with registry entries

  13. Description Field
      • Brief description
      • Sufficient information to evaluate significance
      • Can include spaces and special characters
      • Just no “|”s
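Slides 6 to 13 define the record and slide 5 explains why agreement between sources matters. The following is an added Python example, not a tool from the book or the presentation, that parses TLN lines into the five fields, rejects malformed records (wrong field count, non-numeric time, a “|” inside the description), sorts them into a timeline, and scores each event by how many distinct sources report something within a few seconds of it. The TLN lines in SAMPLE_TLN are constructed for the example; the host name, user and paths are not from a real case.

```python
"""Parse, validate and sort TLN records, then score temporal proximity (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed TLN lines (not from a real case). Time is Unix seconds, UTC.
SAMPLE_TLN = """\
1262356925|EVTX|LAPTOP||Security/4624 logon for alice (type 2)
1262356920|FILE|LAPTOP||M... C:\\Users\\alice\\Documents\\report.docx
1262300000|FILE|LAPTOP||.A.. C:\\Windows\\System32\\notepad.exe
1262356920|REG|LAPTOP|alice|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs LastWrite
"""


@dataclass(frozen=True)
class TlnEvent:
    time: int           # seconds since 1970-01-01 UTC
    source: str         # FILE, EVT, EVTX, REG, ...
    system: str         # host name, IP or MAC address
    user: str           # user name or SID; may be empty
    description: str    # free form, but must not contain "|"

    def to_line(self) -> str:
        if "|" in self.description:
            raise ValueError("TLN description field may not contain '|'")
        return f"{self.time}|{self.source}|{self.system}|{self.user}|{self.description}"


def parse_tln_line(line: str) -> TlnEvent:
    """Split one record into its five fields and reject anything that is not valid TLN."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 pipe-delimited fields, got {len(fields)}: {line!r}")
    time_str, source, system, user, description = fields
    if not time_str.isdigit() or int(time_str) >= 2 ** 32:
        raise ValueError(f"time field is not a 32-bit Unix timestamp: {time_str!r}")
    if not source:
        raise ValueError("source field is empty")
    return TlnEvent(int(time_str), source, system, user, description)


def load_tln(text: str) -> list[TlnEvent]:
    """Parse every non-blank line and return the events in chronological order."""
    events = [parse_tln_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: (e.time, e.source))


def corroborating_sources(events: list[TlnEvent], event: TlnEvent, window: int = 5) -> int:
    """Distinct sources that have an event within +/- window seconds of `event`.
    A single source is only that source's word for the time; agreement across FILE,
    REG and EVTX is the 'multiple references' that raise confidence in it."""
    return len({e.source for e in events if abs(e.time - event.time) <= window})


def rank_by_corroboration(events: list[TlnEvent], window: int = 5) -> list[tuple[TlnEvent, int]]:
    """(event, distinct source count) pairs, most corroborated first, then oldest first."""
    scored = [(e, corroborating_sources(events, e, window)) for e in events]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0].time))


if __name__ == "__main__":
    timeline = load_tln(SAMPLE_TLN)
    for event, score in rank_by_corroboration(timeline):
        print(score, event.to_line())
```

The window is deliberately small (a few seconds) because the TLN time field has one-second granularity and the sources are on the same host; widen it when merging systems whose clocks are known to drift.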

  14. Creating Timelines
      • Usually from an acquired image
      • Sources
        • Your system
        • http://www.cfreds.nist.gov/Hacking_Case.html
        • http://www.forensickb.com/2008/01/forensic-practical.html
      • Have to convert E01 format to dd: use FTK Imager
      • Requires
        • ActiveState Perl 5.+
        • Sleuthkit

  15. File Meta-Data: Dead Box
      • Use mmls to find the partition
          C:\case>mmls -t dos -i raw WinSP2.001
      • Use fls to extract file metadata
          C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ WinSP2.001 > bodyfile.txt
        • -o 63: sector offset of the NTFS partition, as reported by mmls
        • -m C:\ uses C:\ as the mount point in the output
      • Extract the relevant information from the bodyfile with Carvey’s Perl script
          C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
        • -s Server adds the server’s name to the output

  16. File Meta-Data: Live System or Remotely Mounted
      • Open FTK Imager
      • Add the image as an evidence item
      • Right click on the evidence item
      • “Export Directory Listing”
      • .csv file in the case folder

  17. The Directory Listing

  18. Clean up the .csv File
      • Change the root directory to C:\
      • Make it pretty
      • Save it as a tab-delimited .csv file

  19. Into Bodyfile Format
      • Have to use Carvey’s ftkparse.pl script
          perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt

  20. Into TLN Format
      • Have to use Carvey’s bodyfile.pl parser
          perl C:\bin\carvey\bodyfile.pl -f live-bodyfile.txt -s LapTop > live-events.txt
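Slides 15 and 20 both end by running bodyfile.pl over an fls bodyfile. The converter below is an added Python example, not bodyfile.pl itself or any code from the book, that performs the same step: it reads the Sleuth Kit bodyfile layout that fls -m produces (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), emits one TLN record per distinct timestamp per file with a MACB string showing which of the four $STANDARD_INFORMATION times fall on that second, skips the zero values TSK writes for absent times, and sorts the result. The exact description convention bodyfile.pl uses is assumed to be similar, not copied; the bodyfile lines in SAMPLE_BODYFILE are constructed.

```python
"""Convert a Sleuth Kit bodyfile (fls -m output) into TLN records (added example)."""
from collections import defaultdict

# Constructed bodyfile lines in the TSK 3.x layout:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# "fls -m C:\" has already prefixed the mount point. On NTFS, ctime is the MFT-entry
# change time and crtime the creation (birth) time; the last line has no times at all.
SAMPLE_BODYFILE = """\
0|C:\\Users\\alice\\Documents\\report.docx|12345-128-1|r/rrwxrwxrwx|0|0|20480|1262356920|1262356920|1262356930|1262300000
0|C:\\Windows\\System32\\notepad.exe|67-128-3|r/rrwxrwxrwx|0|0|193536|1262300000|1247535000|1247535000|1247535000
0|C:\\$Extend|11-144-2|d/drwxrwxrwx|0|0|0|0|0|0|0
"""


def parse_bodyfile_line(line: str):
    """Return (name, {"M": mtime, "A": atime, "C": ctime, "B": crtime}) for one record."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 bodyfile fields, got {len(fields)}: {line!r}")
    atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
    return fields[1], {"M": mtime, "A": atime, "C": ctime, "B": crtime}


def bodyfile_to_tln(text: str, system: str, user: str = "") -> list:
    """One TLN record per distinct timestamp per file. The MACB string says which of the
    four timestamps share that second (assumed to resemble bodyfile.pl's output; this is
    not its code). The -s value from the slides becomes the System field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, times = parse_bodyfile_line(line)
        by_time = defaultdict(set)
        for letter, t in times.items():
            if t > 0:                      # TSK writes 0 when a timestamp is absent
                by_time[t].add(letter)
        for t, letters in by_time.items():
            macb = "".join(c if c in letters else "." for c in "MACB")
            records.append(f"{t}|FILE|{system}|{user}|{macb} {name}")
    # Chronological order; ties broken by the record text so the output is deterministic.
    return sorted(records, key=lambda rec: (int(rec.split("|", 1)[0]), rec))


if __name__ == "__main__":
    for rec in bodyfile_to_tln(SAMPLE_BODYFILE, "Server"):
        print(rec)
```

Recent Sleuth Kit versions also emit a second bodyfile entry per NTFS file whose name ends in “($FILE_NAME)” and carries the $FILE_NAME attribute times; the converter treats those as ordinary records, which keeps both sets of times in the timeline for the comparison that time-stomping analysis needs.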

  21. Registry Data
      • Registry key LastWrite times
      • Contain a timeline of user/system activity
      • Some very useful tools
        • regtime.pl
        • RegRipper

  22. Add Registry Data to the Timeline
      • System configuration information
      • Devices that have been connected
      • WAPs that a laptop has been connected to
      • Files accessed (MRU lists)

  23. Timeline Tools: RegTime
      • Parses key LastWrite times for all allocated keys within the specified hive file
          regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
          regtime -r System -m HKLM/System/ -s Server >> events.txt

  24. RegRipper
      • Timeline tools using RegRipper’s rip CLI utility
      • Get the system name:
          C:\rip -r System -p compname
      • Parse UserAssist data:
          C:\rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
      • Note: a number of plugins output in TLN format

  25. Event Logs into the Timeline
      • Windows XP event logs are readily parsed
        • Get AppEvent.evt, SysEvent.evt, SecEvent.evt
        • Into the timeline:
            evtparse -d <dir> >> events.txt
      • Vista and Win 7
        • Much more info; includes driver installations, USB devices, etc.
        • C:\Windows\system32\winevt\Logs

  26. Log Parser
      • Log Parser is a good tool to parse Windows event logs
      • Example:
          logparser -i:evt -o:csv "SELECT RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings FROM System" > d:\case\system.txt
        • You can replace “System” with “d:\case\system.evtx” or “d:\case\*.evtx”
      • Parse the output:
          evtxparse d:\case\system.txt >> events.txt
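The last step on this slide turns Log Parser’s CSV into TLN records. The following is an added Python example of that conversion, not evtxparse or any code from the book: it reads the five columns the query above selects, turns the TO_UTCTIME() string into the TLN second count, and rewrites the Strings column, which Log Parser’s EVT input format joins with “|” by default (its -stringsSep parameter), so the record keeps exactly five fields as slide 13 requires. The CSV in SAMPLE_LOGPARSER_CSV is constructed, as are the host name and event contents; the “EventID/SourceName strings” description layout is this example’s own convention, and the Source label (EVTX here, EVT for XP-style logs) is a parameter.

```python
"""Turn Log Parser CSV output for a Windows event log into TLN records (added example)."""
import csv
import io
from datetime import datetime, timezone

# Constructed CSV in the column order of the query on the slide. Log Parser prints
# TO_UTCTIME() values as "YYYY-MM-DD HH:MM:SS" and joins an event's insertion strings
# in the Strings column with "|" (its default -stringsSep), which collides with TLN.
SAMPLE_LOGPARSER_CSV = """\
RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings
1042,2010-01-01 14:42:00,4624,Microsoft-Windows-Security-Auditing,S-1-0-0|-|-|0x3e7|S-1-5-21-1-2-3-1001|alice|LAPTOP|2
1043,2010-01-01 14:42:05,7036,Service Control Manager,Windows Update|running
"""


def logparser_time_to_unix(text: str) -> int:
    """Parse the UTC string Log Parser emitted into the TLN second count."""
    parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def logparser_csv_to_tln(text: str, system: str, source: str = "EVTX",
                         strings_sep: str = "; ") -> list:
    """One TLN record per event. The description is 'EventID/SourceName strings', with
    every '|' inside the insertion strings replaced so the record stays five fields."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if len(header) != 5:
        raise ValueError(f"expected the 5 columns from the slide's query, got {header}")
    records = []
    for record_number, time_utc, event_id, source_name, strings in reader:
        description = f"{event_id}/{source_name} {strings.replace('|', strings_sep)}".rstrip()
        records.append(f"{logparser_time_to_unix(time_utc)}|{source}|{system}||{description}")
    return sorted(records, key=lambda rec: int(rec.split("|", 1)[0]))


if __name__ == "__main__":
    for rec in logparser_csv_to_tln(SAMPLE_LOGPARSER_CSV, "LAPTOP"):
        print(rec)
```

Because the query already applies TO_UTCTIME(), the records line up with the UTC FILE and REG entries without a local-time offset; if the time column is exported in local time instead, convert it before writing the TLN time field or the sources will disagree by the zone offset.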