Mastering the Super Timeline log2timeline style Kristinn Guðjónsson The 2010 European Community Digital Forensics and Incident Response Summit London 2010


Page 2

SANS EU Forensics and Incident Response Summit

Who am I?
•  M.Sc. in computer and communication network engineering
•  Worked in forensics and information security since 2005
•  SANS certifications: GCIA, GCIH, GCFA gold
•  SANS mentor
•  Author of log2timeline
•  Blog author at the SANS forensics blog
•  Author of the blog: blog.kiddaland.net

Page 3

Why Timeline Analysis
•  Find out when events took place
•  Temporal proximity
•  Often a great place to start investigations
   ▫  Can quickly lead you to evidence that needs further analysis
   ▫  Send timeline to senior analyst during acquisition

Page 4

Traditional Timeline Analysis
•  Focused around timestamps extracted from filesystems
•  Different meaning depending on the filesystem
•  Has been done for years
   ▫  Needs to be extended...

Page 5

Traditional Timeline Analysis

Date Type Meta File Name

Wed Jul 09 2008 01:47:16 ...b 391-128-1 C:/Users/Reed Richards/NTUSER.DAT

Thu Jun 18 2009 06:17:11 mac. 391-128-1 C:/Users/Reed Richards/NTUSER.DAT

Fri Jun 19 2009 05:16:57 m.c. 46477-128-4 C:/Windows/System32/winevt/Logs/Windows/System32/winevt/Logs/System.evtx

Fri Jun 19 2009 05:16:57 m.c. 46478-128-4 C:/Windows/System32/winevt/Logs/Windows/System32/winevt/Logs/Application.evtx

What does this tell you?

Page 6

Traditional Timeline Analysis
•  Can be extremely valuable
   ▫  Temporal proximity
•  Other problems
   ▫  Easy to manipulate (timestomp anyone?)
   ▫  Sensitive to changes
   ▫  Not always updated
•  Are there other solutions?

Page 7

Solutions?
•  Extend the timeline?
   ▫  Include information from within log files
   ▫  Difficult to alter every source of timestamps
•  Visually represent the timeline?
   ▫  Helps in some situations
•  Make a magic tool to analyse the timeline
   ▫  The Forensicator Pro has this ability already

Page 8

Methods to Extend Timeline Analysis
•  Manually adding timestamps to the timeline
   ▫  Not really efficient
   ▫  Need to know the location and format
•  Using specially crafted tools to extract timestamps
   ▫  Requires knowledge of multiple tools
   ▫  Need to know the location of each file

Page 9

Problems With Manual Labour
•  It’s not all a walk in the park
   ▫  Different files use different methods to store timestamps
   ▫  Files are stored using different formats
   ▫  Timestamps are stored in varying time zones
•  Analyst must recognise all these subtle differences

Page 10

Enter log2timeline
•  log2timeline is written to address this problem
   ▫  A framework designed for timeline analysis
•  What does it do?
   ▫  Extracts timestamps from various files
   ▫  Outputs them in various formats
•  What platform does it run on?
   ▫  Written to be used on Mac OS X or Linux
   ▫  Needs slight changes to be ported to Windows
•  Summary
   ▫  log2timeline is written to create a super timeline
   ▫  …and it does it automatically…

Page 11

Modules
•  Consists of four main parts
   ▫  Front-end
   ▫  Input module (aka a parser)
   ▫  Output module
   ▫  Shared libraries (between modules)
•  Each part is independent
   ▫  Makes adding new functionality easy

Page 12

Front-ends
•  Currently there are three available front-ends
   ▫  log2timeline: CLI version of the tool
   ▫  glog2timeline: GUI version of the tool
   ▫  timescanner: Recursive scanner

Page 13

Currently supported input modules

Module          Description
apache2_access  Apache 2 access log
apache2_error   Apache 2 error log
chrome          Chrome browser history
evt             Windows Event log
evtx            Windows Event log (Vista+)
exif            EXIF metadata
ff_bookmark     Bookmarks, Firefox 2
firefox2        Firefox 2 browser history
firefox3        Firefox 3 browser history, bookmarks
iehistory       IE browser history
iis             IIS log files
isatxt          ISA server firewall text export
mactime         Mactime bodyfile
mcafee          McAfee anti-virus log
opera           Opera browser history
oxml            Open XML metadata (.docx, pptx, ...)
pcap            PCAP network dump files
pdf             PDF metadata
prefetch        Prefetch/Superfetch
recycler        Recycle bin (XP/Vista+)
restore         Restore points
setupapi        SetupAPI log file
sol             Flash cookies (Local Shared Object)
squid           Squid access log files
syslog          Syslog messages
tln             TLN body file
userassist      Various registry keys from NTUSER.DAT
win_link        Windows shortcut file
xpfirewall      Firewall log files

Page 14

Output modules

Module     Description
beedocs    Output timeline using a tab-delimited file to import into BeeDocs
cef        Output timeline using the ArcSight Common Event Format (CEF)
cftl       Output timeline in an XML format that can be read by CFTL
csv        Output timeline using a CSV (Comma Separated Value) file
mactime    Output timeline using the mactime format
mactime_l  Output timeline using the legacy version of the mactime format (version 1.x and 2.x)
simile     Output timeline in an XML format that can be read by a SIMILE widget
sqlite     Output timeline into a SQLite database
tln        Output timeline using H. Carvey's TLN format
tlnx       Output timeline using H. Carvey's TLN format in XML

Page 15

Version 0.51
•  Version 0.51 will be released shortly
•  Changes introduced
   ▫  New input modules
      - Linux log file support
      - More information extracted from the registry
      - More Windows logs included
   ▫  Normal bug fixes
•  Changes introduced in version 0.50
   ▫  Possible to select input modules in timescanner
   ▫  Vast speed improvements in timescanner
   ▫  New output modules
•  Older versions too dependent on mactime
   ▫  mactime bodyfile is still the default output format

Page 16

Structure
•  Front-end controls the flow
•  Input modules do most of the work
   ▫  Verify whether the module is capable of parsing the artifact
   ▫  Parse it if possible and create the timestamp object
•  Output modules arrange the output and print it
   ▫  Use the timestamp object to create the output

Page 17

Timestamp Object
•  Core element of the tool
•  Contains all the information about each timestamp
•  The only object that is passed along between the different modules
•  Implemented as a Perl hash (keys of the hash, nested keys indented):

time
   index
      value
      type
      legacy
desc
short
source
sourcetype
version
[notes]
extra
   [filename]
   [host]
   [user]
   [...]

Page 18

Example: OpenXML
•  How does log2timeline parse OpenXML files?
•  An OpenXML file (docx, pptx, ...) is a ZIP file
   ▫  Contains XML files in a predefined structure
   ▫  Example structure of a Word file:

[Content_Types].xml
_rels/
    .rels
docProps/
    app.xml
    core.xml
    thumbnail.jpeg
word/
    _rels/
        document.xml.rels
    document.xml
    settings.xml
    …

Page 19

First Step - Verification
•  ZIP files have a magic value of 0x04034b50
•  ZIP files have a file name embedded in the header
•  log2timeline verifies the magic value and checks the file name
   ▫  Should be [Content_Types].xml

0000000: 504b 0304 1400 0600 0800 0000 2100 d201  PK..........!...
0000010: 98f4 8801 0000 d905 0000 1300 0802 5b43  ..............[C
0000020: 6f6e 7465 6e74 5f54 7970 6573 5d2e 786d  ontent_Types].xm
0000030: 6c20 a204 0228 a000 0200 0000 0000 0000  l ...(..........
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Page 20

Second Step: Preparation
•  Extracts the file _rels/.rels from the archive
   ▫  Contains information about the structure
   ▫  Reads all docProps values

…
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
…

Page 21

Third Step: Parsing
•  Goes through each XML file that contains metadata (docProps)
   ▫  Timestamps are stored in ISO-8601 format
   ▫  Checks whether any of the values are in ISO-8601 format
      - Creates a timestamp object containing the information extracted

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
…
<dc:title>My doc</dc:title>
<dc:subject>I’m doing word..</dc:subject>
…
<cp:lastModifiedBy></cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2009-09-29T13:53:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2009-09-29T13:59:00Z</dcterms:modified>
</cp:coreProperties>

Page 22

Fourth Step: Output
•  The output module prints the line

1263877260|OXML|-|Rob|(Open XML Metadata) [created] (Keynotes and Expert Briefings for Web Page) - 2010 EU - Incident Response and Digital Forensic Summit - - Application: Microsoft Office Word - Company: SANS Institute - AppVersion: 12.0000|EST5EDT|File:Keynotes and Briefings Document for Web.docx inode:1536061

The same entry, field by field:

time:        Tue Jan 19 2010 00:01:00
timezone:    EST5EDT
type:        created
macb:        MACB
sourcetype:  Open XML Metadata
source:      OXML
desc:        (Keynotes and Expert Briefings for Web Page) - 2010 EU - Incident Response and Digital Forensic Summit - - Application: Microsoft Office Word - Company: SANS Institute - AppVersion: 12.0000,Rob
filename:    Keynotes and Briefings Document for Web.docx

Page 23

How to install?
•  Three possibilities
   ▫  Compile from sources
   ▫  Use repositories
   ▫  Use distros with the tool pre-installed
•  Repository is the preferred method
   ▫  Tool gets updated along with system updates
•  Available repositories
   ▫  For Debian/Ubuntu (apt-get)
   ▫  For Fedora (yum)
   ▫  For BSD systems (port install), including Mac OS X (use macports)

Page 24

timescanner vs. log2timeline
•  log2timeline
   ▫  Parses and extracts timestamps from a single file
•  timescanner
   ▫  Recursive scanner
      - Recursively goes through a mount point to extract all available timestamps
   ▫  Possible to either select all, or a list of modules

Page 25

The “Magic” Behind Timescanner
•  Loads all selected input modules in a hash
•  Goes recursively through a directory that is passed to the tool
   ▫  Verifies the file/directory against selected input modules
   ▫  If the verification succeeds the file is parsed and the next file/directory is examined
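The four OpenXML steps (pages 19 to 22) and the timescanner loop above, as an added Python example that is not log2timeline's own code: a constructed .docx is built in memory, the ZIP magic and the embedded [Content_Types].xml name are checked, the docProps parts are located through _rels/.rels, every ISO-8601 value becomes a timestamp object shaped like the Perl hash on page 17, and each object is printed as a mactime bodyfile line. The function names, the MACB letters in LEGACY, and the sample document and mount point are assumptions.

```python
import io, os, re, struct, tempfile, zipfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

ZIP_MAGIC = 0x04034B50   # local file header signature ("PK\x03\x04" on disk)
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(?::\d{2})?(?:Z|[+-]\d{2}:\d{2})$")
LEGACY = {"created": "...B", "modified": "M..."}   # assumed MACB letters per timestamp type

# Constructed sample parts (not a real document); core.xml carries the slide's dcterms values.
CORE_XML = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"'
            ' xmlns:dcterms="http://purl.org/dc/terms/"><dc:title>My doc</dc:title>'
            '<cp:lastModifiedBy>Rob</cp:lastModifiedBy><cp:revision>1</cp:revision>'
            '<dcterms:created>2009-09-29T13:53:00Z</dcterms:created>'
            '<dcterms:modified>2009-09-29T13:59:00Z</dcterms:modified></cp:coreProperties>')
RELS_XML = '<Relationships><Relationship Id="rId3" Target="docProps/core.xml"/></Relationships>'

def build_sample_docx() -> bytes:
    """Minimal OpenXML package; [Content_Types].xml is written first, as Office does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", RELS_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()

def verify_oxml(path: str) -> bool:
    """Step 1: ZIP magic, and the name embedded in the first header must be [Content_Types].xml."""
    with open(path, "rb") as f:
        hdr = f.read(30)                         # fixed part of the local file header
        if len(hdr) < 30:
            return False
        magic, *_, name_len, _extra = struct.unpack("<IHHHHHIIIHH", hdr)
        return magic == ZIP_MAGIC and f.read(name_len) == b"[Content_Types].xml"

def parse_oxml(path: str) -> list:
    """Steps 2 and 3: docProps parts via _rels/.rels, one timestamp object per ISO-8601 value."""
    props = {}
    with zipfile.ZipFile(path) as z:
        for rel in ET.fromstring(z.read("_rels/.rels")).iter():
            if (rel.get("Target") or "").startswith("docProps/"):
                for el in ET.fromstring(z.read(rel.get("Target"))).iter():
                    props[el.tag.split("}")[-1]] = (el.text or "").strip()
    events = []
    for key, val in ((k, v) for k, v in props.items() if ISO8601.match(v)):
        dt = datetime.fromisoformat(val.replace("Z", "+00:00"))   # offset-aware, so a true UTC epoch
        events.append({"time": {"index": {"value": int(dt.timestamp()), "type": key,
                                          "legacy": LEGACY.get(key, "MACB")}},
                       "desc": f"{props.get('title', '')} - lastModifiedBy: {props.get('lastModifiedBy', '')}",
                       "source": "OXML", "sourcetype": "Open XML Metadata",
                       "extra": {"filename": path, "inode": os.stat(path).st_ino}})
    return events

def body_line(ev: dict) -> str:
    """Step 4: mactime 3.x bodyfile line (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime)."""
    t, stamp = ev["time"]["index"], str(ev["time"]["index"]["value"])
    atime, mtime, ctime, crtime = (stamp if t["legacy"][i] != "." else "0" for i in (1, 0, 2, 3))
    name = f"[{ev['source']}] ({t['type']}) {ev['desc']}"
    return "|".join(["0", name, str(ev["extra"]["inode"]), "-", "0", "0", "0",
                     atime, mtime, ctime, crtime])

MODULES = {"oxml": (verify_oxml, parse_oxml)}     # selected input modules, keyed by name

def scan_tree(root_dir: str, modules: dict = MODULES) -> list:
    """timescanner-style loop: verify each file against every selected module, parse with the first that accepts it."""
    events = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            for verify, parse in modules.values():
                if verify(path):
                    events.extend(parse(path))
                    break
    return sorted(events, key=lambda e: e["time"]["index"]["value"])

def demo() -> list:
    """Constructed mount point: one .docx plus a text file that no module accepts."""
    with tempfile.TemporaryDirectory() as mount:
        user_dir = Path(mount, "Users", "Reed Richards")
        user_dir.mkdir(parents=True)
        (user_dir / "notes.docx").write_bytes(build_sample_docx())
        Path(mount, "readme.txt").write_text("not an OpenXML file, just some constructed text\n")
        return [body_line(e) for e in scan_tree(mount)]
```

Running demo() yields two bodyfile lines, the created value in the crtime column and the modified value in the mtime column, while readme.txt fails the magic check and is skipped.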

Page 26

timescanner
•  Default behaviour is to use all input modules
•  Possible to limit the number of modules used (-f parameter)

linux     apache2_access, apache2_error, pcap, syslog
web       chrome, firefox3, firefox2, ff_bookmark, opera, iehistory, iis
winvista  chrome, evt, exif, ff_bookmark, firefox3, iehistory, iis, mcafee, opera, oxml, pdf, prefetch, recycler, restore, sol, userassist, win_link, xpfirewall
winxp     chrome, evt, exif, ff_bookmark, firefox3, iehistory, iis, mcafee, opera, oxml, pdf, prefetch, recycler, restore, setupapi, sol, userassist, win_link, xpfirewall

•  Example
   ▫  timescanner -z local -d /mnt/suspect -f web
   ▫  timescanner -z local -d /mnt/suspect -f chrome,firefox2

Page 27

Creating a Super Timeline
•  Mount the image file (read-only)

sudo mount -t ntfs-3g -o ro,loop,show_sys_files /cases/vista/vista_ntfs.dd /mnt/windows_vista_mount

•  Run timescanner against it

timescanner -z EST5EDT -f winvista -d /mnt/windows_vista_mount -w /cases/vista/bodyfile -log /cases/vista/timescanner.log

•  Run fls to get filesystem timestamps

fls -r -m C: /images/windowsforensics/vista_ntfs.dd >> /cases/vista/bodyfile

•  Run any other tool capable of extracting timestamps

Page 28

Output Methods
•  Ten different output modules
   ▫  Three for timeline visualization
   ▫  Six ASCII or XML output methods
   ▫  One database output

Page 29

Visualization
•  Three types of visualization modules
   ▫  SIMILE
   ▫  CFTL
   ▫  BeeDocs
•  Possible to use GnuPlot and scripts as well

Page 30

SIMILE Widget
•  SIMILE widget is essentially a web widget for visualizing temporal data
•  log2timeline can export both XML and JSON output for SIMILE widgets
   ▫  An HTML file has to be created to use and display the data though

Page 31

CyberForensics TimeLab (CFTL)
•  Created by Jens Olsson and Martin Boldt
•  Not yet released, a beta version and a research paper
•  Reads an image file and extracts all timestamps using plugins
•  Uses XML to store and read data
•  log2timeline can output using an XML file that CFTL can read

Page 32

CyberForensics TimeLab (CFTL)

Page 33

BeeDocs Visualization
•  Tool to visually represent timelines in 3D, among other things
•  Written solely for Mac OS X
•  Can read a tab-delimited file
•  log2timeline can output in a file that can be opened by BeeDocs

Page 34

BeeDocs

Page 35

GnuPlot and Scripts
•  Endless possibilities
•  Custom scripts
   ▫  Requiring scripting skills
•  Example of a web attack
   ▫  Started with a scan, thus creating several log entries

Page 36

Visualization
•  Pros
   ▫  Visualization is often easier to understand
   ▫  Easier to explain to non-technical people
   ▫  Great in reports
•  Cons
   ▫  Often extremely slow when dealing with many events
   ▫  Often difficult to find events of interest
•  Conclusions
   ▫  Better to analyse using different methods
   ▫  Suits some investigations better than others
   ▫  Use visualization for reports
   ▫  Include limited events in the visual timeline

Page 37

Good Ol’ Spreadsheet
•  Probably the most common method
•  Two possibilities
   ▫  Use mactime output and then use mactime to convert to CSV
   ▫  Use the CSV output module (not sorted)
•  Easy to create filters and hide fields

log2timeline -z EST5EDT -o csv -w /tmp/test.csv -f userassist NTUSER.DAT
log2timeline -z EST5EDT -o csv -w /tmp/test.csv -f iehistory Local\ Settings/History/History.IE5/index.dat

Page 38

Other Methods
•  Mandiant Highlighter
•  Combination of vim/less/grep using a CSV file
•  Or use whatever methods you can think of

Page 39

Review

Date Type Meta File Name

Wed Jul 09 2008 01:47:16 ...b 391-128-1 C:/Users/Reed Richards/NTUSER.DAT

Thu Jun 18 2009 06:17:11 mac. 391-128-1 C:/Users/Reed Richards/NTUSER.DAT

Fri Jun 19 2009 05:16:57 m.c. 46477-128-4 C:/Windows/System32/winevt/Logs/Windows/System32/winevt/Logs/System.evtx

Fri Jun 19 2009 05:16:57 m.c. 46478-128-4 C:/Windows/System32/winevt/Logs/Windows/System32/winevt/Logs/Application.evtx

Remember this timeline from before?

Page 40

Now We Have...

• Doesn’t this tell you a whole lot more?

Date Time Description

Sat Jun 13 2009 17:26:00 [System] (Event Logged) <Richards-Laptop> System/Service Control Manager ID [7036] : EventData/Data -> stopped (file: Windows/System32/winevt/Logs/System.evtx)

Sat Jun 13 2009 17:28:36 [NTUSER UserAssist key] (LastWritten) UEME_RUNPIDL [Count: 10] (file: Users/Reed Richards/NTUSER.DAT)

Sat Jun 13 2009 17:28:36 [NTUSER UserAssist key] (LastWritten) UEME_RUNPIDL:%csidl23%/iTunes/iTunes.lnk [Count: 7] (file: Users/Reed Richards/NTUSER.DAT)

Sat Jun 13 2009 17:28:37 [NTUSER UserAssist key] (LastWritten) UEME_RUNPATH:[iTunes] VIRTUAL [Count: 1] (file: /Users/Reed Richards/NTUSER.DAT)

Sat Jun 13 2009 17:33:02 [NTUSER MountPoints2 key] (Drive last mounted) Volume mounted - name: {a455ad5a-5839-11de-91f3-000000000000} (file: Users/Reed Richards/NTUSER.DAT)

Sat Jun 13 2009 17:33:12 [NTUSER UserAssist key] (LastWritten) UEME_RUNPATH:C:/Windows/system32/rundll32.exe [Count: 3] (file: Users/Reed Richards/NTUSER.DAT)

Sat Jun 13 2009 17:34:42 [System] (Event Logged) <Richards-Laptop> System/Service Control Manager ID [7036] :EventData/Data -> stopped (file: Windows/System32/winevt/Logs/System.evtx)

Sat Jun 13 2009 17:36:45 [System] (Event Logged) <Richards-Laptop> System/volsnap ID [33] :EventData/Data -> [0] /Device/HarddiskVolumeShadowCopy2[1] C:- EventData/Binary -> 00000000020030000000000021000640020000000000000001000000000000000000000000000000 (file: Windows/System32/winevt/Logs/System.evtx)

Sat Jun 13 2009 17:41:03 [Application] (Event Logged) <Richards-Laptop> Application/Application Hang ID [1002] :EventData/Data -> [0] iTunes.exe[1] 8.2.0.23[2] 888[3] 01c9ec6d5c702f60[4] 391- EventData/Binary -> 55006E006B006E006F0077006E0000000000 (file: Windows/System32/winevt/Logs/Application.evtx)

Sat Jun 13 2009 17:41:20 [Application] (Event Logged) <Richards-Laptop> Application/Desktop Window Manager ID [9009] :EventData/Data -> [0] 0x40010004- EventData/Binary -> empty (file: Windows/System32/winevt/Logs/Application.evtx)

Sat Jun 13 2009 17:41:21 [Application] (Event Logged) <Richards-Laptop> Application/Wlclntfy ID [6000] :EventData/Data -> [0] SessionEnv- EventData/Binary -> D9060000 (file: Windows/System32/winevt/Logs/Application.evtx)

Sat Jun 13 2009 17:41:21 [Application] (Event Logged) <Richards-Laptop> Application/profsvc ID [1530] :EventData/Data -> 3 user registry handles leaked from /Registry/User/S-1-5-21-865758690-3576269959-3781552731-1000:Process 836 (/Device/HarddiskVolume1/Windows/System32/svchost.exe) has opened ….Policies/Microsoft/Windows/CurrentVersion/Internet Settings (file: Windows/System32/winevt/Logs/Application.evtx)

Sat Jun 13 2009 17:41:25 [Application] (Event Logged) <Richards-Laptop> Application/profsvc ID [1530] :EventData/Data -> 1 user registry handles leaked from /Registry/User/S-1-5-21-865758690-3576269959-3781552731-1000_Classes:Process 836 (/Device/HarddiskVolume1/Windows/System32/svchost.exe) has opened key /REGISTRY/USER/S-1-5-21-865758690-3576269959-3781552731-1000_CLASSES (file: Windows/System32/winevt/Logs/Application.evtx)

Page 41

Future of log2timeline
•  New input modules
   ▫  Several sources that are not included
•  Modify the source code so it can be used on Windows
   ▫  Not that much that needs to be changed
•  Create a pretty GUI
   ▫  For those who enjoy point-and-click
•  Add pre-processing
   ▫  Gather information to use in input modules
•  Implement a test suite for validation
   ▫  To verify that it is working properly
•  Support for image files
   ▫  Remove the mandatory “mount the image file first” condition

Page 42

Future of Super Timeline
•  Biggest problem is the number of events
   ▫  Relevant entries are a few needles in a large haystack
•  Differences between cases require manual inspection
   ▫  No automatic tool yet to analyse timelines
•  Need to find a way to reduce the dataset in an intuitive manner
•  Possibilities
   ▫  Use OSSEC to initially go through the timeline to find some anomalies?
   ▫  Use Splunk to correlate data with other sources
   ▫  Create a new tool that can easily filter out irrelevant entries

Page 43

Summary
•  Timelines should be extended beyond simple filesystem timestamps
•  Super timelines have the capability to shorten investigation time
•  Traditional filesystem timeline is very volatile and degrades quickly with time
   ▫  The super timeline is more resilient to anti-forensics and degradation
•  Super timelines can be easily created using log2timeline
•  log2timeline is open-source software
   ▫  Developed in my own free time
   ▫  I like to look at it as donation-ware

Page 44

Kristinn Gudjonsson [email protected]