Timeline Analysis Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7

Page 1: Timeline Analysis Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7

Timeline Analysis

Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7

Page 2

Timeline Analysis

• Lists all system events, files and browser activities in chronological order
• Multiple data sources
• Multiple systems
• Becoming very important in forensic analysis
• Approaches
  – Automatically gather everything: Kristinn Gudjonsson's log2timeline
  – Pick and choose: Harlan Carvey's approach, followed in this presentation

Page 3

Carvey's Approach

• Command line driven
• Multiple tools
• Guided by the objectives of the investigation
• Looking for system artifacts that carry date/time information
  – Biggest source is the MFT: the $STANDARD_INFORMATION attribute (each record also holds a second set of timestamps in $FILE_NAME)
  – Event logs
  – Registry: every key has a LastWrite time
  – Browser logs

Page 4

Get the Right Tools

• Windows Forensic Analysis Toolkit
  – Harlan Carvey's book
  – Emphasis is on Windows 7
• Get his tools for the book here
  – http://code.google.com/p/winforensicaanalysis/downloads/list
• The Sleuth Kit
  – fls (and mmls, used below to find the partition offset)
• FTK Imager

Page 6

Temporal Proximity

• The more recent a timestamp is, the more likely it still reflects what actually happened (less time for it to have been overwritten or altered)
• Because timestamps can be altered, multiple independent references to a particular time (from different sources or artifacts) increase the confidence in that time

Page 7

TLN Format

• Pipe "|" delimited text file
• 5 fields
  – Time | Source | System | User | Description
• Easy to parse
• The user and description fields are relatively free form

Page 8

Time Field

• 32-bit Unix time format
• UTC
• Granularity to the second
• Not sufficient for time-stomping analysis based on MFT times, which are recorded to 100 nanoseconds; keep the raw values for that

Page 9

Time Formats

• 64-bit FILETIME (UTC)
  – Number of 100-nanosecond intervals since 1/1/1601
• 32-bit Unix time format (UTC)
  – Number of seconds since 1/1/1970
• String based format (local time)
  – 01/01/2010 2:42 PM
• SYSTEMTIME (local time)
  – Used in some registry values and some XP artifacts

Page 10

Time Format Most Often Used in Windows

typedef struct _FILETIME {
    DWORD dwLowDateTime;
    DWORD dwHighDateTime;
} FILETIME, *PFILETIME;

BOOL WINAPI FileTimeToSystemTime(
    _In_  const FILETIME *lpFileTime,
    _Out_ LPSYSTEMTIME   lpSystemTime
);

typedef struct _SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
} SYSTEMTIME, *PSYSTEMTIME;

Note: FileTimeToSystemTime does not convert time zones; a UTC FILETIME produces a UTC SYSTEMTIME. Call FileTimeToLocalFileTime first if local time is wanted.
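The conversions behind Pages 8 to 10, as an added Python example (this is not code from Carvey's book or his tools): it decodes the two FILETIME DWORDs and a raw SYSTEMTIME, converts FILETIME to the 32-bit Unix value the TLN time field uses, and shows what that conversion throws away. The timestamp values are constructed for the illustration.

```python
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

# 100-nanosecond intervals between 1601-01-01 and 1970-01-01, both UTC.
EPOCH_DIFF_100NS = 116_444_736_000_000_000
INTERVALS_PER_SEC = 10_000_000


def filetime_from_dwords(low: int, high: int) -> int:
    """Combine dwLowDateTime and dwHighDateTime into the 64-bit FILETIME value."""
    return (high << 32) | low


def filetime_from_bytes(raw: bytes) -> int:
    """Read the 8-byte little-endian FILETIME as stored on disk (MFT, registry)."""
    low, high = struct.unpack("<II", raw)
    return filetime_from_dwords(low, high)


def filetime_to_unix(ft: int) -> tuple[int, int]:
    """Return (whole Unix seconds, leftover 100-ns intervals).

    The first element is what goes into the TLN time field; the second is
    exactly the precision that field cannot carry.
    """
    return divmod(ft - EPOCH_DIFF_100NS, INTERVALS_PER_SEC)


def unix_to_filetime(unix_secs: int) -> int:
    """Inverse of filetime_to_unix for a whole-second value (fraction becomes 0)."""
    return unix_secs * INTERVALS_PER_SEC + EPOCH_DIFF_100NS


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME -> timezone-aware UTC datetime. datetime only holds microseconds,
    so the last digit of the 100-ns count is dropped."""
    secs, rem = filetime_to_unix(ft)
    base = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return base + timedelta(seconds=secs, microseconds=rem // 10)


def systemtime_from_bytes(raw: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME (eight little-endian WORDs) to a naive datetime.

    SYSTEMTIME carries no zone; whether it is local or UTC depends on who wrote
    it, which is why the slide lists it under local time.
    """
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def same_tln_second(ft_a: int, ft_b: int) -> bool:
    """True when two different FILETIMEs collapse onto the same TLN time value."""
    return filetime_to_unix(ft_a)[0] == filetime_to_unix(ft_b)[0]


def subsecond_is_zero(ft: int) -> bool:
    """A FILETIME whose 100-ns remainder is exactly zero is one of the things a
    time-stomping check on $STANDARD_INFORMATION looks for: a value written
    through a second-granularity API comes out with a zero fraction. The TLN
    field cannot show this, so keep the raw FILETIME alongside the timeline."""
    return filetime_to_unix(ft)[1] == 0


if __name__ == "__main__":
    # Constructed values: 2010-01-01 14:42:00 UTC, once with and once without a fraction.
    stomped = unix_to_filetime(1_262_356_920)   # 129068305200000000
    genuine = stomped + 1234                     # plus 123.4 microseconds
    for ft in (stomped, genuine):
        secs, rem = filetime_to_unix(ft)
        print(f"{ft} -> TLN {secs}, leftover {rem} x 100ns, "
              f"{filetime_to_datetime(ft).isoformat()}, zero fraction: {subsecond_is_zero(ft)}")
    print("same TLN second:", same_tln_second(stomped, genuine))
```

The point of keeping both numbers from filetime_to_unix is that the second one is lost the moment the value is written to events.txt; an analyst comparing $STANDARD_INFORMATION against $FILE_NAME for stomping has to work from the 64-bit values, not from the timeline.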

Page 11

Source Field

• FILE – file system timestamps (the MACB times from the MFT)
• EVT – XP, 2000, 2003 event logs
• EVTX – Vista and 7 event logs
• REG – registry key LastWrite times
• Etc.

Page 12

System Field

• System name, for example
  – Host name
  – IP address
  – MAC address

Page 13

User Field

• User associated with the event
• SID
• Users are often associated with registry entries (an NTUSER.DAT hive belongs to a single user)

Page 14

Description Field

• Brief description
• Sufficient information to evaluate significance
• Can include spaces and special characters
• Just no "|" characters, since that is the field delimiter

Page 15

Creating Timelines

• Usually from an acquired image
• Sources
  – Your own system
  – http://www.cfreds.nist.gov/Hacking_Case.html
  – http://www.forensickb.com/2008/01/forensic-practical.html
  – Have to convert E01 format to dd (raw): use FTK Imager
• Requires
  – ActiveState Perl 5.+
  – The Sleuth Kit

Page 16

File Meta-Data: Dead Box

• Use mmls to find the partition and its starting sector offset
  C:\case>mmls -t dos -i raw WinSP2.001

• Use fls to extract file metadata from that partition (-o is the offset reported by mmls, 63 here)
  C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ WinSP2.001 > bodyfile.txt
  – -m C:\ uses C:\ as the mount point prefix in the output
  – -r recurses into directories, -p prints full paths

• Extract the relevant information from the bodyfile
• Use Carvey's Perl script
  C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
  – -s Server adds the server's name to the output (the System field)
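The bodyfile-to-TLN step above, as an added Python example rather than Carvey's bodyfile.pl: it reads the bodyfile that fls writes, emits one TLN line per distinct timestamp of each file, and marks which of the four times (M, A, C, B) that line stands for. The same conversion applies to a bodyfile produced from an FTK Imager listing. It assumes The Sleuth Kit 3.x bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in Unix seconds UTC); the sample records are constructed, not real evidence.

```python
from __future__ import annotations

# Bodyfile columns written by The Sleuth Kit 3.x (fls -m):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (times are Unix seconds, UTC)
BODYFILE_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
                   "atime", "mtime", "ctime", "crtime")

# Letter and bodyfile column for each of the four NTFS timestamps, in MACB order.
MACB = (("M", "mtime"), ("A", "atime"), ("C", "ctime"), ("B", "crtime"))

# Constructed sample, in the shape fls -r -p -m C:/ prints (not real evidence).
# The "($FILE_NAME)" entry is how fls reports the second set of NTFS timestamps.
SAMPLE_BODYFILE = [
    "0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1262356920|1262356000|1262356000|1230000000",
    "0|C:/Windows/System32/cmd.exe ($FILE_NAME)|1234-48-2|r/rrwxrwxrwx|0|0|302592|1230000000|1230000000|1230000000|1230000000",
    "0|C:/Users/bob/evil.exe|5678-128-3|r/rrwxrwxrwx|0|0|4096|1262357000|1262357000|1262357000|1262357000",
    "this line is not a bodyfile record",
]


def parse_bodyfile_line(line: str) -> dict | None:
    """Split one bodyfile record; return None for anything that is not 11 fields."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(BODYFILE_FIELDS):
        return None
    return dict(zip(BODYFILE_FIELDS, parts))


def macb_flags(rec: dict, ts: int) -> str:
    """'MACB' pattern for one timestamp: the letter where that time equals ts, else '.'."""
    return "".join(letter if int(rec[col]) == ts else "." for letter, col in MACB)


def bodyfile_to_tln(lines, system: str, user: str = "") -> list[str]:
    """Turn bodyfile records into TLN lines: time|FILE|system|user|MACB path.

    One TLN line per distinct timestamp of each file, so a file whose four
    times are identical produces a single 'MACB' entry. Zero timestamps
    (TSK's marker for "not set") are skipped; malformed lines are ignored.
    """
    out = []
    for line in lines:
        rec = parse_bodyfile_line(line)
        if rec is None:
            continue
        times = sorted({int(rec[col]) for _, col in MACB} - {0})
        for ts in times:
            out.append(f"{ts}|FILE|{system}|{user}|{macb_flags(rec, ts)} {rec['name']}")
    # Sort by time, then by the line itself, so the result is already a timeline.
    out.sort(key=lambda entry: (int(entry.split("|", 1)[0]), entry))
    return out


if __name__ == "__main__":
    for entry in bodyfile_to_tln(SAMPLE_BODYFILE, "Server"):
        print(entry)
```

Reading the output: cmd.exe appears three times because its four times fall on three distinct seconds, while its $FILE_NAME entry collapses to a single MACB line. A $STANDARD_INFORMATION creation time later than the $FILE_NAME times is the kind of discrepancy the time-stomping slide refers to, and it is visible here only because both attribute sets were kept.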

Page 17

File Meta-Data: Live System or Remotely Mounted

• Open FTK Imager
• Add the image (or the live/mounted drive) as an evidence item
• Right click on the evidence item
  – "Export Directory Listing"
  – Produces a .csv file; save it in the case folder

Page 18

The Directory Listing (screenshot of the exported listing; not reproduced)

Page 19

Clean up the .csv File

• Change the root directory to C:\
• Make it pretty
• Save it as a tab delimited .csv file

Page 20

Into Bodyfile Format

• Use Carvey's ftkparse.pl script
  perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt

Page 21

Into TLN Format

• Use Carvey's bodyfile.pl parser
  perl C:\bin\carvey\bodyfile.pl -f live-bodyfile.txt -s LapTop > live-events.txt

Page 22

Registry Data

• Registry key LastWrite times
• Contain a timeline of user/system activity
• Some very useful tools
  – regtime.pl
  – RegRipper

Page 23

Add Registry Data to the Timeline

• System configuration information
• Devices that have been connected
• WAPs that a laptop has been connected to
• Files accessed (MRU lists)

Page 24

Timeline Tools

• RegTime
  – Parses key LastWrite times for all allocated keys within the specified hive file
  – -m gives the prefix placed in front of each key path, -s and -u fill the System and User fields

  regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
  regtime -r System -m HKLM/System/ -s Server >> events.txt

Page 25

RegRipper

• Timeline tools using RegRipper's rip CLI utility
• Get the system name (for the System field):
  C:\>rip -r System -p compname
• Parse UserAssist data:
  C:\>rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt

Note: A number of plugins (the ones with a _tln suffix) output in TLN format

Page 26

Event Logs into the Timeline

• Windows XP event logs are readily parsed
  – Get AppEvent.Evt, SysEvent.Evt, SecEvent.Evt
  – Into the timeline: evtparse -d <dir> >> events.txt
• Vista and Win 7
  – Much more info
  – Includes driver installations (USB devices, etc.)
  – C:\Windows\system32\winevt\Logs

Page 27

Log Parser

• Log Parser is a good tool to parse Windows event logs
• Example:
  logparser -i:evt -o:csv "select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings from System" > d:\case\system.txt
  – You can replace "System" with "d:\case\system.evtx" or "d:\case\*.evtx"
  – TO_UTCTIME() matters: Log Parser otherwise reports TimeGenerated in the local time of the analysis system, and the TLN time field is UTC
• Parse the output into the timeline:
  evtxparse d:\case\system.txt >> events.txt
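The last step above and the temporal proximity idea from Page 6, as one added Python example (not Carvey's evtxparse.pl or any of his tools): it converts the CSV that the Log Parser query writes into EVTX lines, merges them with FILE and REG lines into one sorted timeline, and then flags the events that are corroborated by a second source within a short window. The CSV rows, the FILE/REG lines and the event text are constructed for the illustration; the code assumes the five-column order of the query on this slide and Log Parser's default of joining an event's insertion strings with "|", which would otherwise break the pipe-delimited TLN line.

```python
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

# Constructed Log Parser output for the query on this slide (not a real log).
# Log Parser's EVT input joins insertion strings with "|" by default, which is
# the one character the TLN description field must not contain.
LOGPARSER_CSV = r"""RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings
4711,2010-01-01 14:42:05,7045,Service Control Manager,ExampleSvc|C:\Windows\ExampleSvc.exe|user mode service|auto start|LocalSystem
4712,2010-01-01 18:00:00,6006,EventLog,
"""

# Constructed FILE and REG lines, in the form bodyfile.pl and regtime append to events.txt.
FILE_TLN = [
    "1262356920|FILE|Server||.A.. C:/Windows/System32/cmd.exe",
    "1262356925|FILE|Server||MACB C:/Windows/ExampleSvc.exe",
]
REG_TLN = [
    "1262356927|REG|Server||M... HKLM/System/ControlSet001/Services/ExampleSvc",
]


def logparser_csv_to_tln(text: str, system: str, source: str = "EVTX") -> list[str]:
    """Convert Log Parser CSV rows (column order from the query above) to TLN lines."""
    out = []
    rows = csv.reader(io.StringIO(text))
    next(rows)  # header row
    for row in rows:
        if len(row) < 5:
            continue
        record, when, event_id, source_name, strings = row[:5]
        # TO_UTCTIME() already produced UTC; pin the zone so timestamp() adds no local offset.
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        strings = strings.replace("|", ",")  # keep the TLN line at exactly four pipes
        desc = f"{source_name}/{event_id} [{record}] {strings}".rstrip()
        out.append(f"{int(ts.timestamp())}|{source}|{system}||{desc}")
    return out


def parse_tln(line: str) -> tuple[int, str, str, str, str]:
    """Split a TLN line into (time, source, system, user, description)."""
    t, src, host, user, desc = line.rstrip("\r\n").split("|", 4)
    return int(t), src, host, user, desc


def merge_timeline(*event_lists) -> list[tuple[int, str, str, str, str]]:
    """Merge several events.txt-style lists into one chronologically sorted timeline."""
    events = [parse_tln(line) for lst in event_lists for line in lst]
    events.sort(key=lambda e: (e[0], e[1], e[4]))
    return events


def corroborated(events, window: int = 60):
    """Temporal proximity check over a time-sorted timeline: return each event
    with the sorted set of distinct sources seen within `window` seconds of it,
    keeping only events that have at least one other source nearby."""
    result = []
    for i, ev in enumerate(events):
        sources = {ev[1]}
        j = i - 1
        while j >= 0 and ev[0] - events[j][0] <= window:
            sources.add(events[j][1])
            j -= 1
        j = i + 1
        while j < len(events) and events[j][0] - ev[0] <= window:
            sources.add(events[j][1])
            j += 1
        if len(sources) >= 2:
            result.append((ev, sorted(sources)))
    return result


if __name__ == "__main__":
    timeline = merge_timeline(FILE_TLN, REG_TLN, logparser_csv_to_tln(LOGPARSER_CSV, "Server"))
    strong = {ev for ev, _ in corroborated(timeline)}
    for ev in timeline:
        mark = "*" if ev in strong else " "
        print(mark, datetime.fromtimestamp(ev[0], tz=timezone.utc).isoformat(), ev[1], ev[4])
```

In the sample, the service binary's creation time (FILE), the service install event (EVTX) and the Services key LastWrite (REG) land within seven seconds of each other, so all three are marked; the lone log-stop event hours later is not. That is the page's point about multiple references to a time: an attacker who stomps the file times still has to deal with the event log and the registry saying the same thing.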