Timeline Analysis - PowerPoint PPT Presentation

1
Timeline Analysis
  • Geoff Black, EnCE, SnortCP
  • geoff.black_at_guidancesoftware.com
  • Senior Forensic Consultant
  • Professional Services Division
  • Guidance Software, Inc.

2
Usage Scenarios
  • Intrusion mapping
  • Spyware / Malware file dropping
  • Suspect activity
  • File activity
  • Registry Keys
  • Email times
  • Web history

3
The Common (And Wrong) Way
  • Many investigators do not conduct proper timeline
    analysis
  • EnCase does not give the user an easy method to
    accomplish this
  • Within Table View you can only add secondary sort
    columns
  • These only sort when the first column has
    identical data
  • NOT a unified linear timeline

4
The Built-in Alternative
  • Timeline View gives a decent overview, but
    cumbersome - not at all user-friendly

5
Proper Method: Unified Linear Timeline
  • Considers each date field individually
  • Not locked into sorting a single field
  • Does not base a second sort on the value of the
    first field
  • Completely linear across all date fields
  • End result is that an entry can be listed
    multiple times in the timeline, once for each
    date field

6
Hands-On Lab
  • Check your Time Settings
  • Lab Machine TZ
  • Evidence TZ
  • Locate an interesting event
  • Select a date/time range around the event
  • Run Timeline Report EnScript; examine results
  • Use Selected Files to narrow your search if
    necessary

7
Timeline Report Download
  • http://www.geoffblack.com/forensics/

8
Detecting Timestamp Anomalies
MFT Entry Record Structure
  • MFT stores two sets of dates
  • Standard Information Attribute (EnCase, Windows)
  • File Name Attribute
  • Anti-forensics tools modify timestamps
  • TimeStomp / FileTouch / FileTouchdotNET
  • Popular theories for detection

9
Detecting Timestamp Anomalies
  • Popular Theory: TimeStomp uses low-precision
    timestamping
  • Problem: So does just about every major
    installation routine

10
Detecting Timestamp Anomalies
  • Popular Theory: The File Name Attribute times will
    always be earlier than the Standard Information
    Attribute times in a normal timestamp
  • Problem: On standard, well-used drives, expect up
    to 50% of entries where the FN timestamp is more
    recent than the SIA timestamp without any manual
    alterations

11
Detecting Timestamp Anomalies
  • Detection is not reliable through attribute
    comparison or timestamp precision
  • The only currently reliable method is to identify
    a known tool on the system
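Slides 8 to 11 describe the two timestamp sets held in an MFT record and why the two popular heuristics are unreliable. The Python below is an added example, not code from the presentation or from Guidance Software: it builds a constructed minimal FILE record, pulls the four FILETIMEs out of $STANDARD_INFORMATION and $FILE_NAME, and evaluates both heuristics so their weakness can be seen on data you control. The record builder, the sample times and the flag names are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
SI, FN = 0x10, 0x30                                  # $STANDARD_INFORMATION, $FILE_NAME type codes

def to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10   # FILETIME is in 100 ns units

def resident_attr(atype, content):
    """Resident attribute: 24-byte header, content at offset 24, total length padded to 8."""
    pad = -len(content) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, 24 + len(content) + pad, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\0" * pad

def build_record(si_times, fn_times, name="example.txt"):
    """Constructed minimal FILE record (not a real MFT dump): 48-byte header, SI, FN, end marker."""
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)                      # 4 FILETIMEs, flags, versions
    fn = struct.pack("<Q4Q2Q2IBB", 5, *fn_times, 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = resident_attr(SI, si) + resident_attr(FN, fn) + b"\xff\xff\xff\xff"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 0, 0, 1, 1, 48, 1, 48 + len(body), 1024, 0, 3, 0, 0)
    return hdr + body

def parse_timestamps(record):
    """Return {SI: [created, modified, mft_modified, accessed], FN: [...]} as raw FILETIME ints."""
    assert record[:4] == b"FILE", "not an MFT FILE record"
    off = struct.unpack_from("<H", record, 0x14)[0]              # offset of the first attribute
    out = {}
    while True:
        atype = struct.unpack_from("<I", record, off)[0]
        if atype == 0xFFFFFFFF:                                   # end-of-attributes marker
            break
        alen, nonres = struct.unpack_from("<IB", record, off + 4)
        if not nonres and atype in (SI, FN):
            content = off + struct.unpack_from("<H", record, off + 0x14)[0]
            base = content + (8 if atype == FN else 0)            # FN times follow the parent reference
            out[atype] = list(struct.unpack_from("<4Q", record, base))
        off += alen
    return out

def heuristic_flags(times):
    """The two popular heuristics from the slides; both fire on untampered files too."""
    si, fn = times[SI], times[FN]
    return {"si_whole_seconds": all(t % 10_000_000 == 0 for t in si),   # low-precision stamps
            "fn_newer_than_si": any(f > s for f, s in zip(fn, si))}
T0 = datetime(2007, 3, 14, 9, 26, 53, 589793, tzinfo=timezone.utc)      # constructed sample time
NORMAL = [to_filetime(T0 + timedelta(minutes=i)) for i in range(4)]
STOMPED = [to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc))] * 4   # whole-second, older than FN

if __name__ == "__main__":
    for label, si in (("untouched", NORMAL), ("stomped-looking", STOMPED)):
        print(label, heuristic_flags(parse_timestamps(build_record(si, NORMAL))))
```

A flag of True from either heuristic only says the record looks like the output of an installer or a copy, which is exactly the false-positive problem the slides describe; a known tool on the system remains the evidence that counts.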

12
Virtual Private Computing - MojoPac
13
Timeline Analysis
  • Geoff Black, EnCE, SnortCP
  • geoff.black_at_guidancesoftware.com
  • Senior Forensic Consultant
  • Professional Services Division
  • Guidance Software, Inc.