Title: Timeline Analysis
1 Timeline Analysis
- Harlan Carvey, Windows Forensic Analysis Toolkit, Chapter 7
2 Time Line Analysis
- Lists all system events, files, and browser activities in chronological order
- Multiple data sources
- Multiple systems
- Becoming very important in forensic analysis
- Approaches
  - Automatically gather everything
    - Kristinn Gudjonsson: log2timeline
  - Pick and choose
    - Harlan Carvey: this presentation
3 Carvey's Approach
- Command line driven
- Multiple tools
- Guided by the objectives of the investigation
- Looking for system files with date/time info
  - Biggest is in the MFT: the $STANDARD_INFORMATION attribute
  - Event logs
  - Registry: every entry has a time associated with it
  - Browser logs
4 Get the Right Tools
- Windows Forensic Analysis Toolkit
  - Harlan Carvey's book
  - Emphasis is on Windows 7
  - Get his tools for the book here:
    http://code.google.com/p/winforensicaanalysis/downloads/list
- Sleuthkit
  - fls
- FTK Imager
6 Temporal Proximity
- The more current the time info is, the more accurate it may be
- Because times may be altered, multiple references to a particular time will increase the confidence in that time
7 TLN Format
- Pipe delimited text file
- 5 fields
  - Time|Source|System|User|Description
- Easy to parse
- The user and description fields are relatively free form
8 Time Field
- 32-bit Unix time format
- UTC
- Granularity to the second
- Not sufficient for time stomping analysis based on MFT times
9 Time Formats
- 64-bit FILETIME (UTC)
  - Number of 100 nanosecond intervals since 1/1/1601
- 32-bit Unix time format (UTC)
  - Number of seconds since 1/1/1970
- String based format (local time)
  - 01/01/2010 2:42 PM
- SYSTEMTIME (local time)
  - Used in some registry entries and some XP times
10 Time Format: Most often used in Windows

    typedef struct _FILETIME {
        DWORD dwLowDateTime;
        DWORD dwHighDateTime;
    } FILETIME, *PFILETIME;

    BOOL WINAPI FileTimeToSystemTime(
        _In_  const FILETIME *lpFileTime,
        _Out_ LPSYSTEMTIME   lpSystemTime
    );

    typedef struct _SYSTEMTIME {
        WORD wYear;
        WORD wMonth;
        WORD wDayOfWeek;
        WORD wDay;
        WORD wHour;
        WORD wMinute;
        WORD wSecond;
        WORD wMilliseconds;
    } SYSTEMTIME, *PSYSTEMTIME;
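The conversion that every TLN producer has to do is FILETIME to 32-bit Unix time, and slides 8 and 9 point at what that conversion throws away. The Python below is an added example for this deck (it is not Carvey's code and not from the book); it does the FileTimeToSystemTime-style arithmetic with plain integers, using the epoch offset of 11644473600 seconds between 1601-01-01 and 1970-01-01. The sample value (2010-01-01 14:42:00 UTC) is constructed, and the "all sub-second digits zero" heuristic in has_subsecond_part is a common analyst rule of thumb, not something the slides state.

```python
"""FILETIME <-> Unix time conversion for TLN timelines (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Ticks (100 ns units) between the FILETIME epoch, 1601-01-01 00:00 UTC,
# and the Unix epoch, 1970-01-01 00:00 UTC: 11644473600 seconds * 10^7.
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_dwords(low: int, high: int) -> int:
    """Join dwLowDateTime/dwHighDateTime, as read from the FILETIME struct,
    into a single 64-bit tick count."""
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_unix(filetime: int) -> tuple[int, int]:
    """Return (unix_seconds, subsecond_ticks).

    unix_seconds is what goes into the TLN time field; subsecond_ticks
    (0..9_999_999) is the precision the 32-bit field discards."""
    if filetime < EPOCH_DIFF_TICKS:
        raise ValueError("FILETIME predates the Unix epoch")
    return divmod(filetime - EPOCH_DIFF_TICKS, TICKS_PER_SECOND)


def unix_to_filetime(unix_seconds: int, subsecond_ticks: int = 0) -> int:
    """Inverse of filetime_to_unix."""
    return unix_seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS + subsecond_ticks


def filetime_to_datetime(filetime: int) -> datetime:
    """UTC datetime for a FILETIME. Python keeps microseconds, so the last
    100 ns digit is dropped here as well."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def fits_tln_time_field(unix_seconds: int) -> bool:
    """The TLN time field is a 32-bit Unix time; anything outside this
    range cannot be represented in the timeline."""
    return 0 <= unix_seconds <= 0xFFFFFFFF


def has_subsecond_part(filetime: int) -> bool:
    """True when the timestamp carries sub-second precision. An MFT
    timestamp whose seven sub-second digits are all zero is a common
    (heuristic) sign that it was written by a tool rather than by the
    file system; this is exactly the detail lost once the value is
    reduced to whole seconds for a TLN line."""
    return filetime_to_unix(filetime)[1] != 0


if __name__ == "__main__":
    # Constructed sample: 2010-01-01 14:42:00 UTC as a FILETIME.
    sample = unix_to_filetime(1262356920)
    print(sample, filetime_to_unix(sample), filetime_to_datetime(sample))
```

Run the module directly to see the sample value in all three forms; the point to keep in mind is that a timeline built from TLN lines can no longer tell a genuine NTFS timestamp from one with a suspiciously round sub-second part, so that check has to happen before the conversion.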
11 Source Field
- FILE: file system create dates
- EVT: XP, 2000, 2003 event logs
- EVTX: Vista and 7 event logs
- REG: registry dates
- Etc.
12 System Field
- System name
- Host name
- IP Address
- MAC Address
13 User Field
- User associated with the event
- SID
- Users are often associated with registry entries
14 Description Field
- Brief description
- Sufficient information to evaluate significance
- Can include spaces and special characters
- Just no pipes (|)
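Slides 7 through 14 together define the TLN record; the Python below is an added example (not from the slides or from Carvey's scripts) of a writer and reader for that record. The writer refuses a stray pipe in any field, since one would shift every following field, and the reader splits at most four times so that a malformed description is kept whole instead of silently corrupting the User field. The sample events, host name and SID are constructed.

```python
"""Write and read TLN lines: Time|Source|System|User|Description (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

SEP = "|"


@dataclass(frozen=True)
class TlnEvent:
    time: int          # 32-bit Unix time, UTC
    source: str        # FILE, EVT, EVTX, REG, ...
    system: str        # host name, IP or MAC address
    user: str          # user name or SID, may be empty
    description: str   # free form, but must not contain the separator

    def to_line(self) -> str:
        """Serialize one record, refusing any field that would inject an
        extra separator and any time that does not fit the 32-bit field."""
        if not 0 <= self.time <= 0xFFFFFFFF:
            raise ValueError("time must be a 32-bit Unix time")
        for name in ("source", "system", "user", "description"):
            if SEP in getattr(self, name):
                raise ValueError(f"{name} field must not contain {SEP!r}")
        return SEP.join((str(self.time), self.source, self.system,
                         self.user, self.description))

    @classmethod
    def from_line(cls, line: str) -> TlnEvent:
        """Parse one line. Splitting at most four times keeps a description
        that (against the format) contains a pipe in one piece instead of
        shifting the fields."""
        parts = line.rstrip("\r\n").split(SEP, 4)
        if len(parts) != 5:
            raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
        t, source, system, user, description = parts
        return cls(int(t), source, system, user, description)

    def utc(self) -> datetime:
        return datetime.fromtimestamp(self.time, tz=timezone.utc)


def load_timeline(text: str) -> list[TlnEvent]:
    """Parse an events.txt-style file and return the events sorted by time."""
    events = [TlnEvent.from_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.time)


# Constructed sample (not from a real case): three events from three sources.
SAMPLE_EVENTS = "\n".join([
    "1262356920|FILE|Server||MACB [302592] C:/Windows/System32/cmd.exe",
    "1262356800|REG|Server|S-1-5-21-1111-2222-3333-1001|HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU",
    "1262356860|EVTX|Server||Service Control Manager/7036; a service entered the running state",
])

if __name__ == "__main__":
    for ev in load_timeline(SAMPLE_EVENTS):
        print(ev.utc().isoformat(), ev.source, ev.user, ev.description)
```

Because every tool that appends to events.txt writes the same five fields, a loader like this one is all that is needed to merge file system, registry and event log output into one ordered view.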
15 Creating Timelines
- Usually from an acquired image
- Sources
  - Your system
  - http://www.cfreds.nist.gov/Hacking_Case.html
  - http://www.forensickb.com/2008/01/forensic-practical.html
    - Have to convert the E01 format to dd; use FTK Imager
- Requires
  - ActiveState Perl 5
  - Sleuthkit
16 File Meta-Data: Dead Box
- Use mmls to find the partition
  - C:\case>mmls -t dos -i raw WinSP2.001
- Use fls to extract file metadata
  - C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ > bodyfile.txt
  - -m C:\ uses C:\ as the mount point in the output
- Extract relevant information from the bodyfile
  - Use Carvey's Perl script
  - C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
  - -s Server adds the server's name to the output
17 File Meta-Data: Live System or Remotely Mounted
- Open FTK Imager
- Add image as an evidence item
- Right click on evidence item
- Export Directory Listing
- .csv file in case folder
18 The Directory Listing
19 Clean up the .csv File
- Change the root directory to C:\
- Make it pretty
- Save it as a tab delimited .csv file
20 Into Bodyfile Format
- Have to use Carvey's ftkparse.pl script
  - perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt
21 Into TLN Format
- Have to use Carvey's bodyfile.pl parser
  - perl C:\bin\carvey\bodyfile.pl -f bodyfile.txt -s LapTop > live-events.txt
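Slides 16 through 21 both end at the same step: a TSK bodyfile (from fls or from ftkparse.pl) is turned into TLN lines with source FILE. The Python below is an added example of that step; it is not Carvey's bodyfile.pl, and the description layout (MACB flags, size, path) is this example's own choice. It reads the TSK 3.x bodyfile layout MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime and merges timestamps that coincide into one line, so a file whose four times are identical yields a single MACB entry rather than four. The sample records are constructed.

```python
"""TSK bodyfile -> TLN (source FILE) converter (added example)."""
from __future__ import annotations

# Order and letters of the MACB notation: Modified, Accessed, Changed
# (MFT entry modified), Born (created). '.' marks a flag not set.
MACB_KEYS = ("mtime", "atime", "ctime", "crtime")
MACB_LETTERS = {"mtime": "M", "atime": "A", "ctime": "C", "crtime": "B"}


def parse_bodyfile_line(line: str) -> dict:
    """Parse one TSK 3.x bodyfile record:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime"""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = parts
    return {
        "name": name, "inode": inode, "size": int(size or 0),
        "atime": int(atime), "mtime": int(mtime),
        "ctime": int(ctime), "crtime": int(crtime),
    }


def bodyfile_to_tln(lines, system: str, user: str = "") -> list[str]:
    """Emit one TLN line per distinct timestamp of each record, with the
    MACB flags showing which of the four timestamps share that value."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_bodyfile_line(line)
        by_time: dict[int, set[str]] = {}
        for key in MACB_KEYS:
            t = rec[key]
            if t <= 0:          # fls writes 0 for a timestamp it had no value for
                continue
            by_time.setdefault(t, set()).add(key)
        for t, keys in by_time.items():
            flags = "".join(MACB_LETTERS[k] if k in keys else "." for k in MACB_KEYS)
            # Description layout (flags, size, path) is this example's own.
            desc = f"{flags} [{rec['size']}] {rec['name']}"
            out.append(f"{t}|FILE|{system}|{user}|{desc}")
    return sorted(out, key=lambda l: int(l.split("|", 1)[0]))


# Constructed sample in fls -m output form (not from a real image).
SAMPLE_BODYFILE = "\n".join([
    "0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1262356920|1262356920|1262356920|1262356920",
    "0|C:/Users/bob/Desktop/notes.txt|5678-128-1|r/rrwxrwxrwx|0|0|42|1262400000|1262356800|1262356800|1262300000",
])

if __name__ == "__main__":
    for tln in bodyfile_to_tln(SAMPLE_BODYFILE.splitlines(), "Server"):
        print(tln)
```

The second sample record shows why the merge matters: its modified and changed times agree but its access and creation times differ, so it becomes three lines (...B, M.C., .A..) at three points in the timeline, which is the shape an analyst expects when reviewing what happened to a single file.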
22 Registry Data
- Registry key LastWrite times
- Contains a time line of user/system activity
- Some very useful tools
  - regtime.pl
  - regripper
23 Add Registry Data to the Time Line
- System configuration information
- Devices that have been connected
- WAPs that a laptop had been connected to
- Files accessed (MRU lists)
24 Timeline Tools
- RegTime
  - Parses key LastWrite times for all allocated keys within the specified hive file
  - regtime.pl -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
  - regtime.pl -r System -m HKLM/System/ -s Server >> events.txt
25 Regripper
- Timeline tools
- Using RegRipper's rip CLI utility
  - Get system name
    - C:\>rip -r System -p compname
  - Parse UserAssist data
    - C:\>rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
- Note: A number of plugins output in TLN format
26 Event Logs into the TimeLine
- Windows XP Event Logs readily parsed
  - Get AppEvent.evt, SysEvent.evt, SecEvent.evt
  - Into the TimeLine
    - evtparse -d <dir> >> events.txt
- Vista and Win 7
  - Much more info
  - Includes driver installations
    - USBs, etc.
  - C:\Windows\system32\winevt\Logs
27 Log Parser
- Log Parser is a good tool to parse Windows Event Logs
- Example
  - logparser -i:evt -o:csv "select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings from System" > d:\case\system.txt
  - You can replace System with d:\case\system.evtx or d:\case\*.evtx
- Parse the output
  - evtxparse d:\case\system.txt >> events.txt
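The last step on slide 27 turns Log Parser's CSV into TLN lines. The Python below is an added example of that step; it is not Carvey's evtxparse and its description layout (SourceName/EventID; strings) is its own. It assumes the five columns of the query above, that TO_UTCTIME values are printed as "yyyy-MM-dd HH:mm:ss" in UTC, and that Log Parser joins an event's insertion strings with "|" (its default strings separator), which collides with the TLN field separator and so must be replaced before the line is written. The CSV sample is constructed.

```python
"""Log Parser CSV (event log query) -> TLN lines (added example)."""
from __future__ import annotations

import calendar
import csv
import io
from datetime import datetime

# Column header Log Parser writes for the TO_UTCTIME(TimeGenerated) expression.
TIME_COLUMN = "TO_UTCTIME(TimeGenerated)"


def logparser_csv_to_tln(csv_text: str, system: str, source: str = "EVTX") -> list[str]:
    """Convert Log Parser CSV output (RecordNumber, UTC time, EventID,
    SourceName, Strings) into TLN lines sorted by time. Use source="EVT"
    for XP-era logs."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = []
    for row in reader:
        # Times are already UTC thanks to TO_UTCTIME; parse and take the epoch value.
        stamp = datetime.strptime(row[TIME_COLUMN], "%Y-%m-%d %H:%M:%S")
        t = calendar.timegm(stamp.timetuple())
        # The Strings column joins insertion strings with '|', the TLN
        # separator, so it is rewritten before it reaches the description.
        strings = (row.get("Strings") or "").replace("|", ", ")
        # Description layout (SourceName/EventID; strings) is this example's own.
        desc = f"{row['SourceName']}/{row['EventID']}"
        if strings:
            desc += f"; {strings}"
        out.append(f"{t}|{source}|{system}||{desc}")
    return sorted(out, key=lambda l: int(l.split("|", 1)[0]))


# Constructed sample of Log Parser -o:csv output (not from a real system).
SAMPLE_CSV = "\n".join([
    "RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings",
    "102,2010-01-01 14:42:00,7036,Service Control Manager,Windows Update|running",
    "101,2010-01-01 14:40:00,6005,EventLog,",
])

if __name__ == "__main__":
    for tln in logparser_csv_to_tln(SAMPLE_CSV, "Server"):
        print(tln)
```

The User field is left empty here because the query does not select the event's SID; if it is added to the select list, the converter should carry it into the fourth field rather than into the description.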