
Timeline Analysis
Harlan Carvey: Windows Forensic
Analysis Toolkit, Chapter 7
Time Line Analysis
• Lists all system events, files, browser activities
in chronological order
• Multiple data sources
• Multiple systems
• Becoming very important in forensic analysis
• Approaches
• Automatically gather everything
– Kristinn Gudjonsson: log2timeline
• Pick and choose
– Harlan Carvey: This presentation
Carvey’s Approach
• Command line driven
• Multiple tools
• Guided by the objectives of the investigation
• Looking for system files with date/time info
• Biggest is in the MFT
– $STANDARD_INFORMATION attribute
• Event logs
• Registry – every key has a LastWrite time associated with it
• Browser logs
Get the Right Tools
• Windows Forensic Analysis Toolkit
• Harlan Carvey’s book
• Emphasis is on Windows 7
• Get his tools for the book here
• http://code.google.com/p/winforensicaanalysis/downloads/list
• Sleuthkit
• Fls
• FTK Imager
Temporal Proximity
• The more current the time info is, the more accurate it may be
• Because times may be altered, multiple references to a particular time increase the confidence in that time
TLN Format
• Pipe “|” delimited text file
• 5 fields
• Time | Source | System | User | Description
• Easy to parse
• The user and description fields are relatively
free form
Time Field
• 32-bit Unix time format
• UTC
• Granularity to the second
• Not sufficient for time-stomping analysis based on MFT times (which carry 100-nanosecond resolution)
Time Formats
• 64-bit FILETIME (UTC)
• Number of 100 nanosecond intervals since 1/1/1601
• 32-bit Unix time format (UTC)
• Number of seconds since 1/1/1970
• String based format (local time)
• 01/01/2010 2:42 PM
• SYSTEMTIME (local time)
• Used in some registry entries and some XP timestamps
Time Format
FILETIME is the format most often used in Windows:

typedef struct _FILETIME {
    DWORD dwLowDateTime;
    DWORD dwHighDateTime;
} FILETIME, *PFILETIME;

BOOL WINAPI FileTimeToSystemTime(
    _In_  const FILETIME *lpFileTime,
    _Out_ LPSYSTEMTIME    lpSystemTime
);

typedef struct _SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
} SYSTEMTIME, *PSYSTEMTIME;
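As an added example (not from Carvey's toolkit or the slides), the conversions above in Python: a FILETIME (64-bit, 100 ns ticks since 1601, UTC) is reduced to the 32-bit Unix seconds that the TLN time field holds, decomposed like FileTimeToSystemTime, and written to and read from a five-field TLN record. The FILETIME value and the local-time string are constructed sample values; the leftover ticks the function returns are exactly the sub-second precision the TLN format discards.

```python
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_UNIX_OFFSET = 116444736000000000
TICKS_PER_SECOND = 10_000_000
TLN_FIELDS = ("time", "source", "system", "user", "description")

def filetime_from_dwords(low: int, high: int) -> int:
    """Join dwLowDateTime/dwHighDateTime of a FILETIME struct into one 64-bit tick count."""
    return (high << 32) | low

def filetime_to_unix(ft: int) -> tuple[int, int]:
    """Return (32-bit Unix seconds, leftover 100 ns ticks). TLN keeps only the seconds."""
    ticks = ft - FILETIME_UNIX_OFFSET
    return ticks // TICKS_PER_SECOND, ticks % TICKS_PER_SECOND

def filetime_to_systemtime(ft: int) -> dict:
    """Python equivalent of FileTimeToSystemTime (UTC); wDayOfWeek uses Windows' 0 = Sunday."""
    secs, rem = filetime_to_unix(ft)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return {"wYear": dt.year, "wMonth": dt.month, "wDayOfWeek": (dt.weekday() + 1) % 7,
            "wDay": dt.day, "wHour": dt.hour, "wMinute": dt.minute,
            "wSecond": dt.second, "wMilliseconds": rem // 10_000}

def local_string_to_unix(text: str, utc_offset_hours: int) -> int:
    """Parse the slide's string format ('01/01/2010 2:42 PM', local time) into UTC Unix seconds."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime.strptime(text, "%m/%d/%Y %I:%M %p").replace(tzinfo=tz).timestamp())

def tln_line(unix_time: int, source: str, system: str, user: str, description: str) -> str:
    """Build one TLN record; the description is free-form but must not contain the delimiter."""
    if "|" in description:
        raise ValueError("TLN description must not contain '|'")
    return "|".join((str(unix_time), source, system, user, description))

def parse_tln(line: str) -> dict:
    """Split a TLN record into its five fields (maxsplit=4 keeps the description whole)."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 pipe-delimited fields, got {len(parts)}")
    rec = dict(zip(TLN_FIELDS, parts))
    rec["time"] = int(rec["time"])
    return rec

# Constructed sample value: a FILETIME for 2010-01-01 14:42:00.1234567 UTC
SAMPLE_FILETIME = 129068305201234567

if __name__ == "__main__":
    secs, rem = filetime_to_unix(SAMPLE_FILETIME)
    print(tln_line(secs, "FILE", "Server", "User", "MFT times carry 100 ns; TLN keeps seconds"))
    print(f"sub-second ticks lost in TLN: {rem}")  # the precision time-stomping checks need
```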
Source Field
• FILE – file system create dates
• EVT – XP, 2000, 2003 event logs
• EVTX – Vista and 7 event logs
• REG – registry dates
• Etc.
System Field
• System name
• Host name
• IP address
• MAC address
User Field
• User associated with the event
• SID
• Users are often associated with registry
entries
Description Field
• Brief description
• Sufficient information to evaluate significance
• Can include spaces and special characters
• Just no “|”s
Creating Timelines
• Usually from an acquired image
• Sources
• Your system
• http://www.cfreds.nist.gov/Hacking_Case.html
• http://www.forensickb.com/2008/01/forensicpractical.html
– Have to convert E01 format to dd – Use FTK imager
• Requires
• ActiveState Perl 5.+
• Sleuthkit
File Meta-Data
Dead Box
• Use mmls to find partition
• C:\case>mmls -t dos -i raw WinSP2.001
• Use fls to extract file metadata
C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ > bodyfile.txt
• -o 63: sector offset of the partition reported by mmls
• -m C:\ use C:\ as the mount point in the output
• Extract relevant information from the bodyfile
• Use Carvey’s Perl script
C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
• -s Server adds the server’s name to the output (the TLN System field)
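As an added example (my own code, not Carvey's bodyfile.pl), the step that bodyfile.pl performs: each row of the bodyfile that fls -m writes (eleven pipe-delimited fields, the last four being atime, mtime, ctime, crtime as Unix seconds) becomes one TLN row per distinct timestamp, with source FILE and an MACB flag string in the description; the flag layout is my convention, not necessarily the script's. The merged rows are then sorted and, following the temporal proximity slide, each second is checked for how many distinct sources reference it. The bodyfile and registry rows are constructed samples.

```python
from collections import defaultdict

# Column order of the TSK 3.x bodyfile that `fls -m C:\ ...` writes (11 pipe-delimited fields)
BODY_COLS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
             "atime", "mtime", "ctime", "crtime")
# MACB letters in description order: Modified, Accessed, Changed (MFT entry), Born (created)
MACB = (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B"))

def bodyfile_to_tln(line: str, system: str, user: str = "") -> list[str]:
    """Turn one bodyfile row into TLN rows with source FILE, one per distinct timestamp."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_COLS):
        raise ValueError(f"expected {len(BODY_COLS)} bodyfile fields, got {len(parts)}")
    rec = dict(zip(BODY_COLS, parts))
    # fls -m C:\ writes names as 'C:\/dir/file'; turn that into a plain Windows path
    name = rec["name"].replace("\\/", "\\").replace("/", "\\")
    by_time = defaultdict(list)
    for col, letter in MACB:
        stamp = int(rec[col])
        if stamp > 0:                       # fls writes 0 for a timestamp it could not read
            by_time[stamp].append(letter)
    rows = []
    for stamp in sorted(by_time):
        flags = "".join(l if l in by_time[stamp] else "." for _, l in MACB)
        rows.append(f"{stamp}|FILE|{system}|{user}|{flags} {name}")
    return rows

def sort_timeline(tln_rows: list[str]) -> list[str]:
    """Order merged events.txt rows chronologically (then by source) for review."""
    return sorted(tln_rows, key=lambda r: (int(r.split("|", 1)[0]), r.split("|", 2)[1]))

def sources_per_second(tln_rows: list[str]) -> dict:
    """Temporal proximity check: which distinct sources corroborate each second."""
    refs = defaultdict(set)
    for row in tln_rows:
        stamp, source = row.split("|", 2)[:2]
        refs[int(stamp)].add(source)
    return dict(refs)

# Constructed sample rows (not from a real image): one fls bodyfile line and one regtime TLN line
SAMPLE_BODY = ("0|C:\\/Windows/System32/calc.exe|1234-128-1|r/rrwxrwxrwx|0|0|114688"
               "|1262356920|1262356920|1262356925|1262356920")
SAMPLE_REG = "1262356920|REG|Server|User|HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU"

if __name__ == "__main__":
    events = sort_timeline(bodyfile_to_tln(SAMPLE_BODY, "Server") + [SAMPLE_REG])
    for row in events:
        print(row)
    print({t: sorted(s) for t, s in sources_per_second(events).items()})
```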
File Meta-Data
Live System or Remotely Mounted
• Open FTK Imager
• Add image as an evidence item
• Right click on evidence item
• “Export Directory Listing”
• .csv file in case folder
The Directory Listing
Clean up the .csv File
• Change the root directory to C:\
• Make it pretty
• Save it as a tab-delimited .csv file
Into Bodyfile Format
• Have to use Carvey’s ftkparse.pl script
perl c:\bin\Carvey\ftkparse.pl live-dir.csv > livebodyfile.txt
Into TLN Format
• Have to use Carvey’s bodyfile.pl parser
perl C:\bin\carvey\bodyfile.pl -f bodyfile.txt -s LapTop > live-events.txt
Registry Data
• Registry key LastWrite times
• Contains a time line of user/system activity
• Some very useful tools
• regtime.pl
• regripper
Add Registry Data to the Time Line
• System configuration information
• Devices that have been connected
• WAPs that a laptop had been connected to
• Files accessed (MRU lists)
Timeline Tools
• RegTime
• Parses key LastWrite times for all allocated keys within
the specified hive file
regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
regtime -r System -m HKLM/System/ -s Server >> events.txt
Regripper
• Timeline tools
• Using RegRipper’s rip CLI utility
• Get System name:
C:\>rip -r System -p compname
• Parse UserAssist data:
C:\>rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
Note: A number of plugins output in TLN format
Event Logs into the TimeLine
• Windows XP Event Logs readily parsed
• Get
• AppEvent.evt, SysEvent.evt, SecEvent.evt
– Into the TimeLine
• evtparse -d <dir> >> events.txt
• Vista and Win 7
• Much more info
• Includes driver installations
– USBs, etc.
• C:\Windows\system32\winevt\Logs
Log Parser
• Log Parser is a good tool to parse Windows
Event Logs
• Example:
logparser -i:evt -o:csv "Select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings from System" > d:\case\system.txt
You can replace “System” (the live log) with “d:\case\system.evtx” or “d:\case\*.evtx” to parse exported log files
• Parse the output
evtxparse d:\case\system.txt >> events.txt