Timeline%20Analysis

1
Timeline Analysis

• Harlan Carvey Windows Forensic Analysis Toolkit,
  Chapter 7

2
Time Line Analysis

• Lists all system events, files, browser
  activities in chronological order
• Multiple data sources
• Multiple systems
• Becoming very important in forensic analysis
• Approaches
• Automatically gather everything
• Kristinn Gudjonsson log2timeline
• Pick and choose
• Harlan Carvey This presentation

3
Carveys Approach

• Command line driven
• Multiple tools
• Guided by the objectives of the investigation
• Looking for system files with date/time info
• Biggest is in the MFT
• STANDARD_INFORMATION attribute
• Event logs
• Registry every entry has time associated with
  it
• Browser logs

4
Get the Right Tools

• Windows Forensic Analysis Toolkit
• Harlan Carveys book
• Emphasis is on Windows 7
• Get his tools for the book here
• http//code.google.com/p/winforensicaanalysis/down
  loads/list
• Sleuthkit
• Fls
• FTK Imager

5
(No Transcript)
6
Temporal Proximity

• The more current the time info is the more
  accurate it may be
• Because times may be altered multiple references
  to a particular time will increase the confidence
  in that time

7
TLN Format

• Pipe delimited text file
• 5 fields
• Time Source System User Description
• Easy to parse
• The user and description fields are relatively
  free form

8
Time Field

• 32-bit Unix time format
• UTC
• Granularity to the second
• Not sufficient for time stomping analysis base of
  MFT times

9
Time Formats

• 64-bit FILETIME (UTC)
• Number of 100 nanosecond intervals since 1/1/1601
• 32-bit Unix time format (UTC)
• Number of seconds since 1/1/1970
• String based format (local time)
• 01/01/2010 242 PM
• SYSTEMTIME (local time)
• Used some registry entries and some XP times

10
Time FormatMost often used in Windows
typedef struct _FILETIME DWORD
dwLowDateTime DWORD dwHighDateTime
FILETIME, PFILETIME
BOOL WINAPI FileTimeToSystemTime( _In_   const
FILETIME lpFileTime, _Out_  LPSYSTEMTIME
lpSystemTime )
typedef struct _SYSTEMTIME WORD wYear WORD
wMonth WORD wDayOfWeek WORD wDay WORD
wHour WORD wMinute WORD wSecond WORD
wMilliseconds SYSTEMTIME, PSYSTEMTIME
11
Source Field

• FILE file system create dates
• EVT XP, 2000, 2003 event logs
• EVTX Vista and 7 event logs
• REG registry dates
• Etc.

12
System Field

• System name
• Host name
• IP Address
• MAC Address

13
User Field

• User associated with the event
• SID
• Users are often associated with registry entries

14
Description Field

• Brief description
• Sufficient information to evaluate significance
• Can include spaces and special characters
• Just no s

15
Creating Timelines

• Usually from an acquired image
• Sources
• Your system
• http//www.cfreds.nist.gov/Hacking_Case.html
• http//www.forensickb.com/2008/01/forensic-practic
  al.html
• Have to convert E01 format to dd Use FTK imager
• Requires
• ActiveState Perl 5.
• Sleuthkit

16
File Meta-DataDead Box

• Use mmls to find partition
• C\casegtmmls t dos i raw WinSP2.001
• Use fls to extract file metadata
• C\casegtfls i raw o 63 f ntfs r p -m C\ gt
  bodyfile.txt
• -m C\ use C\ as the mount point in the output
• Extract relevant information from the bodyfile
• Use Carveys Perl script
• C\casegtperl bodyfile.pl f bodyfile.txt s
  Server gt events.txt
• -s Server adds the servers name to output

17
File Meta-DataLive System or Remotely Mounted

• Open FTK Imager
• Add image as an evidence item
• Right click on evidence item
• Export Directory Listing
• .csv file in case folder

18
The Directory Listing
19
Clean up the .csv File

• Change the root directory to C\
• Make it pretty
• Save it as a tab delimited .cvs file

20
Into Bodyfile Format

• Have to use Carveys ftkparse.pl script
• Perl c\bin\Carvey\ftkparse.pl live-dir.csv gt
  live-bodyfile.txt

21
Into TLN Format

• Have to use Carveys bodyfile.pl paraser
• Perl C\bin\carvey\bodyfile f bodyfile.txt s
  LapTop gt live-events.txt

22
Registry Data

• Registry key LastWrite times
• Contains a time line of user/system activity
• Some very useful tools
• regtime.Pl
• regripper

23
Add Registry Data to the Time Line

• System config in formation
• Devices that have been connected
• WAPs that a laptop had been connected to
• Files accessed (MRU lists)

24
Timeline Tools

• RegTime
• Parses key LastWrite times for all allocated keys
  within the specified hive file
• Regtime r NTUSER.DAT m HKCU/ -s Server u User
  gtgt events.txt
• Regtime r System m HKLM/System/ -s Server gtgt
  events.txt

25
Regripper

• Timeline tools
• Using RegRippers rip CLI utility
• Get System name
• C\rip r System p compname
• Parse UserAssist data
• C\rip r NTUSER.DAT p userassist_tln s
  Server
• u User gtgt events.txt

Note A number of plugins output in TLN format
26
Event Logs into the TimeLine

• Windows XP Event Logs readily parsed
• Get
• AppEvent.evt, SysEvent.evt, SecEvent.ect
• Into the TimeLine
• Evtparse d ltdirgt gtgt events.txt
• Vista and Win 7
• Much more info
• Includes driver installations
• USBs, etc.
• C\Windows\system32\winevt\Logs

27
Log Parser

• Log Parser is a good tool to parse Windows Event
  Logs
• Example
• Logparser ievt oscv elect RecordNumber,TO_UTC
  TIME(TimeGeneratde),EventID,SourceName,Strings
  from System gt d\case\system.txt
• You can replace System with d\case\system.evtx
  or d\case\.evtx
• Parse the output
• Evtxparsed \case\system.txt gtgt events.txt