Timeline Analysis – Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7
Post on 21-Dec-2015
Timeline Analysis
Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7
Time Line Analysis
• Lists all system events, files, browser activities in chronological order
• Multiple data sources
• Multiple systems
• Becoming very important in forensic analysis
• Approaches
  – Automatically gather everything: Kristinn Gudjonsson, log2timeline
  – Pick and choose: Harlan Carvey, this presentation
Carvey’s Approach
• Command line driven
• Multiple tools
• Guided by the objectives of the investigation
• Looking for system files with date/time info
  – Biggest is in the MFT: the $STANDARD_INFORMATION attribute
• Event logs
• Registry: every entry has a time associated with it
• Browser logs
Get the Right Tools
• Windows Forensic Analysis Toolkit
  – Harlan Carvey’s book
  – Emphasis is on Windows 7
  – Get his tools for the book here: http://code.google.com/p/winforensicaanalysis/downloads/list
• Sleuthkit
  – fls
• FTK Imager
Temporal Proximity
• The more current the time info is, the more accurate it may be
• Because times may be altered, multiple references to a particular time increase the confidence in that time
TLN Format
• Pipe “|” delimited text file
• 5 fields
  – Time | Source | System | User | Description
• Easy to parse
• The user and description fields are relatively free form
Time Field
• 32-bit Unix time format
• UTC
• Granularity to the second
• Not sufficient for time stomping analysis based on MFT times
Time Formats
• 64-bit FILETIME (UTC)
  – Number of 100 nanosecond intervals since 1/1/1601
• 32-bit Unix time format (UTC)
  – Number of seconds since 1/1/1970
• String based format (local time)
  – 01/01/2010 2:42 PM
• SYSTEMTIME (local time)
  – Used in some registry entries and some XP times
Time Format Most Often Used in Windows

    typedef struct _FILETIME {
        DWORD dwLowDateTime;
        DWORD dwHighDateTime;
    } FILETIME, *PFILETIME;

    BOOL WINAPI FileTimeToSystemTime(
        _In_  const FILETIME *lpFileTime,
        _Out_ LPSYSTEMTIME    lpSystemTime
    );

    typedef struct _SYSTEMTIME {
        WORD wYear;
        WORD wMonth;
        WORD wDayOfWeek;
        WORD wDay;
        WORD wHour;
        WORD wMinute;
        WORD wSecond;
        WORD wMilliseconds;
    } SYSTEMTIME, *PSYSTEMTIME;
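The two Windows structures above, decoded into the 32-bit Unix time the TLN time field carries. This is an added example, not from the slides or Carvey's tools; the sample values are constructed, and it shows what the one-second granularity throws away (the sub-second remainder of a FILETIME), which is why TLN alone cannot support MFT time-stomping analysis.

```python
import struct
from datetime import datetime, timezone

# 1601-01-01 to 1970-01-01 in 100-nanosecond intervals (0x019DB1DED53E8000).
EPOCH_DIFF_100NS = 116444736000000000


def filetime_to_unix(raw8):
    """Decode a little-endian FILETIME (dwLowDateTime, then dwHighDateTime)
    into (unix_seconds, remainder_100ns). TLN keeps only the first value."""
    low, high = struct.unpack("<II", raw8)
    unix_100ns = ((high << 32) | low) - EPOCH_DIFF_100NS
    return unix_100ns // 10_000_000, unix_100ns % 10_000_000


def pack_filetime(unix_seconds, remainder_100ns=0):
    """Inverse of filetime_to_unix; used here to build constructed samples."""
    ft = unix_seconds * 10_000_000 + remainder_100ns + EPOCH_DIFF_100NS
    return struct.pack("<II", ft & 0xFFFFFFFF, ft >> 32)


def systemtime_to_unix(raw16):
    """Decode a 16-byte SYSTEMTIME (eight WORDs), assumed to be UTC, into
    Unix seconds. wDayOfWeek and wMilliseconds are dropped, as in TLN."""
    year, month, _dow, day, hour, minute, second, _ms = struct.unpack("<8H", raw16)
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp())


def same_second(ft_a, ft_b):
    """Report whether two FILETIMEs collapse to the same TLN second, and the
    sub-second gap (in 100ns units) that the timeline would hide."""
    sec_a, rem_a = filetime_to_unix(ft_a)
    sec_b, rem_b = filetime_to_unix(ft_b)
    return sec_a == sec_b, abs(rem_a - rem_b)


if __name__ == "__main__":
    # Constructed: 2010-01-01 14:42:00 UTC, as a FILETIME with 0.1234567 s extra
    ft = pack_filetime(1262356920, 1_234_567)
    print(filetime_to_unix(ft))                               # (1262356920, 1234567)
    print(same_second(ft, pack_filetime(1262356920, 0)))      # (True, 1234567)
```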
Source Field
• FILE – file system create dates
• EVT – XP, 2000, 2003 event logs
• EVTX – Vista and 7 event logs
• REG – registry dates
• Etc.
System Field
• System name
• Host name
• IP Address
• MAC Address
User Field
• User associated with the event
• SID
• Users are often associated with registry entries
Description Field
• Brief description
• Sufficient information to evaluate significance
• Can include spaces and special characters
• Just no “|”s
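A small TLN reader covering the five fields just described and the temporal-proximity rule from earlier: it merges events from several sources or systems into one chronological list and flags seconds that more than one independent source references. Added example, not the slides' or Carvey's code; the TLN lines are constructed (the SID, prefetch name and GUID are placeholders).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed TLN input: Time|Source|System|User|Description, plus one bad line.
SAMPLE_TLN = """\
1262356920|FILE|Server|-|M... C:/Windows/Prefetch/CMD.EXE-XXXXXXXX.pf
1262356920|REG|Server|S-1-5-21-1-2-3-1000|UserAssist - {GUID}/cmd.exe (1)
1262356800|EVTX|Server|-|System/4624; Logon successful
bad line without enough fields
1262357000|FILE|LapTop|-|..B. C:/Users/bob/Downloads/tool.exe
"""

FIELDS = ("time", "source", "system", "user", "description")


def parse_tln(text):
    """Split pipe-delimited TLN lines into dicts and skip malformed ones.
    A '|' inside the description changes the field count, which is why the
    format forbids it there."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        ev = dict(zip(FIELDS, parts))
        ev["time"] = int(ev["time"])
        events.append(ev)
    return events


def merge_timeline(*tln_texts):
    """Merge several TLN files (different sources or systems) into one
    chronological list; the sort is stable within the same second."""
    merged = []
    for text in tln_texts:
        merged.extend(parse_tln(text))
    merged.sort(key=lambda e: e["time"])
    return merged


def corroborated(events):
    """Temporal proximity: seconds referenced by more than one source.
    Independent references make an altered timestamp less likely."""
    by_time = defaultdict(set)
    for e in events:
        by_time[e["time"]].add(e["source"])
    return {t: srcs for t, srcs in by_time.items() if len(srcs) > 1}


def render(ev):
    """One human-readable timeline row with the Unix time shown in UTC."""
    ts = datetime.fromtimestamp(ev["time"], tz=timezone.utc)
    return f"{ts:%Y-%m-%d %H:%M:%S}Z {ev['source']:<5} {ev['system']:<8} {ev['user']:<22} {ev['description']}"
```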
Creating Timelines
• Usually from an acquired image
• Sources
  – Your system
  – http://www.cfreds.nist.gov/Hacking_Case.html
  – http://www.forensickb.com/2008/01/forensic-practical.html
    • Have to convert E01 format to dd; use FTK Imager
• Requires
  – ActiveState Perl 5.+
  – Sleuthkit
File Meta-Data: Dead Box
• Use mmls to find the partition
    C:\case>mmls -t dos -i raw WinSP2.001
• Use fls to extract file metadata
    C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ > bodyfile.txt
  – -m C:\ uses C:\ as the mount point in the output
• Extract relevant information from the bodyfile
• Use Carvey’s Perl script
    C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
  – -s Server adds the server’s name to the output
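What the bodyfile.pl step does, written out as an added example (my own code, not Carvey's script): each TSK 3.x bodyfile record carries four timestamps, and the converter emits one TLN line per distinct second with MACB flags showing which of mtime/atime/ctime/crtime fall in it, tagged with the -s server name. The bodyfile records below are constructed, with paths already prefixed by fls -m C:\.

```python
# Constructed bodyfile lines in the TSK 3.x layout:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592|1262356920|1262300000|1262300000|1262300000
0|C:/Users/bob/Downloads/tool.exe|5678-128-3|r/rrwxrwxrwx|0|0|40960|1262357000|1262357000|1262357000|1262357000
0|C:/Users/bob/Desktop/notes.txt|9999-128-1|r/rrwxrwxrwx|0|0|12|0|1262356000|1262356100|0
"""


def bodyfile_to_tln(text, server="Server", user="-"):
    """Convert bodyfile records to TLN lines: time|FILE|server|user|MACB path.
    Timestamps of 0 are skipped (unset), as is any line that does not have
    the 11 bodyfile fields. Output is sorted by the 32-bit Unix time."""
    out = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue
        name = f[1]
        # Column order in the bodyfile is atime, mtime, ctime, crtime.
        stamps = {"M": f[8], "A": f[7], "C": f[9], "B": f[10]}
        by_second = {}
        for flag, value in stamps.items():
            if value.isdigit() and int(value) > 0:
                by_second.setdefault(int(value), set()).add(flag)
        for second, flags in sorted(by_second.items()):
            macb = "".join(ch if ch in flags else "." for ch in "MACB")
            out.append(f"{second}|FILE|{server}|{user}|{macb} {name}")
    return sorted(out, key=lambda s: int(s.split("|", 1)[0]))


if __name__ == "__main__":
    for row in bodyfile_to_tln(SAMPLE_BODYFILE, server="Server"):
        print(row)
```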
File Meta-Data: Live System or Remotely Mounted
• Open FTK Imager
• Add image as an evidence item
• Right click on evidence item
  – “Export Directory Listing”
  – .csv file in case folder
The Directory Listing
Clean up the .csv File
• Change the root directory to C:\
• Make it pretty
• Save it as a tab delimited .csv file
Into Bodyfile Format
• Have to use Carvey’s ftkparse.pl script
    perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt
Into TLN Format
• Have to use Carvey’s bodyfile.pl parser
    perl C:\bin\carvey\bodyfile.pl -f bodyfile.txt -s LapTop > live-events.txt
Registry Data
• Registry key LastWrite times
• Contains a time line of user/system activity
• Some very useful tools
  – regtime.pl
  – RegRipper
Add Registry Data to the Time Line
• System config information
• Devices that have been connected
• WAPs that a laptop had been connected to
• Files accessed (MRU lists)
Timeline Tools
• RegTime
  – Parses key LastWrite times for all allocated keys within the specified hive file
    regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
    regtime -r System -m HKLM/System/ -s Server >> events.txt
RegRipper
• Timeline tools
• Using RegRipper’s rip CLI utility
  – Get System name:
    C:\rip -r System -p compname
  – Parse UserAssist data:
    C:\rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
Note: A number of plugins output in TLN format
Event Logs into the Timeline
• Windows XP Event Logs readily parsed
  – Get AppEvent.evt, SysEvent.evt, SecEvent.evt
  – Into the timeline:
    evtparse -d <dir> >> events.txt
• Vista and Win 7
  – Much more info
  – Includes driver installations (USBs, etc.)
  – C:\Windows\system32\winevt\Logs
Log Parser
• Log Parser is a good tool to parse Windows Event Logs
• Example:
    logparser -i:evt -o:csv "SELECT RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings FROM System" > d:\case\system.txt
  You can replace “System” with “d:\case\system.evtx” or “d:\case\*.evtx”
• Parse the output
    evtxparse d:\case\system.txt >> events.txt