Using timeline analysis during investigations can be extremely useful yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts). By solely depending on traditional filesystem timeline you may miss some context that is necessary to get a complete picture of what really happened. So to get "the big picture", or a complete and accurate description we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis. These artifacts or log files could reside on the suspect system itself or in another device, such as a firewall or a proxy (or any other device that logs down information that might be relevant to the investigation).
Unfortunately there are few tools out there that can parse and produce body files from the various artifacts found on different operating systems to include with the traditional filesystem analysis. A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan Farmer) and later mac-daddy (Rob Lee). Harlan Carvey has been working on some scripts for the Windows platform to accomplish this, such as regtime.pl to create a body file from the registry. Usually these tools are build specifically to parse a single file/artifact that is of a particular format (such as a tool just to produce a body file from restore points). I've released some tools like that, as well as H. Carvey and others. I know of one attempt to create a framework to correlate different artifacts into a timeline, a project called Ex-Tip, by Mike Cloppert. There is a GCFA gold paper describing the framework as well as a blog post on the SANS blog. This project was started in May 2008, but unfortunately hasn't been maintained since then. Instead of extending that project I decided to start my own, that is to add a tool that can correlate information found inside different log files and artifacts into the traditional timeline analysis. The idea with this tool is to create a framework that can be easily extended to add new log parsers or new output plugins. For the framework to be useful I wanted to be able to easily integrate this tool into already existing tools that deal with timeline analysis, so I chose to implement an output plugin that produces timelines in a mactime body format, to be used with the tool mactime from TSK (The SleuthKit). This tool is called log2timeline and already supports incorporating 12 different log files/artifacts into the timeline.
- Prefetch directory (reads the content of the directory and parses files found inside)
- UserAssist key info (reads the NTUSER.DAT user registry file to parse the content of UserAssist keys)
- Squid access logs (with emulate_httpd_log off)
- Restore points (reads the content of the directory and parses rp.log file inside each restore point)
- Windows shortcut files (LNK)
- Firefox 3 history file (places.sqlite)
- Windows Recycle Bin (INFO2)
- Windows IIS W3C log files
- OpenXML Metadata (for metadata inside Office 2007 documents)
- ISA Server text export from queries (saved to clipboard and from there to a text file)
- TLN (Timeline) body file
- Mactime body file (so it can be output in a different format)
To show an example of the usage of the tool, let's follow this scenario:
You are working for corporation X. You have been approached by a member of the HR team as well as the legal team. You are supposed to examine the workstation of one of the employees, a man named Joe. He is suspected of reading documents that he is not allowed to do (a document named "Very secret document.txt" and "Not to be seen document.txt") as well as to delete one of those documents. He might as well have installed a wiping software on his machine. According to corporate policies users are not allowed to install software on their machine (although they have the rights to do so, as they are members of the Administrator group on their workstations) and Internet Explorer is the only allowed browser.
First of all you need to start thinking about this particular case, that is:
- What are you asked to find? (what questions to answer)
- What data do you need to examine to answer those questions?
- How do we extract that data?
- What does that data tell you?
So for this particular case we have the following. We are asked to answer these questions;
- Did the user Joe read the documents "Very secret document.txt" and "Not to be seen document.txt"
- Did the user Joe delete one of those documents
- Did user Joe install a software designed to wipe documents
Next we need to find out what data we need to extract to get those information as well as to ask ourself what that data tells us. For this particular case we would need the following (at least to begin with):
- Examine MACB times of the documents in question (they are stored inside "My Documents" folder of the user Administrator). Since we know by talking to the user Administrator, he has not logged on to the machine since the alleged policy violation occurred so last access time to the documents might indicate that someone read them.
- Examine timeline of the user Joe. This could tell us what the user was doing on the day in question (4th of August)
- Extract information found inside the Windows Prefetch folder. This could tell us the last time a particular software was started, possibly indicating that a wiping software had been used or a software to read the text documents in question
- Examine the Recycle Bin for deleted documents. It is possible that the document that is suspected of being deleted still sits in the Recycle Bin
- Examine deleted documents from the unallocated space. See if we can find traces of the file on the unallocated space of the hard drive, indicating that it had been deleted.
- Examine we history of user Joe. There is a suspicion that he installed a wiping software, so examining the web history could lead us to such activity
- Examine the Windows shortcut files that are created inside Recent Documents folder of the user Joe. This folder contains shortcut files (LNK) that point to the documents that are last opened by the user, possibly indicating that the user Joe opened the document in question (if the user did not delete the shortcut files after the fact).
- Examine the registry file of the user Joe. The registry contains wealth of information, so examining that could give us clues about the behavior of the user Joe.
- And most likely some other clues, such as examining system registry, event logs, etc.
Tomorrow we will explore this particular hypothetical case in more detail, using the tool log2timeline to create a timeline and analyze it.
