log2timeline Since 2009 - SANS
<strong>log2timeline</strong><br />
- helping you to create super timelines since <strong>2009</strong> -<br />
Kristinn Guðjónsson<br />
The 2011 Digital Forensics and Incident Response Summit<br />
Austin, TX, 2011
<strong>SANS</strong> 2011 Digital Forensics and Incident Response Summit<br />
Who am I?<br />
M.Sc. in computer and communication network engineering<br />
Worked in forensics and information security since 2005<br />
<strong>SANS</strong> certifications: GCIA, GCIH, GCFA gold<br />
<strong>SANS</strong> mentor<br />
Author of <strong>log2timeline</strong><br />
Blog author at the <strong>SANS</strong> forensics blog<br />
Author of the blog: blog.kiddaland.net
Super Timeline?<br />
List of timestamps with associated data<br />
Extracted from multiple sources<br />
Filesystem<br />
Registry (Windows)<br />
Why?<br />
We are trying to tell a story.<br />
Temporal proximity.<br />
Data correlation.
Example Super Timeline<br />
Date Description<br />
Fri Jan 16 <strong>2009</strong> 23:15:20<br />
Fri Jan 16 <strong>2009</strong> 23:18:10<br />
Fri Jan 16 <strong>2009</strong> 23:18:15<br />
Fri Jan 16 <strong>2009</strong> 23:18:19<br />
Fri Jan 16 <strong>2009</strong> 23:18:19<br />
Fri Jan 16 <strong>2009</strong> 23:18:26<br />
[SetupAPI Log] (Entry written) DriverContext: Reported hardware ID(s) from device parent bus. <br />
[USBSTOR/DISK&VEN_M-SYS&PROD_DELL_MEMORY_KEY&REV_4.50/086086412140E1C2&0<br />
[USBSTOR/DISK&VEN_M-SYS&PROD_DELL_MEMORY_KEY&REV_4.50/086086412140E1C2&0]. Warning:<br />
[STORAGE/RemovableMedia/7&1ad0a3a9&0&RM<br />
[Shortcut LNK] (Modified/Access/Created) E:/Blue Harvest Business Plan v1.doc
Brief History<br />
aka the killer dwarf release
Version 0.60 - today<br />
Engine rewritten<br />
Front-end separated<br />
Logic in engine<br />
More of an object-oriented approach<br />
Input modules inherit parent module<br />
Makes it easier to add modules<br />
Pre-processing libraries introduced.<br />
New modules and other enhancements.
Version 0.60<br />
43 input modules<br />
11 output modules<br />
2 pre-processing modules<br />
Input modules: apache2_access apache2_error chrome encase_dirlisting evt/evtx exif ff_bookmark firefox2 firefox3 ftk_dirlisting generic_linux iehistory iis isatxt jp_ntfs_change mactime mcafee mft mssql_errlog ntuser opera oxml pcap pdf prefetch recycler restore safari sam security setupapi skype_sql software sol squid syslog system tln volatility win_link wmiprov xpfirewall
Changes in Structure<br />
Prior versions<br />
Logic in front-end<br />
Code replicated in different front-ends<br />
Input modules opened files<br />
Each file opened twice<br />
New structure<br />
Engine separated, logic there<br />
Front-end parses parameters<br />
Engine opens files
How to Create a Front-end?<br />
#!/usr/bin/perl<br />
use Log2Timeline; # import the library that contains the log2timeline engine<br />
my $l = Log2Timeline->new(<br />
'file' => '/mnt/analyze', # point to the file/directory to parse (key name assumed; lost in extraction)<br />
'recursive' => 1, # we want to recursively go through stuff (key name assumed; lost in extraction)<br />
#'hostname' => '', # to include a hostname (done in preprocessing)<br />
'input' => 'winxp', # which input modules to use (this is a Win XP machine)<br />
'output' => 'csv', # what is the output module to be used<br />
#'offset' => 0, # the time offset (if the time is wrong)<br />
#'exclusions' => '', # an exclusion list if one exists<br />
#'text' => '', # text to prepend to path of files (like c:)<br />
#'append' => 0, # we are appending to an output file, instead of writing a new one<br />
'time_zone' => 'CST6CDT', # the time zone of the image<br />
'preprocess' => 1, # turn on pre-processing modules<br />
) or die( 'unable to start log2timeline');<br />
$l->start;<br />
# the engine hands each finished timeline line to this callback in the front-end<br />
sub print_line($)<br />
{<br />
my $line = shift;<br />
print $line;<br />
}
Pre-Processing<br />
Gather information prior to running<br />
Not associated with timestamps<br />
Share information with input modules<br />
Two simple modules added<br />
Time zone settings and hostname<br />
Default browser, both system and user
Pre-Processing<br />
<strong>log2timeline</strong> -f winxp -z EST5EDT -m C: -r -p . > /cases/bodyfile<br />
Start processing file/dir [.] ...<br />
Starting to parse using input modules(s): [winxp]<br />
[PreProcessing] The default browser of user smith according to registry is: (FIREFOX.EXE)<br />
[PreProcessing] Unable to determine the default browser for user default user<br />
[PreProcessing] Unable to determine the default browser for user networkservice<br />
[PreProcessing] Unable to determine the default browser for user localservice<br />
[PreProcessing] Hostname is set to SIMTTO-LAPTOP<br />
[PreProcessing] The timezone according to registry is: (USMST) US Mountain Standard Time<br />
[PreProcessing] The timezone settings are NOT overwritten so the settings might have to be adjusted.<br />
[PreProcessing] The default system browser is: : IEXPLORE.EXE ("C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome)<br />
Loading output file: csv
Pre-Processing<br />
date time sourcetype user desc notes<br />
5/13/11 3:39:57 Internet Explorer smith<br />
5/13/11 3:39:57 Internet Explorer smith URL::Host: My Computer<br />
10/22/09 15:25:52 Firefox 3 history smith<br />
URL:file:///C:/Documents%20and%20Settings/smith/My%20Documents/THIS_IS_THE_DOCUMENT.txt<br />
Bookmark URL Karadzic plans to boycott trial (http://news.bbc.co.uk/go/rss/-/2/hi/europe/8319869.stm) [8319869.stm] count 0<br />
Not the default browser (FIREFOX.EXE)<br />
Not the default browser (FIREFOX.EXE)<br />
Default browser for user
Registry Parsing<br />
Old userassist changed to ntuser<br />
Behavior changed<br />
All keys inside a hive parsed<br />
Includes code from RegRipper<br />
And regtime<br />
Added modules to parse<br />
SYSTEM<br />
SOFTWARE<br />
SAM<br />
SECURITY
Filesystem Parser - $MFT<br />
Ported analyzeMFT into <strong>log2timeline</strong><br />
Thanks to David Kovar for allowing me to do that<br />
$STDINFO and $FILENAME timestamps<br />
included<br />
Simple timestamp manipulation detection<br />
Prone to false positives/negatives
Is There More New Stuff?<br />
Very simple first version of a Skype parser<br />
Only works on the SQLite database<br />
Grabs basic chat information<br />
Module to parse the output from jp<br />
Parses the NTFS change log<br />
Default output is now CSV<br />
Bug fixes and minor improvements<br />
date time sourcetype type user desc<br />
2/12/10 14:39:47 Skype History Chat Sent Kristinn Gudjonsson () MSG written to Rob Lee (): this is the chat (edited)<br />
1/18/10 22:35:35 Skype History Chat Sent Kristinn Gudjonsson () MSG written to Rob Lee ():
ohh and one more thing<br />
Version 0.60 now works on Windows<br />
Instructions on how to install in docs/INSTALL<br />
Thanks to Chris Pogue for creating the install documentation
super timelines?
Extraction Process<br />
Pretty tedious task<br />
Bunch of commands need to be issued<br />
Possible to write a script to make life easier<br />
Things can be simplified<br />
Remember the new structure of the front-end?<br />
And the new modules that are available?
The old method<br />
timescanner -z ZONE -d MNTPOINT -w BODYFILE<br />
fls -r -m C: IMAGE >> BODYFILE<br />
regtime.pl -m HKLM-SYSTEM -r MNTPOINT/WINDOWS/System32/config/system >> BODYFILE<br />
regtime.pl -m HKLM-SAM -r MNTPOINT/WINDOWS/System32/config/SAM >> BODYFILE<br />
regtime.pl -m HKLM-SECURITY -r MNTPOINT/WINDOWS/System32/config/SECURITY >> BODYFILE<br />
regtime.pl -m HKLM-SOFTWARE -r MNTPOINT/WINDOWS/System32/config/software >> BODYFILE<br />
mactime -d -b BODYFILE -z ZONE DATE_RANGE > CSVFILE
The new (although manual)<br />
ntfs-3g does not show the $MFT file<br />
Need to extract the $MFT<br />
icat myimage.dd 0 > myimage.mft<br />
log2timeline -f mft -z EST5EDT -m C: -w /cases/bodyfile.txt<br />
log2timeline -f winxp -z EST5EDT -m C: -r -p /mnt/windows_mount -w /cases/bodyfile.txt<br />
l2t_process -b /cases/bodyfile.txt 01-15-2010..01-25-2010 > /cases/timeline.txt
The new (automated SIFT)<br />
Simple frontend created: <strong>log2timeline</strong>-sift<br />
Included in the extra folder<br />
Can be installed easily<br />
apt-get install <strong>log2timeline</strong>-sift-perl<br />
Options:<br />
-i IMAGE_FILE<br />
-c CONF (default /etc/<strong>log2timeline</strong>/sift.conf)<br />
-z ZONE<br />
-w (is a Windows 7)<br />
-p NR
log2timeline-sift<br />
To extract the super timeline using the script<br />
Creates a folder called /cases/timeline<br />
Partition image (not a whole disk image)<br />
log2timeline-sift -z EST5EDT -p 0 xp_dblake.dd<br />
Disk image:<br />
log2timeline-sift -z EST5EDT disk_image.dd
log2timeline-sift<br />
Sample run<br />
<strong>log2timeline</strong>-sift.pl -z EST5EDT -i /images/xp_dblake.dd -p 0<br />
Image file (/images/xp_dblake.dd) has not been mounted. Do you want me to mount it for<br />
you? [y|n]: y<br />
This is a partition image, let's attempt mounting it directly.<br />
Image file mounted successfully as /mnt/windows_mount<br />
Loading output file: csv<br />
[PreProcessing] Unable to determine the default browser for user donald blake<br />
[PreProcessing] Unable to determine the default browser for user default user<br />
[PreProcessing] Unable to determine the default browser for user networkservice<br />
[PreProcessing] Unable to determine the default browser for user localservice<br />
[PreProcessing] Hostname is set to ASGARD<br />
[PreProcessing] The timezone according to registry is: (EST) Eastern Standard Time<br />
[PreProcessing] The timezone settings are NOT overwritten so the settings might have to be adjusted.<br />
[PreProcessing] The default system browser is: : IEXPLORE.EXE ("C:\Program Files\Internet Explorer\iexplore.exe" -nohome)<br />
Loading output file: csv
and then what?
Life After Collection<br />
Normal super timeline contains a LOT of data<br />
Finally we have something to spend time on<br />
Necessary to reduce the dataset<br />
How?<br />
Read at the speed of light<br />
Use mactime output and the script mactime<br />
Load everything into Excel and pray<br />
Use databases or Splunk<br />
The good ol' grep method<br />
grep \/1[2-9]\ timeline.txt
Is There a Life After Collection?<br />
l2t_process added to meet this demand<br />
Included with <strong>log2timeline</strong><br />
Works in a similar fashion as mactime<br />
Parses the CSV and TAB format of <strong>log2timeline</strong>
l2t_process<br />
Usage<br />
l2t_process -b BODYFILE [-w white] [-k dirty] [DATE_RANGE]<br />
What does it do you ask?<br />
Sort entries based on time<br />
Filter based on date range<br />
Removes duplicate entries<br />
Compare entries to a keyword or whitelist file<br />
Create scatter plots
l2t_process - keyword<br />
$ cat keyfile<br />
this_is_the<br />
$ l2t_process -b timeline.txt -k keyfile > time_key.txt<br />
Building keyword list...DONE (1 keywords loaded)<br />
Total number of events that fit into the filter (got printed) = 16<br />
Total number of duplicate entries removed = 3<br />
Total number of events skipped due to keyword filtering = 1281973<br />
Total number of processed entries = 1281989<br />
Run time of the tool: 36 sec<br />
$ cat time_key.txt<br />
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra<br />
04/20/2011,08:06:32,EST5EDT,...B,FILE,NTFS $MFT,$SI [...B] time,-,-,c:/Documents and Settings/smith/My Documents/THIS_IS_THE_DOCUMENT.txt,{SUSP ENTRY - timestomp? - second prec. $SI [MACB] FN rec AFTER SI rec} c:/Documents and Settings/smith/My Documents/THIS_IS_THE_DOCUMENT.txt,2,c:/Documents and Settings/smith/My Documents/THIS_IS_THE_DOCUMENT.txt,18113,-,Log2t::input::mft,-
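The filtering l2t_process performs, as an added example in Python rather than the tool's own Perl (this is not code from log2timeline): it reads the 17-column CSV layout shown above, applies the date range, keyword and whitelist rules, drops duplicates and sorts by time. The sample rows, the dedup key and the statistic names are constructed here as assumptions.

```python
import csv
from datetime import datetime

HEADER = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type", "user",
          "host", "short", "desc", "version", "filename", "inode", "notes", "format", "extra"]

# Constructed sample rows in log2timeline's 17-column CSV layout (not from a real case).
DOC = "c:/Documents and Settings/smith/My Documents/THIS_IS_THE_DOCUMENT.txt"
NOTE = "{SUSP ENTRY - timestomp? - second prec. $SI [MACB] FN rec AFTER SI rec}"
MFT_ROW = ["04/20/2011", "08:06:32", "EST5EDT", "...B", "FILE", "NTFS $MFT", "$SI [...B] time",
           "-", "-", DOC, NOTE + " " + DOC, "2", DOC, "18113", "-", "Log2t::input::mft", "-"]
WEB_ROW = ["04/19/2011", "23:59:59", "EST5EDT", ".A..", "WEBHIST", "Firefox 3 history",
           "URL visited", "smith", "-", "bbc", "URL: http://news.bbc.co.uk/", "2",
           "places.sqlite", "-", "-", "Log2t::input::firefox3", "-"]
IE_ROW = ["05/13/2011", "03:39:57", "EST5EDT", ".A..", "WEBHIST", "Internet Explorer",
          "URL visited", "smith", "-", "host", "URL::Host: My Computer", "2",
          "index.dat", "-", "-", "Log2t::input::iehistory", "-"]
# The $MFT row is listed twice on purpose: that is the duplicate l2t_process removes.
SAMPLE_CSV = "\n".join(",".join(r) for r in [HEADER, MFT_ROW, MFT_ROW, WEB_ROW, IE_ROW])


def process(text, date_range=None, keywords=(), whitelist=()):
    """Parse, date-range filter, whitelist, keyword filter, dedup and sort, like l2t_process.
    date_range is MM-DD-YYYY..MM-DD-YYYY; keyword/whitelist terms match anywhere in the line."""
    lo = hi = None
    if date_range:
        lo, hi = (datetime.strptime(d, "%m-%d-%Y") for d in date_range.split(".."))
        hi = hi.replace(hour=23, minute=59, second=59)      # range end is inclusive
    stats = {"printed": 0, "duplicates": 0, "keyword_skipped": 0, "processed": 0}
    seen, kept = set(), []
    for row in csv.DictReader(text.splitlines()):
        stats["processed"] += 1
        when = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        if lo is not None and not lo <= when <= hi:
            continue
        line = ",".join(row.values()).lower()
        if any(w.lower() in line for w in whitelist):
            continue                                         # known-good, dropped silently
        if keywords and not any(k.lower() in line for k in keywords):
            stats["keyword_skipped"] += 1
            continue
        key = (when, row["source"], row["desc"], row["filename"])
        if key in seen:
            stats["duplicates"] += 1
            continue
        seen.add(key)
        kept.append((when, row))
    kept.sort(key=lambda item: item[0])                     # mactime-style time ordering
    stats["printed"] = len(kept)
    return [row for _, row in kept], stats
```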
Timestamp Manipulation<br />
Done through the Windows API<br />
ZwSetInformationFile<br />
NtSetInformationFile<br />
Allows setting the whole 64 bits<br />
Many tools only use second precision<br />
Timestomp from Metasploit one of those:<br />
/* it doesnt matter what the millisecond value is because the ntfs resolution for file timestamps is only up to 1s */<br />
systemtime->wMilliseconds = 0;<br />
The API only changes the $STDINFO timestamp<br />
The $FILENAME is untouched
How Do We Then Detect Those Manipulations?<br />
Two methods<br />
Detect timestamps that have ms equal to zero<br />
Detect timestamps where $FN occurs later than<br />
$SI<br />
Problems with this approach<br />
Not all files with zero ms. have been manipulated<br />
$FN timestamps are updated when files are<br />
copied or moved<br />
Pretty easy to fool<br />
Use methods that set the ms. to a random value
Other methods<br />
Sequential MFT entry number allocation<br />
Malware often hides inside Windows\System32<br />
Patches update several files<br />
Malware introduces few changes<br />
What l2t_process does to detect manipulations<br />
$MFT module includes notes if entries are suspicious<br />
The -i (include) option includes suspicious entries<br />
outside the date range<br />
Maps the relationship between MFT entry nr. and<br />
creation time
Scatter Plots<br />
[2139] /WINDOWS/system32/evil.exe [{SUSP ENTRY - second prec. $SI [M...] FN rec AFTER SI rec} ]
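The zero-millisecond and $FN-after-$SI checks, together with the entry-number ordering that the scatter plots visualize, written out as an added Python example (not code from log2timeline's mft module or from l2t_process). The sample entries, the 30-day slack and the note wording are assumptions constructed here.

```python
from collections import namedtuple

TICKS_PER_SEC = 10_000_000           # NTFS timestamps are 100 ns ticks since 1601-01-01
DAY = 86_400 * TICKS_PER_SEC

# Constructed sample: MFT entry number, path, $STANDARD_INFORMATION and $FILE_NAME creation
# times. T0 is an arbitrary FILETIME in 2009; only order and sub-second part matter here.
Entry = namedtuple("Entry", "mft_no path si_created fn_created")
T0 = 129_000_000_000_000_000
SAMPLE = [
    Entry(2100, "/WINDOWS/system32/kernel32.dll", T0 + 1234567, T0 + 1234567),
    Entry(2138, "/WINDOWS/system32/ntdll.dll", T0 + 2 * DAY + 5555555, T0 + 2 * DAY + 5555555),
    # $SI backdated by a second-precision API call: whole seconds, and older than $FN
    Entry(2139, "/WINDOWS/system32/evil.exe", T0 - 400 * DAY, T0 + 3 * DAY + 7654321),
    Entry(2140, "/WINDOWS/system32/drivers/etc/hosts", T0 + 3 * DAY + 1, T0 + 3 * DAY + 1),
]


def timestomp_notes(e):
    """The two per-entry checks the slides describe."""
    notes = []
    if e.si_created % TICKS_PER_SEC == 0:    # sub-second part is zero, as timestomp leaves it
        notes.append("second prec. $SI")
    if e.fn_created > e.si_created:           # the API rewrote $SI only; $FN keeps the real time
        notes.append("FN rec AFTER SI rec")
    return notes


def entry_order_notes(entries, slack=30 * DAY):
    """Scatter-plot idea as a rule: entry numbers are handed out roughly in creation order, so
    an entry whose $SI creation lies far before its lower-numbered neighbour's is suspect.
    Entry reuse after deletions makes this noisy, which is the false-positive risk noted above."""
    flagged = {}
    ordered = sorted(entries, key=lambda e: e.mft_no)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.si_created - cur.si_created > slack:
            flagged[cur.mft_no] = "created before lower MFT entry %d" % prev.mft_no
    return flagged


def annotate(entries):
    """l2t-style note per entry number; empty string when nothing is suspicious."""
    order = entry_order_notes(entries)
    out = {}
    for e in entries:
        notes = timestomp_notes(e) + ([order[e.mft_no]] if e.mft_no in order else [])
        out[e.mft_no] = "{SUSP ENTRY - %s}" % " - ".join(notes) if notes else ""
    return out
```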
Summary<br />
log2timeline has been evolving since <strong>2009</strong><br />
And keeps doing that<br />
Developed on my own time<br />
Donations and feedback run tool development<br />
Version 0.60 allows complete super timeline creation<br />
And runs on most platforms<br />
Easy to integrate into other scripts<br />
l2t_process assists with data reduction