Timeline Generation and Analysis

Timeline Generation and Analysis
"So teach us to number our days, that we may apply our hearts unto wisdom." - King James Bible, Psalms 90:12

Overview
- Timelines: Rationale
- Windows Time Formats
- Timeline Concepts: Context & Granularity, Relative Confidence, Temporal Proximity, Top Down v. Bottom Up
- Timeline Tools: Plaso, Python-evtx, Additional Options

Timelines - why?
- A great deal of the analysis forensic investigators do comes down to definable events occurring at certain times, relative to and correlated with each other or with some external source.
  - Time of malware infection.
  - Time an intruder gained access to a system.
  - Window of exposure: how long a system was compromised, or how long PII or other sensitive data was at risk of exposure.
  - When contraband images were created and how long they persisted on the system.
- One of the most important questions for a forensic investigator is "when?"

Timelines - why? Space and Time Efficient
- Storage space has increased exponentially: 2TB-4TB hard drives are common these days, and external media capacity and use are increasing as well.
- Metadata is far smaller than all the data on a storage device: KB vs GB or TB.
- Metadata is all text based, so it can be compressed and parsed quickly.
- Relevant timeline data can be extracted, compressed, transferred for analysis, and processed far more easily than imaged media.
- You can begin timeline analysis while waiting for images to copy.

Time Formats: How we measure time
- UTC & GMT: UTC is Coordinated Universal Time; GMT is Greenwich Mean Time. The two are generally considered interchangeable in common usage.
- UTC is the primary standard by which the world regulates clocks and defines time.

Time Formats: Time Zones
- Time zones are defined by their offset from UTC.
- The UTC time zone is centered on the Prime Meridian running through Greenwich, London, UK.
- You need to be aware of what time zone(s) your timestamps are from and adjust them as appropriate.

FILETIME
- 64-bit format.
- Counts the number of 100-nanosecond intervals since 1601-01-01T00:00 UTC.
- Struct & definitions: https://msdn.microsoft.com/en-us/library/ms724284(v=vs.85).aspx
- The most common time format: file times, Registry key LastWrite times, the ShutdownTime value in the Registry System hive.

Unix Time Format
- 32-bit format.
- Records the number of seconds since 1970-01-01T00:00 UTC.
- Struct & definitions: https://msdn.microsoft.com/en-us/library/aa363646(VS.85).aspx
- Used in the TimeGenerated and TimeWritten values in .evt logs.

DOSDate
- 32-bit format: 16 bits hold the date, 16 bits hold the time.
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms724274(v=vs.85).aspx
- Found in shell items, Jump Lists, and some Registry keys.

String Format
- Similar to what users see when interacting with GUI elements.
- Stored in local system time after converting from UTC. Ex: "01/02/2010 2:42 PM".
- IIS web server logs are stored in this format (but with comma delimiters).

SYSTEMTIME
- Struct that records each individual time segment.
- Stored in local system time after converting from UTC.
- https://msdn.microsoft.com/en-us/library/ms724950(v=vs.85).aspx
- Found in some Registry values.
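The four binary formats above, decoded to one comparable UTC timeline, as an added example that is not part of the original deck. The sample values are constructed (all encode 2014-04-08 12:39:08); the UTC offset passed to local_to_utc() is whatever the examined system's time zone was.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epochs for the two counter-based formats.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix time


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME: 64-bit count of 100-ns intervals since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """Registry values such as ShutdownTime hold a FILETIME as 8 little-endian bytes."""
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_utc(ft)


def unix_to_utc(secs: int) -> datetime:
    """Unix time: seconds since 1970-01-01 00:00 UTC (.evt TimeGenerated/TimeWritten)."""
    return EPOCH_1970 + timedelta(seconds=secs)


def dosdate_to_local(date16: int, time16: int) -> datetime:
    """DOSDate: 16-bit date (7 bits year since 1980, 4 bits month, 5 bits day) and
    16-bit time (5 bits hour, 6 bits minute, 5 bits of two-second units).
    Stored in local time, so the result is naive; normalize with local_to_utc()."""
    year = ((date16 >> 9) & 0x7F) + 1980
    month = (date16 >> 5) & 0x0F
    day = date16 & 0x1F
    hour = (time16 >> 11) & 0x1F
    minute = (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def systemtime_from_bytes(raw: bytes) -> datetime:
    """SYSTEMTIME: eight 16-bit words (year, month, day-of-week, day, hour,
    minute, second, milliseconds). Also local time, hence a naive result."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def local_to_utc(local: datetime, utc_offset_hours: float) -> datetime:
    """Shift a naive local-time stamp to UTC using the examined system's offset
    (e.g. -5 for US Eastern standard time) so it can sit on one timeline."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample values; each encodes 2014-04-08 12:39:08.
    print(filetime_to_utc(130414343480000000))
    print(unix_to_utc(1396960748))
    print(dosdate_to_local(0x4488, 0x64E4))
```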

Applications
- Applications will choose their own time formats! Just in case you thought Windows was already too standardized...

Concepts - Context & Granularity
- Context: correlating information from multiple data sources, adding details to the activity around a specific event.
  - Examining other activities occurring on the system at or near the time of the event we're interested in.
  - Ex: we see that a file was loaded onto the system and then, shortly thereafter, another file was created in a suspicious location.
  - In networked environments we can build a timeline combining data from multiple systems and sources.
- Granularity: the level of detail on the timeline, based on the data sources included. Each data source we add to a timeline increases the details available.

Relative Confidence
- A good timeline increases relative confidence in our data and conclusions.
- Some data sources are more easily mutable than others. Generally, we put more confidence in a data source the less mutable it is.
  - Timestamps in the $STANDARD_INFORMATION attribute in the MFT can be easily modified using accessible APIs, but the $FILE_NAME attribute is less easily accessible.
  - There is no API to change Registry key LastWrite times.
- All data sources for our timeline have a relative level of confidence that the timestamp information is correct. Use higher-confidence data to corroborate lower-confidence data.

Temporal Proximity
- A measure of how close events are in time.
- In analysis: high temporal proximity helps establish context or a relation between artifacts.
- In triage / investigation: most timestamp metadata only holds the most recent entry. Historical values are not retained; when writing to a file, the previous modified value is overwritten.

Temporal Proximity
- Investigations need to be made in close temporal proximity to the relevant incident in order to preserve timestamped data that may be modified or overwritten by normal system activities.
- A large temporal gap can explain an apparent lack of indicators of specific activity.

Relative Times
- Our timeline is a series of discrete points. But time is not a discrete set of points; it's a continuous flow.
- A program does not execute at a specific time. It begins execution at a specific time, it continues execution, and it eventually halts at a specific time.
- We may not be able to recover all the artifacts covering the entirety of this timespan.
- Think about the types of relative times: before, after, and during.

Before & After
- Any discrete point in the timeline can be described as having occurred before or after any other discrete point.
- An event depending on another event cannot occur prior to the dependency.
- Ex: the file system create time is the start point for all file system time points. File MAC times earlier than the file system's creation have been falsified, intentionally or otherwise.

Before & After
- Consider the temporal dependency of the events you examine.
  - Narrows down the scope of where to search.
  - Exposes additional information.

During
- Describes a set of time data with a finite beginning and end: an event with duration.
  - Time of compromise: the window from initial intrusion to successful remediation.
  - Windows between logins and logouts.
- Helps manage the scope of the investigation and filter out extraneous data.

Inferred Times
- Absolutely granular time points may not be available, or are available but misleading.
- Inferred time is an estimated time frame reconstructed from other data.
- In Digital Forensics with Open Source Tools the author provides a detailed example of timelining a deleted file entry using inferred times on pp. 234-235.

Embedded Times
- File metadata often includes temporal metadata, such as the photo creation time in a picture.
- Embedded times can travel with files as they move from system to system.
- Generally require separate tools or APIs to change, compared to system artifacts.
- Can be recovered after deletion and removal of file system metadata structures.
- Embedded inferred time: we can deduce information about file creation from metadata fields. Ex: PDF files often contain the name and version of the software used to generate them.

Periodicity
- The time period between events; the inverse of frequency (how often something occurs per unit of time).
- Very useful in searching for suspicious network traffic: backdoor programs usually have a highly fixed period for communicating with their controllers. Though so do most auto-updaters.

Periodicity
- Variance in time periods: human activity will vary; automated traffic usually has very precise fixed intervals.
- Speed of time periods: automation and scripts are far faster than humans.
- Correlate with other times: what would you think of a lab machine accessed after hours every Thursday between 2300 and 0000?

Frequency
- Patterns and outliers: any activity that doesn't match typical patterns.
- Least Frequency of Occurrence: malware authors and intruders usually want to minimize their footprint to avoid detection, so malicious activity is often the least frequent type of activity.

Frequency - Least Frequency of Occurrence
- Look for the small anomalies, not massive spikes of activity.
- We are interested in the small, infrequent things we may not otherwise notice in all the noise on a system or infrastructure.
- We are not looking for a needle in a haystack, but for hay that doesn't belong in the haystack.
- Ex: to minimize changes, attackers will often prefer to compromise existing user accounts rather than create new accounts. Though if they do create accounts to maintain persistence, what's one account among thousands in an Active Directory?
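The periodicity and least-frequency-of-occurrence ideas from the last few slides, run over a constructed proxy-style log, as an added example (not from the deck). The log lines, addresses and thresholds (four contacts, coefficient of variation below 0.1) are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, "timestamp src dst" per line. 203.0.113.7 is contacted on a
# near-fixed ~10 minute cycle, 198.51.100.20 irregularly, 192.0.2.99 exactly once.
SAMPLE_LOG = """\
2014-04-08T12:40:00 10.0.0.5 203.0.113.7
2014-04-08T12:41:10 10.0.0.5 198.51.100.20
2014-04-08T12:41:15 10.0.0.5 198.51.100.20
2014-04-08T12:50:02 10.0.0.5 203.0.113.7
2014-04-08T12:55:40 10.0.0.5 198.51.100.20
2014-04-08T12:59:59 10.0.0.5 203.0.113.7
2014-04-08T13:02:30 10.0.0.5 192.0.2.99
2014-04-08T13:10:01 10.0.0.5 203.0.113.7
2014-04-08T13:20:00 10.0.0.5 203.0.113.7
2014-04-08T13:30:05 10.0.0.5 198.51.100.20
"""


def parse_log(text):
    """Return (timestamp, dst) pairs from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, _src, dst = line.split()
        events.append((datetime.fromisoformat(ts), dst))
    return events


def periodicity(events):
    """Per destination: contact count, mean interval in seconds, and the coefficient
    of variation (stdev / mean) of the intervals. A low CV means a nearly fixed
    period, which is what automated traffic looks like; humans vary far more."""
    by_dst = {}
    for ts, dst in sorted(events):
        by_dst.setdefault(dst, []).append(ts)
    stats = {}
    for dst, times in by_dst.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:                      # too few intervals to judge a period
            stats[dst] = (len(times), None, None)
            continue
        m = mean(gaps)
        stats[dst] = (len(times), m, pstdev(gaps) / m if m else None)
    return stats


def periodic_destinations(events, min_contacts=4, max_cv=0.1):
    """Destinations contacted at least min_contacts times with CV <= max_cv.
    Remember the deck's caveat: legitimate auto-updaters show the same shape."""
    return sorted(dst for dst, (n, _m, cv) in periodicity(events).items()
                  if n >= min_contacts and cv is not None and cv <= max_cv)


def least_frequent(events, how_many=1):
    """Least Frequency of Occurrence: the destinations seen the fewest times."""
    counts = Counter(dst for _ts, dst in events)
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [dst for dst, _n in ranked[:how_many]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(periodic_destinations(ev))   # ['203.0.113.7']
    print(least_frequent(ev))          # ['192.0.2.99']
```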

Top Down versus Bottom Up
- Some analysts prefer a kitchen sink approach: begin by including as much data in your timelines as possible, then filter and parse until you sift out the most relevant data.
- Others prefer the bottom up approach: minimalist; build the timeline one layer at a time as the analysis continues.
- An analyst's approach must be chosen based on the goals of the examination, the analyst's comfort with their knowledge of the data and tools, any documented processes and procedures employed by the analyst, and the analyst's preference.

Timeline Tools - Plaso
- Python based rewrite of the Perl log2timeline.
- Parses many different types of artifacts: Windows Event Logs, Windows Registry, Windows Prefetch, browser history, anti-virus logs, Windows Firewall, pcap, and much more.

Timeline Tools - Plaso
- Creates a so-called "supertimeline" which combines results from many different sources.
- Documentation: https://github.com/log2timeline/plaso/wiki

Plaso Architecture
- Four stages: Preprocessing, Collection, Worker, Storage.

Plaso Preprocessing Stage
- Collects the following: OS version, hostname, time zone information, default applications, enumeration of all users and ports.

Plaso Collection Stage
- Goes over the image, directory, or mount point and finds all files the tool can process.
  - Option 1: recursively processes all files.
  - Option 2: if VSS (shadow copies) are used, a hash is calculated from the MAC timestamps of each file; only new, uncollected files are included.
  - Option 3: targeted collection: only collects from a set of defined file paths and patterns.

Plaso Worker
- The main part: monitors the process queue and processes each file.
- Actions for each file:
  - Determine the file type
  - Determine which parser to apply
  - Parse the file and extract events
  - Apply some set of defined filters
  - Send extracted events to the storage queue
  - Determine if this file contains further files to process and, if yes, process them as well

Plaso Storage Stage
- Events from the storage queue are written to disk.

Plaso Framework Tools
- log2timeline: the main command line frontend. Extracts events from an image, mount point or file, and saves them into a Plaso storage file for future processing and analysis.
- pinfo: extracts information from a Plaso storage file.
- pprof: a small tool of interest to developers trying to optimize parsers.

Plaso Framework Tools
- preg: a different frontend for the registry parser. Parses an image or registry hive and provides a console or shell to work with the registry.
- pshell: an iPython console to the Plaso backend. Provides user access to all Plaso libraries, and thus to more advanced analysis, debugging, and experimentation.

Plaso Framework Tools
- psort: converts the Plaso storage format to a human-readable form.

Using Log2Timeline
- Mount the image. Typically:
  mount -o ro,loop,show_sys_files,streams_interface=windows,offset=<file_sys_offset> <image> <mount_location>
- Run log2timeline:
  log2timeline-sift -z <examined_system_timezone> -p <partition> -i <image>
- Filter the timeline:
  l2t_process -b timeline.csv MM-DD-YYYY..MM-DD-YYYY -k <keywords.txt> > filtered.csv

Using Log2Timeline
- In-depth resources: the SANS log2timeline cheat sheet. Very useful, and it should already be in your SIFT workstation.

Plaso in Practice
- Assume we have a hard drive image from an infected Win7 PC and seek to determine how the infection occurred.
- First we need to determine the partitions with The Sleuth Kit:
  mmls ~/mnt/image.dd
- We find the NTFS offset at 206848.

Plaso in Practice
- Then build the body file with log2timeline:
  log2timeline.py -p --parsers win7 -z UTC -o 206848 timeline.body ~/mnt/image.dd

Plaso in Practice
- We will use the dynamic output format, which allows setting filtering rules using SQL-like requests.
- Fields: date, time, timezone, source, message, user, host, inode, filename, macb, timestamp_desc, parser.

Plaso in Practice
- Assume we elsewhere found the suspicious file ZkPECED.exe.
  psort.py -q -o dynamic timeline.body "select date,time,timezone,macb,filename,inode where parser is 'PFileStatParser' and filename contains 'ZkPECED'"
- We can see that two files, ZkPECED.tmp and ZkPECED.exe, were created in the \Users\Alina\AppData\Local\Temp directory at 2014-04-08T12:39:08 UTC.

Plaso in Practice
- Now determine where the file came from by searching for events occurring within ten minutes of it:
  psort.py -q -o dynamic --slice "2014-04-08 12:39:08" --slice_size 10 timeline.body "select date,time,timezone,macb,filename,inode where parser is 'PFileStatParser'" | grep -iE "\.exe$"

Plaso in Practice
- We discover that just prior to the appearance of ZkPECED.exe, the metadata of a file in the systemhost directory with the suspicious name 24FC2AE3CB0.exe (inode 46912) changed (meaning it was renamed or moved locally), even though its MAC times refer back to 2010:
  psort.py -q -o dynamic timeline.body "select date,time,timezone,macb,inode,filename where parser is 'PFileStatParser' and inode==46912"

Plaso in Practice
- Use TSK's istat to learn about 24FC2AE3CB0.exe:
  istat -o 206848 ~/mnt/image.dd 46912
- We see that the timestamps in $STANDARD_INFORMATION and $FILE_NAME do not match, which likely indicates they were manually changed.

Plaso in Practice
- Thus we can assume that the 24FC2AE3CB0.exe file (inode 46912) was created 2018-04-04 at 12:31:44 UTC and that its timestamps were changed "manually", a likely sign of malware.
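The same pivot-and-slice workflow as the psort queries above (filter by parser and filename, then take a window of +/- N minutes around a pivot time), as an added example rather than anything from the deck or from Plaso. The CSV rows are constructed in the dynamic field order used above; only the ZkPECED names, path, time and inode 46912 come from the slides, and the other paths, inodes, times and the WinEvtxParser name are placeholders.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed dynamic-format output; every row's timezone column is UTC.
SAMPLE_TIMELINE = """\
date,time,timezone,macb,filename,inode,parser
2010-07-14,03:15:00,UTC,MACB,/Windows/System32/systemhost/24FC2AE3CB0.exe,46912,PFileStatParser
2014-04-08,12:31:44,UTC,..C.,/Windows/System32/systemhost/24FC2AE3CB0.exe,46912,PFileStatParser
2014-04-08,12:39:08,UTC,MACB,/Users/Alina/AppData/Local/Temp/ZkPECED.tmp,60001,PFileStatParser
2014-04-08,12:39:08,UTC,MACB,/Users/Alina/AppData/Local/Temp/ZkPECED.exe,60002,PFileStatParser
2014-04-08,12:39:10,UTC,....,/Windows/System32/winevt/Logs/Security.evtx,33001,WinEvtxParser
2014-04-08,12:39:30,UTC,MACB,/Windows/Prefetch/ZKPECED.EXE-1A2B3C4D.pf,60003,PFileStatParser
2014-04-08,13:05:12,UTC,MACB,/Users/Alina/Downloads/report.pdf,60004,PFileStatParser
"""


def parse_dynamic_csv(text):
    """Read the CSV into dicts, adding a tz-aware 'ts' field, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":          # mixed zones would break comparisons
            raise ValueError("unexpected timezone: " + row["timezone"])
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["ts"] = stamp.replace(tzinfo=timezone.utc)
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])       # stable: ties keep file order


def time_slice(rows, pivot, minutes):
    """Like psort --slice <pivot> --slice_size <minutes>: keep events within
    +/- minutes of the pivot, given as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    centre = datetime.strptime(pivot, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    window = timedelta(minutes=minutes)
    return [r for r in rows if abs(r["ts"] - centre) <= window]


def where(rows, parser=None, filename_contains=None, filename_regex=None, inode=None):
    """The 'where' part of the dynamic queries: all given conditions must hold."""
    pattern = re.compile(filename_regex, re.IGNORECASE) if filename_regex else None
    out = []
    for r in rows:
        if parser and r["parser"] != parser:
            continue
        if filename_contains and filename_contains not in r["filename"]:
            continue
        if pattern and not pattern.search(r["filename"]):
            continue
        if inode and r["inode"] != inode:
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    rows = parse_dynamic_csv(SAMPLE_TIMELINE)
    near = time_slice(rows, "2014-04-08 12:39:08", 10)
    for r in where(near, parser="PFileStatParser", filename_regex=r"\.exe$"):
        print(r["date"], r["time"], r["macb"], r["inode"], r["filename"])
```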

Python-evtx
- Open source pure Python parser for EVTX files.
- Provides programmatic access to file & chunk headers, record templates, and event entries.
- Available on GitHub: https://github.com/williballenthin/python-evtx
- Inspired by and based on the Perl-implemented Parse-Evtx.
- Install from pip: pip install python-evtx

Python-evtx Functions
- evtxinfo.py prints metadata about the event log and verifies the checksums in each chunk.
- evtxtemplates.py builds and prints the templates used in the event log.
- evtxdump.py parses the event log and outputs human-readable UTF-8 XML.
- The author also produced EVTXtract, for carving EVTX files from binary data including unallocated space and memory images. Available at https://github.com/williballenthin/EVTXtract (pip install evtxtract).

Parse-evtx
- Perl based scanner.
- Available at: http://computer.forensikblog.de/en/2011/11/evtx-parser-1-1-1.html

Native Microsoft Tools
- Event Viewer, wevtutil.exe, Microsoft Log Parser.
- Microsoft's log viewing tools require a Windows OS to run. They use the native API for processing event files, so the type of file analyzed must match the type the OS uses for its logs: an EVTX system can't parse EVT.

The Sleuth Kit
- Makes timelines of the MFT:
  fls -o 63 -f fat -m / -r images/disk.dd > body.txt
  mactime -b body.txt [DATE_RANGE]

Highly Useful References
- Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline: https://digital-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation
- log2timeline cheat sheet: https://digital-forensics.sans.org/media/log2timeline_cheatsheet.pdf
- SANS DFIR WebCast - Super Timeline Analysis: https://youtu.be/C4jNfXZ90fw

More Reference Reading
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v=ws.11)
- https://countuponsecurity.com/2015/11/23/digital-forensics-supertimeline-event-logs-part-i/
- https://countuponsecurity.com/2014/08/25/forensics-evidence-processing-super-timeline/
- https://countuponsecurity.com/2015/11/10/digital-forensics-ntfs-metadata-timeline-creation/
- https://msdn.microsoft.com/en-us/library/bb726966.aspx

More Reference Reading
- https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
- http://www.dfrws.org/sites/default/files/session-files/paper-introducing_the_microsoft_vista_log_file_format.pdf

Questions?