Timeline Analysis Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7.

Time Line Analysis
- Lists all system events, files and browser activities in chronological order
- Multiple data sources
- Multiple systems
- Becoming very important in forensic analysis
- Approaches:
  - Automatically gather everything: Kristinn Gudjonsson's log2timeline
  - Pick and choose: Harlan Carvey (this presentation)

Carvey's Approach
- Command-line driven
- Multiple tools
- Guided by the objectives of the investigation
- Looking for system files with date/time information:
  - Biggest source is the MFT ($STANDARD_INFORMATION attribute)
  - Event logs
  - Registry (every entry has a time associated with it)
  - Browser logs

Get the Right Tools
- Windows Forensic Analysis Toolkit, Harlan Carvey's book (emphasis is on Windows 7)
- Get his tools for the book here
- Sleuthkit (fls)
- FTK Imager

Temporal Proximity
- The more current the time information is, the more accurate it may be
- Because times may be altered, multiple references to a particular time increase the confidence in that time

TLN Format
- Pipe ("|") delimited text file
- 5 fields: Time | Source | System | User | Description
- Easy to parse
- The User and Description fields are relatively free-form

Time Field
- 32-bit Unix time format, UTC
- Granularity to the second
- Not sufficient for time-stomping analysis based on MFT times

Time Formats
- 64-bit FILETIME (UTC): number of 100-nanosecond intervals since 1/1/1601
- 32-bit Unix time format (UTC): number of seconds since 1/1/1970
- String-based format (local time), e.g. 01/01/2010 2:42 PM
- SYSTEMTIME (local time): used in some registry entries and some XP timestamps

Time Format
Most often used in Windows:

    typedef struct _FILETIME {
        DWORD dwLowDateTime;
        DWORD dwHighDateTime;
    } FILETIME, *PFILETIME;

    BOOL WINAPI FileTimeToSystemTime(
        _In_  const FILETIME *lpFileTime,
        _Out_ LPSYSTEMTIME   lpSystemTime
    );

    typedef struct _SYSTEMTIME {
        WORD wYear;
        WORD wMonth;
        WORD wDayOfWeek;
        WORD wDay;
        WORD wHour;
        WORD wMinute;
        WORD wSecond;
        WORD wMilliseconds;
    } SYSTEMTIME, *PSYSTEMTIME;
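As an added illustration (Python, not code from the book or these slides), the FILETIME-to-Unix conversion that produces the 32-bit TLN time field, plus the 100 ns remainder that conversion throws away, which is why the Time Field slide says TLN is not sufficient for time-stomping analysis of MFT times. The sample value is constructed (the slide's 2:42 PM reading, taken here as UTC).

```python
from datetime import datetime, timezone

# FILETIME: 100 ns intervals since 1601-01-01 00:00 UTC.
# Unix time: seconds since 1970-01-01 00:00 UTC.
# Offset between the two epochs, in 100 ns units (369 years).
EPOCH_DIFF_100NS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000


def filetime_from_dwords(low: int, high: int) -> int:
    """Assemble the dwLowDateTime/dwHighDateTime pair of a FILETIME into one 64-bit integer."""
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_unix(ft: int) -> int:
    """FILETIME -> whole Unix seconds (UTC), as the TLN time field stores it.
    The sub-second part is truncated; that is exactly the loss the Time Field slide warns about."""
    return (ft - EPOCH_DIFF_100NS) // TICKS_PER_SECOND


def filetime_subsecond_ticks(ft: int) -> int:
    """The 100 ns remainder (0..9,999,999) that a TLN timeline no longer carries."""
    return (ft - EPOCH_DIFF_100NS) % TICKS_PER_SECOND


def unix_to_filetime(ts: int) -> int:
    """Unix seconds (UTC) -> FILETIME with a zero sub-second part."""
    return ts * TICKS_PER_SECOND + EPOCH_DIFF_100NS


def filetime_to_utc_string(ft: int) -> str:
    """Render a FILETIME the way a TLN consumer would display it: UTC, second granularity."""
    dt = datetime.fromtimestamp(filetime_to_unix(ft), tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def collapse_in_tln(ft_a: int, ft_b: int) -> bool:
    """True when two distinct FILETIMEs land on the same TLN time value.
    Sub-second differences between MFT timestamps become invisible once in TLN form."""
    return ft_a != ft_b and filetime_to_unix(ft_a) == filetime_to_unix(ft_b)


# Constructed sample: 2010-01-01 14:42:00 UTC.
SAMPLE_FILETIME = unix_to_filetime(1_262_356_920)
```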

Source Field
- FILE: file system create dates
- EVT: XP, 2000, 2003 event logs
- EVTX: Vista and 7 event logs
- REG: registry dates
- Etc.

System Field
- System name: host name, IP address or MAC address

User Field
- User associated with the event (SID)
- Users are often associated with registry entries

Description Field
- Brief description, with sufficient information to evaluate significance
- Can include spaces and special characters, just no "|" characters

Creating Timelines
- Usually from an acquired image
- Sources: your own system, or practical.html (have to convert the E01 format to dd; use FTK Imager)
- Requires ActiveState Perl 5+ and Sleuthkit

File Meta-Data: Dead Box
- Use mmls to find the partition:
    C:\case>mmls -t dos -i raw WinSP2.001
- Use fls to extract the file metadata:
    C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ > bodyfile.txt
  (-m C:\ uses C:\ as the mount point in the output)
- Extract the relevant information from the bodyfile with Carvey's Perl script:
    C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
  (-s Server adds the server's name to the output)

File Meta-Data: Live System or Remotely Mounted
- Open FTK Imager
- Add the image as an evidence item
- Right-click the evidence item and choose "Export Directory Listing"
- The .csv file is written to the case folder

The Directory Listing

Clean up the .csv File
- Change the root directory to C:\
- Make it pretty
- Save it as a tab-delimited .csv file

Into Bodyfile Format
- Have to use Carvey's ftkparse.pl script:
    perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt

Into TLN Format
- Have to use Carvey's bodyfile.pl parser:
    perl C:\bin\carvey\bodyfile.pl -f bodyfile.txt -s LapTop > live-events.txt
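An added example (Python, not Carvey's bodyfile.pl) that performs the bodyfile-to-TLN step used on the dead-box and live-system slides: it reads the TSK body format that fls -m and ftkparse.pl write (md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), groups equal timestamps of a file into one MACB-flagged event, and emits the five TLN fields described earlier. The "MACB [size] path" layout of the description field, the sample paths and the timestamps are my assumptions, not the script's exact output.

```python
# TSK 3.x bodyfile columns, as written by "fls -m" and by ftkparse.pl.
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
# Bodyfile timestamp -> its letter in the MACB flag string (assumed layout).
MACB_ORDER = (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B"))
TLN_FIELDS = ("time", "source", "system", "user", "description")

# Constructed sample bodyfile (two entries) standing in for bodyfile.txt.
SAMPLE_BODYFILE = """\
0|C:/Windows/System32/config/SAM|12345|r/rrwxrwxrwx|0|0|262144|1262356920|1262356900|1262356900|1262300000
0|C:/Users/alice/Desktop/notes.txt|777|r/rrwxrwxrwx|0|0|1024|1262356950|1262356950|1262356950|1262356950
"""

def parse_bodyfile_line(line: str) -> dict:
    """Split one body line into a dict; size and the four timestamps become ints."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(BODY_FIELDS, parts))
    for key in ("size", "atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    return rec

def bodyfile_to_tln(lines, system: str, user: str = "") -> list:
    """Bodyfile lines -> TLN lines (Time|Source|System|User|Description), oldest first.
    A file whose M and C times are equal yields one "M.C." event rather than two."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_bodyfile_line(line)
        by_time = {}
        for key, letter in MACB_ORDER:
            if rec[key] > 0:  # fls writes 0 for a timestamp it could not recover
                by_time.setdefault(rec[key], set()).add(letter)
        for ts, letters in by_time.items():
            flags = "".join(l if l in letters else "." for _, l in MACB_ORDER)
            # The description may hold spaces and special characters but never a "|".
            desc = f"{flags} [{rec['size']}] {rec['name']}".replace("|", "_")
            events.append(f"{ts}|FILE|{system}|{user}|{desc}")
    return sorted(events, key=lambda e: int(e.split("|", 1)[0]))

def parse_tln_line(line: str) -> dict:
    """Validate and split a TLN line into its five fields (time is returned as an int)."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(TLN_FIELDS):
        raise ValueError(f"TLN line must have exactly 5 pipe-delimited fields: {line!r}")
    rec = dict(zip(TLN_FIELDS, parts))
    rec["time"] = int(rec["time"])
    return rec
```

Appending the returned lines to events.txt gives the same kind of file the slides build up with ">> events.txt".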

Registry Data
- Registry key LastWrite times contain a timeline of user/system activity
- Some very useful tools: regtime.pl, RegRipper

Add Registry Data to the Timeline
- System configuration information
- Devices that have been connected
- Wireless access points (WAPs) that a laptop has connected to
- Files accessed (MRU lists)

Timeline Tools: regtime
- Parses key LastWrite times for all allocated keys within the specified hive file:
    regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
    regtime -r System -m HKLM/System/ -s Server >> events.txt

RegRipper Timeline Tools
- Using RegRipper's rip CLI utility
- Get the system name:
    rip -r System -p compname
- Parse UserAssist data:
    rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
- Note: a number of plugins output in TLN format

Event Logs into the Timeline
- Windows XP event logs are readily parsed
- Get AppEvent.evt, SysEvent.evt and SecEvent.evt
- Into the timeline:
    evtparse -d >> events.txt
- Vista and Windows 7: much more information, including driver installations (USB devices, etc.)
- Logs are in C:\Windows\system32\winevt\Logs

Log Parser
- Log Parser is a good tool to parse Windows event logs
- Example:
    logparser -i:evt -o:csv "select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings from System" > d:\case\system.txt
- You can replace "System" with "d:\case\system.evtx" or "d:\case\.evtx"
- Parse the output:
    evtxparse d:\case\system.txt >> events.txt