1
Timeline Generation and Analysis
“So teach us to number our days, that we may apply our hearts unto wisdom.” - King James Bible, Psalms 90:12
2
Overview
Timelines Rationale
Windows Time Formats
Timeline Concepts: Context & Granularity, Relative Confidence, Temporal Proximity, Top Down v. Bottom Up
Timeline Tools: Plaso, Python-evtx, Additional Options
3
Timelines - why?
A great deal of the analysis forensic investigators do comes down to definable events occurring at certain times, relative to and correlated with each other or with some external source:
Time of malware infection.
Time the intruder gained access to the system.
Window of exposure - how long a system was compromised, or how long PII or other sensitive data was at risk of exposure.
When contraband images were created and how long they persisted on the system.
One of the most important questions for a forensic investigator is “when?”
4
Timelines - why? Space and Time Efficient
Storage space has increased exponentially; 2TB-4TB hard drives are common these days. External media capacity and use are increasing as well.
Metadata is far smaller than all the data on a storage device: KB vs GB or TB.
Metadata is all text based, so it can be compressed and parsed quickly.
Relevant timeline data can be extracted, compressed, transferred for analysis, and processed far more easily than imaged media.
You can begin timeline analysis while waiting for images to copy.
5
Time Formats - How we measure time: UTC & GMT
UTC: Coordinated Universal Time. GMT: Greenwich Mean Time.
The two are generally considered interchangeable in common usage.
UTC is the primary standard by which the world regulates clocks and defines time.
6
Time Formats - How we measure time: Time Zones
Time zones are defined by their offset from UTC. The UTC time zone is centered on the Prime Meridian running through Greenwich, London, UK.
You need to be aware of what time zone(s) your timestamps are from and adjust them as appropriate.
7
FILETIME: 64-bit format
Counts the number of 100-nanosecond intervals since T UTC.
Struct & definitions: us/library/ms724284(v=vs.85).aspx
The most common time format: file times, Registry key LastWrite times, the ShutdownTime value in the Registry System hive.
8
Unix Time Format: 32-bit format
Records the number of seconds since T 0000 UTC.
Struct & definitions: us/library/aa363646(VS.85).aspx
Used in the TimeGenerated and TimeWritten values in .evt logs.
9
DOSDate: 32-bit format; 16 bits hold the date, 16 bits hold the time
us/library/windows/desktop/ms724274(v=vs.85).aspx
Found in shell items, Jump Lists, and some registry keys.
10
String Format
Similar to what users see when interacting with GUI elements. Stored in local system time after converting from UTC. Ex: “01/02/2010 2:42 PM.”
IIS web server logs are stored in this format (but with comma delimiters).
11
SYSTEMTIME
A struct that records each individual time segment separately. Stored in local system time after converting from UTC. Found in some Registry values.
12
Applications Applications will choose their own time formats!
Just in case you thought Windows was already too standardized...
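The formats on the preceding slides decoded to UTC, as an added example that is not part of the original presentation. The FILETIME and Unix epochs used here are the documented ones (1601-01-01 and 1970-01-01 00:00 UTC), the sample values are constructed (all stand for 2010-01-02 14:42), and the order of the date and time words inside a packed DOSDate field is left to the caller because it varies by artifact.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # FILETIME epoch
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)   # Unix epoch

def filetime_to_utc(ft: int) -> datetime:
    """64-bit FILETIME: count of 100-ns intervals since 1601-01-01 00:00 UTC
    (file times, Registry key LastWrite times, ShutdownTime)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def unix32_to_utc(secs: int) -> datetime:
    """32-bit Unix time: seconds since 1970-01-01 00:00 UTC
    (TimeGenerated / TimeWritten in .evt logs)."""
    return EPOCH_1970 + timedelta(seconds=secs)

def dosdate_to_naive(fat_date: int, fat_time: int) -> datetime:
    """DOSDate: a 16-bit date word plus a 16-bit time word, 2-second resolution.
    The value is local time, so the result deliberately carries no tzinfo; the
    caller passes the two words in the order its artifact stores them."""
    year, month, day = 1980 + (fat_date >> 9), (fat_date >> 5) & 0x0F, fat_date & 0x1F
    hour, minute, second = fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)

def local_string_to_utc(text: str, offset_hours: int) -> datetime:
    """String format such as "01/02/2010 2:42 PM", recorded in local time: attach the
    examined system's UTC offset (an input the examiner must know), then normalise."""
    local = datetime.strptime(text, "%m/%d/%Y %I:%M %p")
    return local.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(UTC)

def to_zone(dt: datetime, offset_hours: int) -> datetime:
    """Present a UTC timestamp in a chosen zone for reporting."""
    return dt.astimezone(timezone(timedelta(hours=offset_hours)))

if __name__ == "__main__":
    # Constructed sample values; every line prints 2010-01-02 14:42 in some form.
    print(filetime_to_utc(129069169200000000))
    print(unix32_to_utc(1262443320))
    print(dosdate_to_naive(0x3C22, 0x7540))
    print(local_string_to_utc("01/02/2010 2:42 PM", -5))   # 19:42 UTC
```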
13
Concepts - Context & Granularity
Context: correlating information from multiple data sources, adding details to the activity around a specific event. Examining other activities occurring on the system at or near the time of the event we’re interested in. Ex. we see that a file was loaded onto the system and then, shortly thereafter, another file was created in a suspicious location. In networked environments we can build a timeline combining data from multiple systems and sources.
Granularity: the level of detail on the timeline, based on the data sources included. Each data source we add to a timeline increases the details available.
14
Relative Confidence
A good timeline increases relative confidence in our data and conclusions.
Some data sources are more easily mutable than others. Generally, we put more confidence in a data source the less mutable it is.
Timestamps in the $STANDARD_INFORMATION attribute in the MFT can be easily modified using accessible APIs, but the $FILE_NAME attribute is less easily accessible. There is no API to change Registry key LastWrite times.
All data sources for our timeline have a relative level of confidence that the timestamp information is correct. Use higher confidence data to corroborate lower confidence data.
15
Temporal Proximity: a measure of how close events are in time.
In analysis: high temporal proximity helps establish context or a relation between artifacts.
In triage / investigation: most timestamp metadata only holds the most recent entry; historical values are not retained. When writing to a file, the previous modified value is overwritten.
16
Temporal Proximity
Investigations need to be made in close temporal proximity to the relevant incident in order to preserve timestamped data that may be modified or overwritten by normal system activity. A large temporal gap can explain an apparent lack of indicators of specific activity.
17
Relative Times: our timeline is a series of discrete points.
But time is not a discrete set of points; it’s a continuous flow. A program does not execute at a specific time: it begins execution at a specific time, it continues executing, and it eventually halts at a specific time. We may not be able to recover all the artifacts covering the entirety of this timespan.
Think about the types of relative times: before, after, and during.
18
Before & After
Any discrete point in the timeline can be described as having occurred before or after any other discrete point. An event that depends on another event cannot occur prior to its dependency.
Ex. the file system creation time is the start point for all file system time points. File MAC times earlier than the file system’s creation have been falsified, intentionally or otherwise.
19
Before & After
Consider the temporal dependency of the events you examine. It narrows down the scope of where to search and exposes additional information.
20
During
Describes a set of time data with a finite beginning and end - an event with duration. Time of compromise: the window from initial intrusion to successful remediation. Windows between logins and logouts, and between logouts and the next login. Helps manage the scope of the investigation and filter out extraneous data.
21
Inferred Times
Absolutely granular time points may not be available, or may be available but misleading. Inferred time is an estimated time frame reconstructed from other data. In Digital Forensics with Open Source Tools the author provides a detailed example of timelining a deleted file entry using inferred times on p
22
Embedded Times
File metadata often includes temporal metadata, such as the photo creation time in a picture. Embedded times can travel with files as they move from system to system. They generally require separate tools or APIs to change, compared to system artifacts. They can be recovered after deletion and removal of file system metadata structures.
Embedded inferred time: we can deduce information about file creation from metadata fields. Ex. PDF files often contain the name and version of the software used to generate them.
23
Periodicity: the time period between events.
The opposite of frequency, which is how often something occurs per unit of time. Very useful in searching for suspicious network traffic: backdoor programs usually have a highly fixed period for communicating with their controllers. Though so do most auto-updaters.
24
Periodicity
Variance in time periods: human activity will vary; automated traffic usually has very precise fixed intervals.
Speed of time periods: automation and scripts are far faster than humans.
Correlate with other times: what would you think of a lab machine accessed after hours every Thursday between 2300 and 0000?
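The periodicity check from the last two slides, written out as an added example that is not from the presentation: it measures the gap between consecutive connections to each destination and flags destinations whose gaps barely vary. The connection log is constructed; the thresholds (at least five events, coefficient of variation at most 5%) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (not from the presentation): "<UTC time> <destination>".
# 203.0.113.5 is contacted every ~300 s; intranet.example at irregular, human-paced intervals.
SAMPLE_LOG = """\
2024-03-07T09:00:00 203.0.113.5
2024-03-07T09:00:41 intranet.example
2024-03-07T09:03:02 intranet.example
2024-03-07T09:05:00 203.0.113.5
2024-03-07T09:07:13 intranet.example
2024-03-07T09:10:01 203.0.113.5
2024-03-07T09:12:50 intranet.example
2024-03-07T09:14:59 203.0.113.5
2024-03-07T09:20:00 203.0.113.5
2024-03-07T09:21:07 intranet.example
2024-03-07T09:25:00 203.0.113.5
"""

def parse_log(text):
    """Group connection timestamps by destination."""
    per_dst = defaultdict(list)
    for line in text.splitlines():
        stamp, dst = line.split()
        per_dst[dst].append(datetime.fromisoformat(stamp))
    return per_dst

def periodicity(times):
    """(mean gap in seconds, coefficient of variation) for a destination's events;
    a low coefficient means a fixed period. None when fewer than 3 events."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_periodic(per_dst, min_events=5, max_cv=0.05):
    """Destinations contacted at a near-fixed period, as a triage list for beacon
    review; auto-updaters look the same, so each hit still needs correlating with
    process, user and time-of-day data from the rest of the timeline."""
    hits = {}
    for dst, times in per_dst.items():
        stats = periodicity(times) if len(times) >= min_events else None
        if stats and stats[1] <= max_cv:
            hits[dst] = round(stats[0])   # period in seconds
    return hits
```

On the sample log, `find_periodic(parse_log(SAMPLE_LOG))` returns `{'203.0.113.5': 300}` while the irregular intranet traffic is left out.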
25
Frequency: Patterns and Outliers
Any activity that doesn’t match typical patterns.
Least Frequency of Occurrence: malware authors and intruders usually want to minimize their footprint to avoid detection. Malicious activity is often the least frequent type of activity.
26
Frequency: Patterns and Outliers
Least Frequency of Occurrence: look for the small anomalies, not massive spikes of activity. We are interested in the small, infrequent things we may not otherwise notice in all the noise on a system or infrastructure. We are not looking for a needle in a haystack but for hay that doesn’t belong in the haystack.
Ex. to minimize changes, attackers will often prefer to compromise existing user accounts rather than create new accounts. Though if they do create accounts to maintain persistence, what’s one account among thousands in an Active Directory?
27
Top Down versus Bottom Up
Some analysts prefer to use a kitchen sink approach: begin by including as much data in your timelines as possible, then filter and parse until you sift out the most relevant data.
Others prefer the bottom up, minimalist approach: build the timeline one layer at a time as analysis continues.
An analyst’s approach must be chosen based on the goals of the examination, the analyst’s comfort with their knowledge of the data and tools, any documented processes and procedures employed by the analyst, and the analyst’s preference.
28
Timeline Tools - Plaso: Python based rewrite of the Perl log2timeline
Parses many different types of artifacts: Windows Event Logs, Windows Registry, Windows Prefetch, browser history, anti-virus logs, Windows Firewall, pcap, and much more.
29
Timeline Tools - Plaso Creates a so-called “supertimeline” which combines results from many different sources. Documentation:
30
Plaso Architecture: four stages
Preprocessing, Collection, Worker, Storage
31
Plaso Preprocessing Stage
Collects the following: OS version, hostname, time zone information, default applications, enumeration of all users and ports.
32
Plaso Collection Stage
Goes over the image, directory, or mount point and finds all files the tool can process.
Option 1: recursively processes all files.
Option 2: if VSS (shadow copies) are used, a hash is calculated based on the MAC timestamps of each file; only new, uncollected files are included.
Option 3: targeted collection: only collects from a set of defined file paths and patterns.
33
Plaso Worker
Main part - monitors the process queue and processes each file. Actions for each file: determine the file type; determine which parser to apply; parse the file and extract events; apply some set of defined filters; send the extracted events to the storage queue; determine if this file contains further files to process and, if so, process them as well.
34
Storage Stage
Events from the storage queue are written to disk.
35
Plaso Framework Tools
log2timeline: main command line frontend. Extracts events from an image, mount point or file, and saves them into a Plaso storage file for future processing and analysis.
pinfo: allows extraction of information from a Plaso storage file.
pprof: small tool of interest to developers trying to optimize parsers.
36
Plaso Framework Tools
preg: a different frontend for the registry parser. Parses an image or registry hive and provides a console or shell to work with the registry.
pshell: iPython console to the Plaso backend. Provides user access to all Plaso libraries, and access to more advanced analysis, debugging, and experimentation.
37
Plaso Framework Tools
psort: converts the Plaso storage format to a human-readable form.
38
Using Log2Timeline
Mount the image, typically:
mount -o ro,loop,show_sys_files,streams_interface=windows,offset=<file_sys_offset> <image> <mount_location>
Run log2timeline:
log2timeline-sift -z <examined_system_timezone> -p <partition> -i <image>
Filter the timeline:
l2t_process -b timeline.csv MM-DD-YYYY..MM-DD-YYYY -k <keywords.txt> > filtered.csv
39
Using Log2Timeline - in depth resources
SANS log2timeline cheat sheet: very useful; it should already be in your SIFT workstation.
40
Plaso in Practice
Assume we have a hard drive image from an infected Win7 PC and seek to determine how the infection occurred. First we need to determine the partitions with Sleuth Kit:
mmls ~/mnt/image.dd
Find NTFS offset at
41
Plaso in Practice
Then build the body file with log2timeline:
log2timeline.py -p --parsers win7 -z UTC -o timeline.body ~/mnt/image.dd
42
Plaso in Practice
We will use the dynamic output format, which allows setting filtering rules using SQL-like requests. Available fields: date, time, timezone, source, message, user, host, inode, filename, macb, timestamp_desc, parser.
43
Plaso in Practice
Assume we elsewhere found the suspicious file ZkPECED.exe.
psort.py -q -o dynamic timeline.body "select date,time,timezone,macb,filename,inode where parser is 'PfileStatParser' and filename contains 'ZkPECED'"
We can see that two files, ZkPECED.tmp and ZkPECED.exe, were created in the \Users\Alina\AppData\Local\Temp directory at T 12:39:08 UTC.
44
Plaso in Practice
Now determine where the file came from by searching events occurring within ten minutes:
psort.py -q -o dynamic --slice " :39:08" --slice_size 10 timeline.body "select date,time,timezone,macb,filename,inode where parser is 'PfileStatParser'" | grep -iE "\.exe$"
45
Plaso in Practice
We discover that just prior to the appearance of ZkPECED.exe, the metadata of a file in the systemhost directory with the suspicious name 24FC2AE3CB0.exe (inode 46912) changed (meaning it was renamed or moved locally), even though its MAC times refer back to 2010:
psort.py -q -o dynamic timeline.body "select date,time,timezone,macb,inode,filename where parser is 'PfileStatParser' and inode==46912"
46
Plaso in Practice
Use TSK’s istat to learn about 24FC2AE3CB0.exe:
istat -o ~/mnt/image.dd
See that the timestamps in $STANDARD_INFORMATION and $FILE_NAME do not match, which likely indicates they were manually changed.
47
Plaso in Practice
Thus we can assume that the 24FC2AE3CB0.exe file (inode 46912) was created at 12:31:44 UTC and that its timestamps were changed “manually”, a likely sign of malware.
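The $STANDARD_INFORMATION versus $FILE_NAME comparison used on the Relative Confidence slide and in the istat step above, as an added example that is not part of the presentation or the case data. The records are constructed, and both checks are heuristics: a rename or move refreshes $FILE_NAME from the then-current $STANDARD_INFORMATION values, so a hit is a lead to corroborate with other timeline data, not a finding on its own.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed MFT-style records (not the case data from the slides). Each carries
# the creation time from $STANDARD_INFORMATION ($SI, settable through the file
# API) and from $FILE_NAME ($FN, written by the kernel, no documented API to set).
RECORDS = [
    {"inode": 1001, "name": "report.docx",
     "si_created": datetime(2013, 5, 2, 12, 31, 44, 123456, tzinfo=UTC),
     "fn_created": datetime(2013, 5, 2, 12, 31, 44, 123456, tzinfo=UTC)},
    {"inode": 1002, "name": "update_helper.exe",   # constructed suspect record
     "si_created": datetime(2010, 7, 14, 9, 0, 0, 0, tzinfo=UTC),
     "fn_created": datetime(2013, 5, 2, 12, 31, 44, 987654, tzinfo=UTC)},
    {"inode": 1003, "name": "setup.log",            # whole seconds in both: benign
     "si_created": datetime(2013, 5, 2, 12, 33, 0, 0, tzinfo=UTC),
     "fn_created": datetime(2013, 5, 2, 12, 33, 0, 0, tzinfo=UTC)},
]

def timestomp_indicators(rec):
    """Return the heuristic reasons a record's $SI times look altered."""
    reasons = []
    if rec["si_created"] < rec["fn_created"]:
        # $FN creation is copied from $SI on create/rename/move, so $SI predating
        # $FN normally means $SI was set back after the fact.
        reasons.append("si_created_before_fn_created")
    if rec["si_created"].microsecond == 0 and rec["fn_created"].microsecond != 0:
        # Tools that set times through the API often write whole seconds, while
        # the kernel keeps FILETIME's sub-second precision in $FN (weak on its own).
        reasons.append("si_whole_seconds_fn_fractional")
    return reasons

def find_timestomped(records):
    """Map inode -> reasons for every record with at least one indicator."""
    return {r["inode"]: timestomp_indicators(r) for r in records if timestomp_indicators(r)}

def corroborated_creation(rec):
    """Creation time to carry into the timeline: the higher-confidence $FN value
    once $SI is suspect, as the Relative Confidence slide recommends."""
    return rec["fn_created"] if timestomp_indicators(rec) else rec["si_created"]
```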
48
Python-evtx: open source, pure Python parser for EVTX files.
Provides programmatic access to file & chunk headers, record templates, and event entries.
Available on github: /python-evtx
Inspired by and based on the Perl implementation Parse-Evtx.
Install from pip: pip install python-evtx
49
Python-evtx Functions
evtxinfo.py prints metadata about the event log and verifies the checksums in each chunk.
evtxtemplates.py builds and prints the templates used in the event log.
evtxdump.py parses the event log and outputs human readable UTF-8 XML.
The author also produced EVTXtract, for carving EVTX files from binary data including unallocated space and memory images. Available via pip install evtxtract.
50
Parse-evtx: Perl based scanner
Available At: html
51
Native Microsoft Tools
Event Viewer, wevtutil.exe, Microsoft Log Parser.
Event Viewer: Microsoft’s log viewing tool. Requires a Windows OS to run, and uses the native API for processing event files, so the type of file analyzed must match the type the OS uses for its logs: an EVTX system can’t parse EVT.
52
The Sleuth Kit: makes timelines of the MFT
fls -o 63 -f fat -m / -r images/disk.dd > body.txt
mactime -b body.txt [DATE_RANGE]
53
Highly Useful References
Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline: sifting-super-timeline-analysis-and-creation
Log2timeline cheatsheet: forensics.sans.org/media/log2timeline_cheatsheet.pdf
SANS DFIR WebCast - Super Timeline Analysis:
54
More Reference Reading
pro/windows-server-2008-R2-and-2008/cc722404(v=ws.11)
supertimeline-event-logs-part-i/
processing-super-timeline/
metadata-timeline-creation/
55
More Reference Reading
security-incidents-windows-workstation-event-logs-34262
introducing_the_microsoft_vista_log_file_format.pdf
56
Questions?