Timeline Analysis Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7.


1 Timeline Analysis Harlan Carvey: Windows Forensic Analysis Toolkit, Chapter 7

2 Time Line Analysis
- Lists all system events, files, browser activities in chronological order
- Multiple data sources
- Multiple systems
- Becoming very important in forensic analysis
- Approaches
  - Automatically gather everything: Kristinn Gudjonsson's log2timeline
  - Pick and choose: Harlan Carvey (this presentation)

3 Carvey's Approach
- Command line driven
- Multiple tools
- Guided by the objectives of the investigation
- Looking for system files with date/time info
  - Biggest is in the MFT: the $STANDARD_INFORMATION attribute
  - Event logs
  - Registry: every entry has a time associated with it
  - Browser logs

4 Get the Right Tools
- Windows Forensic Analysis Toolkit (Harlan Carvey's book); emphasis is on Windows 7
- Get his tools for the book here: http://code.google.com/p/winforensicaanalysis/downloads/list
- Sleuthkit (fls)
- FTK Imager

5 (image-only slide)

6 Temporal Proximity
- The more current the time info is, the more accurate it may be
- Because times may be altered, multiple references to a particular time will increase the confidence in that time

7 TLN Format
- Pipe "|" delimited text file
- 5 fields: Time | Source | System | User | Description
- Easy to parse
- The user and description fields are relatively free form

8 Time Field
- 32-bit Unix time format, UTC
- Granularity to the second
  - Not sufficient for time stomping analysis based on MFT times

9 Time Formats
- 64-bit FILETIME (UTC): number of 100-nanosecond intervals since 1/1/1601
- 32-bit Unix time format (UTC): number of seconds since 1/1/1970
- String based format (local time): 01/01/2010 2:42 PM
- SYSTEMTIME (local time): used in some registry entries and some XP times

10 Time Format
Most often used in Windows:

    typedef struct _FILETIME {
        DWORD dwLowDateTime;    // low 32 bits of the 100 ns tick count since 1/1/1601
        DWORD dwHighDateTime;   // high 32 bits
    } FILETIME, *PFILETIME;

    BOOL WINAPI FileTimeToSystemTime(
        _In_  const FILETIME *lpFileTime,
        _Out_ LPSYSTEMTIME    lpSystemTime
    );

    typedef struct _SYSTEMTIME {
        WORD wYear;
        WORD wMonth;
        WORD wDayOfWeek;
        WORD wDay;
        WORD wHour;
        WORD wMinute;
        WORD wSecond;
        WORD wMilliseconds;
    } SYSTEMTIME, *PSYSTEMTIME;
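As an added illustration (not from the slides or from Carvey's Perl tools), the conversions between the formats on slides 8 to 10 in Python. The constants are the documented epoch difference between FILETIME and Unix time; the UTC offset passed for the local-time formats is whatever the examiner has established for the system, here an assumed value.

```python
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_UNIX_OFFSET = 116444736000000000
TICKS_PER_SECOND = 10_000_000


def filetime_from_parts(low: int, high: int) -> int:
    """Join dwLowDateTime/dwHighDateTime (as read from a raw struct) into one 64-bit value."""
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_parts(ft: int) -> tuple:
    """Split a 64-bit FILETIME back into (dwLowDateTime, dwHighDateTime)."""
    return ft & 0xFFFFFFFF, (ft >> 32) & 0xFFFFFFFF


def filetime_to_unix(ft: int) -> tuple:
    """Return (unix_seconds, leftover_ticks). A TLN time field keeps only unix_seconds;
    leftover_ticks is the sub-second precision the TLN format drops, which is why a TLN
    alone is not enough for time stomping analysis of MFT times."""
    return divmod(ft - FILETIME_UNIX_OFFSET, TICKS_PER_SECOND)  # floor division: pre-1970 stays consistent


def unix_to_filetime(ts: int) -> int:
    """Inverse of filetime_to_unix for whole seconds."""
    return ts * TICKS_PER_SECOND + FILETIME_UNIX_OFFSET


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME to an aware UTC datetime (microsecond precision is the best datetime offers)."""
    secs, ticks = filetime_to_unix(ft)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=ticks // 10)


def local_string_to_unix(text: str, utc_offset_hours: float) -> int:
    """Parse the local-time string form from slide 9 ("01/01/2010 2:42 PM").
    Local-time sources carry no zone, so the caller supplies the system's UTC offset."""
    naive = datetime.strptime(text, "%m/%d/%Y %I:%M %p")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return int(naive.replace(tzinfo=zone).timestamp())


def systemtime_to_unix(st: dict, utc_offset_hours: float) -> int:
    """SYSTEMTIME fields (keys named as in the struct, local time) to Unix seconds."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    local = datetime(st["wYear"], st["wMonth"], st["wDay"], st["wHour"], st["wMinute"],
                     st["wSecond"], st["wMilliseconds"] * 1000, tzinfo=zone)
    return int(local.timestamp())
```

The leftover ticks returned by filetime_to_unix are worth recording separately when a time looks suspicious, since the TLN line itself cannot carry them.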

11 Source Field
- FILE: file system create dates
- EVT: XP, 2000, 2003 event logs
- EVTX: Vista and 7 event logs
- REG: registry dates
- Etc.

12 System Field
- System name
- Host name
- IP address
- MAC address

13 User Field
- User associated with the event
- SID
- Users are often associated with registry entries

14 Description Field
- Brief description
- Sufficient information to evaluate significance
- Can include spaces and special characters, just no "|"s

15 Creating Timelines
- Usually from an acquired image
- Sources
  - Your system
  - http://www.cfreds.nist.gov/Hacking_Case.html
  - http://www.forensickb.com/2008/01/forensic-practical.html
    - Have to convert E01 format to dd; use FTK Imager
- Requires ActiveState Perl 5.+
- Sleuthkit

16 File Meta-Data: Dead Box
- Use mmls to find the partition
    C:\case>mmls -t dos -i raw WinSP2.001
- Use fls to extract file metadata (-o 63 is the partition's starting sector as reported by mmls)
    C:\case>fls -i raw -o 63 -f ntfs -r -p -m C:\ > bodyfile.txt
  -m C:\ uses C:\ as the mount point in the output
- Extract relevant information from the bodyfile with Carvey's Perl script
    C:\case>perl bodyfile.pl -f bodyfile.txt -s Server > events.txt
  -s Server adds the server's name to the output

17 File Meta-Data: Live System or Remotely Mounted
- Open FTK Imager
- Add the image as an evidence item
- Right click on the evidence item, "Export Directory Listing"
- .csv file in case folder

18 The Directory Listing

19 Clean up the .csv File
- Change the root directory to C:\
- Make it pretty
- Save it as a tab delimited .csv file

20 Into Bodyfile Format
- Have to use Carvey's ftkparse.pl script
    perl c:\bin\Carvey\ftkparse.pl live-dir.csv > live-bodyfile.txt

21 Into TLN Format
- Have to use Carvey's bodyfile.pl parser
    perl C:\bin\carvey\bodyfile.pl -f bodyfile.txt -s LapTop > live-events.txt
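The bodyfile-to-TLN step on slides 16 and 21, and the five-field TLN layout from slide 7, as an added Python example. This is not Carvey's bodyfile.pl; it reads the Sleuth Kit bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), writes one TLN line per distinct timestamp of each file with MACB flags in a description layout of this example's own choosing, and merges events from several sources into one sorted timeline. The sample bodyfile and registry lines are constructed.

```python
from collections import defaultdict

# Two bodyfile lines of the kind `fls -m C:\` writes (constructed sample data):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in Unix seconds (UTC)
SAMPLE_BODYFILE = """\
0|C:\\Windows\\System32\\drivers\\etc\\hosts|3412-128-1|r/rrwxrwxrwx|0|0|824|1262304000|1262304000|1262304000|1262304000
0|C:\\Users\\bob\\Desktop\\notes.txt|5521-128-3|r/rrwxrwxrwx|0|0|120|1262391200|1262390000|1262390000|1262304000
"""
# A registry LastWrite event already in TLN form (constructed, as regtime.pl would append it)
SAMPLE_REG_EVENTS = ["1262380000|REG|WinSP2|bob|M... HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU"]


def bodyfile_to_tln(text: str, system: str, user: str = "") -> list:
    """One TLN line per distinct timestamp of each file, flagged MACB (Modified, Accessed,
    Changed, Born) so the reader sees which of the four file times share that second."""
    events = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("|")
        if len(fields) != 11:  # a "|" in a file name also lands here; TLN cannot carry it
            raise ValueError(f"expected 11 bodyfile fields: {raw!r}")
        name = fields[1]
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        by_time = defaultdict(list)
        for letter, ts in (("M", mtime), ("A", atime), ("C", ctime), ("B", crtime)):
            by_time[ts].append(letter)
        for ts, letters in by_time.items():
            macb = "".join(l if l in letters else "." for l in "MACB")
            events.append(f"{ts}|FILE|{system}|{user}|{macb} {name}")
    return events


def parse_tln(line: str) -> dict:
    """Split a TLN line into its five fields, rejecting anything malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5 or not parts[0].isdigit():
        raise ValueError(f"not a TLN line: {line!r}")
    return dict(zip(("time", "source", "system", "user", "description"), parts))


def merge_timeline(*event_lists) -> list:
    """Merge TLN lines from several sources or systems into one chronological list."""
    merged = [line for lst in event_lists for line in lst]
    return sorted(merged, key=lambda line: int(parse_tln(line)["time"]))  # stable: ties keep source order


if __name__ == "__main__":
    for line in merge_timeline(bodyfile_to_tln(SAMPLE_BODYFILE, "WinSP2"), SAMPLE_REG_EVENTS):
        print(line)
```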

22 Registry Data
- Registry key LastWrite times
- Contains a time line of user/system activity
- Some very useful tools: regtime.pl, RegRipper

23 Add Registry Data to the Time Line
- System config information
- Devices that have been connected
- WAPs that a laptop had been connected to
- Files accessed (MRU lists)

24 Timeline Tools: RegTime
- Parses key LastWrite times for all allocated keys within the specified hive file
    regtime -r NTUSER.DAT -m HKCU/ -s Server -u User >> events.txt
    regtime -r System -m HKLM/System/ -s Server >> events.txt

25 RegRipper Timeline Tools
- Using RegRipper's rip CLI utility
- Get system name:
    C:\rip -r System -p compname
- Parse UserAssist data:
    C:\rip -r NTUSER.DAT -p userassist_tln -s Server -u User >> events.txt
- Note: a number of plugins output in TLN format

26 Event Logs into the TimeLine
- Windows XP
  - Event logs readily parsed
  - Get AppEvent.evt, SysEvent.evt, SecEvent.evt
  - Into the timeline:
    evtparse -d >> events.txt
- Vista and Win 7
  - Much more info; includes driver installations (USBs, etc.)
  - C:\Windows\system32\winevt\Logs

27 Log Parser
- Log Parser is a good tool to parse Windows Event Logs
- Example:
    Logparser -i:evt -o:csv "SELECT RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,Strings FROM System" > d:\case\system.txt
- You can replace "System" with "d:\case\system.evtx" or "d:\case\.evtx"
- Parse the output:
    Evtxparse d:\case\system.txt >> events.txt

