Building Timelines – Tools Usage
Sunday, September 25, 2011
Tools are defined as anything that can be used to accomplish a task or purpose. For a tool to be effective some thought has to go into how to use it. I have a few saws in my garage but before I try to cut anything with them I first come up with a plan on what I’m trying to accomplish. Timeline tools are no different and their usage shouldn’t solely consist of running commands. The post Building Timelines – Thought Process Behind It discusses an approach to develop a plan on the way timeline tools will be used. This post is the second part, where the tools used to build timelines are discussed.
There is not a single tool for building timelines since tools vary based on the DFIR practitioner’s needs and preferences. When I first started learning about timeline analysis I read as much as I could about the technique and downloaded various tools to test their capabilities to see what worked best for me. I’m discussing my current method and a few tools that I build timelines with. The method is different from what I was doing last month and will probably change down the road as tools are updated, new tools are released, and my needs/preferences vary.
I’m trying to show different ways timelines can be built in addition to building my own timeline for an infected Windows XP SP3 test system. The artifacts selected for my timeline are: event logs, Internet Explorer history, XP firewall logs, prefetch files, Windows restore points, select registry keys, entire registry hives, and the file system metadata. The user specific artifacts (IE history and registry keys from the NTUSER.DAT hive) only need to be parsed for the administrator user account. The extraction of the timestamps from those artifacts will be accomplished in the following activities:
- Artifact Timestamps
- File System Timestamps
- Registry Timestamps
Tools’ Output
Before a timeline can be created one must first choose what format to use for the tools’ output. Selecting the format up front ensures multiple tools’ outputs can go into the same timeline. Three common output types are: bodyfile, TLN, and comma-separated value (csv). The bodyfile format shows file activity and separates the output into different sections. The version in use will determine what the sections are but the Sleuthkit Wiki bodyfile page explains the differences and provides an example. The TLN format breaks the data up into five sections: time, source, host, user, and description. Harlan provided a great description about his format in the post Timeline Analysis...do we need a standard? and in Appendum for the post TimeLine Analysis, pt III. The csv format stores data so it is separated by rows and columns. This format works well for viewing the timeline data in spreadsheets. However, unlike the bodyfile and TLN formats csv is not a standard format. The csv schema from tools may differ resulting in the need for additional processing for the outputs to go into the same timeline. Kristinn’s post Timeline Analysis 201 – review the timeline explains the csv schema used in his Log2timeline tool.
I mostly review timelines with spreadsheet programs so I opted for Log2timeline’s csv format. I use Log2timeline to convert other tools’ outputs into proper csv schema. My timeline in this post uses the csv format and I demonstrate how to convert between different formats.
Artifact Timestamps
I couldn’t come up with a good name when I was thinking about how to explain the different activities I do when creating timelines. What I mean when I say artifact timestamps is everything except for the last write times from dumped registry hives and timestamps from the file system. The different tools to extract timestamps from artifacts include Harlan’s timeline tools and Log2timeline. Harlan accompanies his tools posted on the Win4n6 yahoo group with a great step by step guide about building timelines with his tools. I cover how to use Log2timeline and the following is a brief explanation about the tool’s syntax:
log2timeline.pl -z timezone -f plugin/plugin_file -r -w output-file-name log_file/log_dir
-z defines the timezone for the computer where the artifacts came from
-f specifies the plugin or plugin file to run against the file/directory
-w specifies the file to write the output to
-r makes log2timeline work in recursive mode so the folder specified and its subfolders are all examined for artifacts
Options to Extract Timestamps with Single Plugin or Default Plugin File
Log2timeline is plugin based and the tool can execute a single plugin against a single file/directory or execute a plugin file against multiple files in directories. I prefer to use custom plugins for my timelines but first I wanted to show the single plugin and default plugin file methods. The command below will execute the evt plugin to parse the Security windows event log and the output will be written to a file named fake-timeline.csv.
log2timeline.pl -z local -f evt -w fake-timeline.csv F:\WINDOWS\system32\config\SecEvent.Evt
The single plugin method requires multiple commands to extract timestamps from different artifacts in a system. Plugin files address the multiple command issue since the file contains a list of plugins to run. Log2timeline comes with a few default plugin files and the one that best fits my selected artifacts is the winxp plugin file. The command below runs the winxp plugin file against the entire mounted forensic image (the -f winxp plugin file, the -r switch, and the F:\ target are what differ from the previous command).
log2timeline.pl -z local -f winxp -w fake-timeline.csv -r F:\
The winxp plugin file makes things a lot easier since only one command has to be typed. However, the file parses a lot more data than I actually need. The plugins executed are: chrome, evt, exif, ff_bookmark, firefox3, iehistory, iis, mcafee, opera, oxml, pdf, prefetch, recycler, restore, setupapi, sol, win_link, xpfirewall, wmiprov, ntuser, software, and system. I only wanted to parse IE history but winxp is doing every browser supported by log2timeline. I only wanted to parse artifacts in the administrator’s user profile but the above command is parsing artifacts from every profile on the system. I wanted to limit my timeline to specific artifacts but winxp is giving me everything. Not exactly what I’m looking for.
Single plugins and default plugin files are viable methods for building timelines. However, neither lets me easily build a timeline containing only my selected artifacts, tailored to the case and system I’m processing. This is where custom plugin files come into play and why I use them instead.
Extracting Timestamps for my Timeline with Custom Plugin Files
Kristinn deserves all the credit for why I know about the ability to create custom plugin files. I’m just the guy who asked him the question and decided to blog the answer he gave me. A custom plugin file is a text file that lists one plugin per line and is saved with the .lst file extension. The picture is a custom file named test.lst and it contains plugins for prefetch files, event logs, and system restore points.
The custom file is placed in the same directory where the default plugin files are located. On a Windows system with Log2timeline 0.60 installed the directory is C:\Perl\lib\Log2t\input\.
I only want to parse artifacts in the administrator user profile instead of all user profiles stored on the system. At the time I wrote this post, Log2timeline doesn’t have the ability to exclude full paths (such as unwanted user profiles) when running in recursive mode. As a result I create two custom plugin files; one file parses the artifacts in a user profile while the other parses the remaining artifacts throughout the system. This lets me control what user profiles to extract timestamps from since I can run the user plugin file against the exact ones I need.
The user custom plugin file is named custom_user.lst and contains the iehistory and ntuser plugins. The other custom plugin file is named custom_system.lst and contains the evt, xpfirewall, prefetch, and restore plugins. The two commands below execute the custom_user.lst against the administrator’s user account profile and custom_system.lst against the entire drive while saving the output to the file timeline.csv.
log2timeline.pl -z local -f custom_user -w C:\win-xp\timeline.csv -r "F:\Documents and Settings\Administrator"
log2timeline.pl -z local -f custom_system -w C:\win-xp\timeline.csv -r F:\
The commands extracted the timestamps from all of the artifacts on my list except for the entire registry hives last write times and file system timestamps. The picture shows the timeline built so far. The timeline is sorted and the section shown is where the prefetch file I referenced in the post What’s a Timeline is located.
(Figure: Timeline Data Added by Custom Plugin File)
Filesystem Timestamps
The filesystem timestamps activity is concerned with adding the activity involving files and directories to the timeline. There are different tools that extract the information including FTK Imager, AnalyzeMFT, Log2timeline, and the Sleuthkit. I’m demonstrating two different methods to add the data to my timeline to show the differences between the two. The tools for the first method include the Sleuthkit and Log2timeline while the second method only uses Log2timeline.
The fls.exe program in the Sleuthkit will list the files and directories in an image. The command below creates a bodyfile containing the files/directories’ activity in the test forensic image and stores the output in the file named fls-bodyfile.txt (the -m switch makes the output format mactime with C: prepended to each path, -r is for recursive mode, and -o is the sector offset where the filesystem starts).
fls.exe -m C: -r -o 63 C:\images\image.dd >> C:\win-xp\fls-bodyfile.txt
Fls.exe’s output is in the bodyfile format but my timeline is in Log2timeline’s csv format. Log2timeline has plugins to parse output files in the TLN and bodyfile formats. This means the tool can be used to convert one format into another. The command below parses the fls-bodyfile.txt file and adds the data to my timeline.
log2timeline.pl -z local -f mactime -w C:\win-xp\timeline.csv C:\win-xp\fls-bodyfile.txt
The picture highlights the new entries to the section of my timeline. Doesn’t the story about what occurred become clearer?
(Figure: Timeline Data Added by fls.exe)
The file system in the Windows XP test system is NTFS. NTFS stores two sets of timestamps, which are the $FILE_NAME attribute and $STANDARD_INFORMATION timestamps. Fls.exe, along with the majority of the other forensic tools, shows the $STANDARD_INFORMATION timestamps. However, there may be times when it’s important to include both sets of timestamps in a timeline. One such occurrence is when there’s a concern that timestamps might have been altered. Parsing the Master File Table ($MFT) can add both sets of timestamps to a timeline. The command below shows Log2timeline parsing the $MFT and adding the output to the file timeline-copy.csv.
log2timeline.pl -z local -f mft -w timeline-copy.csv F:\$MFT
The picture below highlights the new entries for the data extracted from the $MFT. Notice the difference between the timeline only containing the $STANDARD_INFORMATION timestamps compared to containing both timestamps. Quick side note: the mft plugin could be added to a custom plugin file.
(Figure: Timeline Data Added by $MFT)
Registry Timestamps
In the artifact timestamps section Log2timeline extracted data from select registry keys. However, there are times when I want all registry keys’ last write times from registry hives. So far I want this ability when dealing with malware infections since it helps identify the persistence mechanism and registry modifications. The tools to extract the last write times from registry hives include Harlan’s regtime.pl script (I obtained it from the Sift 2.0 workstation) and Log2timeline. For my timeline I’m interested in the System, Software, and administrator’s NTUSER.DAT registry hives. The commands below have regtime.pl extracting the last write times from each hive and storing them in the bodyfile named reg-bodyfile.txt (the -m switch prepends the text to each line and the -r switch is the path to the registry hive).
regtime.pl -m HKLM/system -r F:\Windows\System32\config\system >> C:\win-xp\reg-bodyfile.txt
regtime.pl -m HKLM/software -r F:\Windows\System32\config\software >> C:\win-xp\reg-bodyfile.txt
regtime.pl -m HKCU/Administrator -r "F:\Documents and Settings\Administrator\NTUSER.DAT" >> C:\win-xp\reg-bodyfile.txt
Regtime.pl’s output is in the bodyfile format so Log2timeline makes the format conversion as shown in the command below.
log2timeline.pl -z local -f mactime -w C:\win-xp\timeline.csv C:\win-xp\reg-bodyfile.txt
The picture highlights the new data added to the timeline with the Sleuthkit. The timeline now highlights the malware’s persistence mechanisms (run and services registry keys).
(Figure: Timeline Data with Registry Keys' Last Write Times)
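The two conversions above (fls.exe output and regtime.pl output both going through the mactime plugin into the csv timeline) come down to the same job: split a bodyfile line, merge timestamps that are equal into one MACB entry, and emit a row in Log2timeline’s csv column order. The Python below is an added example of that conversion, not Log2timeline’s own code or output; the csv column names, the sourcetype/type strings, the UTC timezone and the sample bodyfile lines are my assumptions and constructed data.

```python
# Added example: turn bodyfile output (fls.exe, regtime.pl) into Log2timeline-style
# csv rows, merging equal timestamps into one MACB entry the way mactime does.
import csv
import io
from datetime import datetime, timezone

# Log2timeline 0.60 csv columns (assumed from the "Timeline Analysis 201" schema).
CSV_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type", "user",
              "host", "short", "desc", "version", "filename", "inode", "notes", "format", "extra"]
# Sleuthkit 3.x bodyfile columns: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime"]

# Constructed sample: an fls.exe style file entry and a regtime.pl style key entry
# (regtime puts the key's last write time into all four timestamp columns).
SAMPLE_BODYFILE = """\
0|C:/WINDOWS/Prefetch/EXAMPLE.EXE-1A2B3C4D.pf|1234-128-1|r/rrwxrwxrwx|0|0|4096|1316900000|1316900000|1316900000|1316899000
0|HKLM/software/Microsoft/Windows/CurrentVersion/Run|0|0|0|0|0|1316899100|1316899100|1316899100|1316899100
"""

def parse_bodyfile_line(line):
    """Split one bodyfile line into a dict; a malformed line raises ValueError."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(BODY_FIELDS), len(parts), line))
    return dict(zip(BODY_FIELDS, parts))

def macb_groups(entry):
    """Map each distinct epoch to its MACB flags (M=mtime A=atime C=ctime B=crtime).
    Equal timestamps share one entry, as in mactime; zero timestamps are dropped."""
    letters = {}
    for col, letter in (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B")):
        ts = int(entry[col])
        if ts > 0:
            letters.setdefault(ts, set()).add(letter)
    return {ts: "".join(c if c in s else "." for c in "MACB") for ts, s in letters.items()}

def bodyfile_to_rows(text, host="WIN-XP", user=""):
    """Convert bodyfile text into Log2timeline-style rows, oldest first (UTC assumed)."""
    timed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_bodyfile_line(line)
        # regtime.pl names start with the -m prefix (HKLM/..., HKCU/...); fls names are paths.
        is_reg = entry["name"].startswith(("HKLM/", "HKCU/", "HKU/"))
        for ts, macb in macb_groups(entry).items():
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            timed.append((ts, {
                "date": when.strftime("%m/%d/%Y"), "time": when.strftime("%H:%M:%S"),
                "timezone": when.tzname(), "MACB": macb,
                "source": "REG" if is_reg else "FILE",
                "sourcetype": "Registry last write" if is_reg else "Mactime bodyfile",
                "type": "Key last written" if is_reg else "Time of file activity",
                "user": user, "host": host, "short": entry["name"], "desc": entry["name"],
                "version": "2", "filename": entry["name"], "inode": entry["inode"],
                "notes": "-", "format": "Mactime", "extra": "size: " + entry["size"],
            }))
    timed.sort(key=lambda pair: pair[0])  # same result as Excel's oldest-to-newest sort
    return [row for _, row in timed]

def rows_to_csv(rows):
    """Render rows as csv text, header line first, ready to append to timeline.csv."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Running `rows_to_csv(bodyfile_to_rows(SAMPLE_BODYFILE))` gives three rows: the prefetch file’s creation (...B), the Run key’s last write (MACB), then the prefetch file’s MAC. entry, which is the same grouping mactime and the mactime plugin produce from one bodyfile line.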
Sorting the Timeline
When new data is added to a timeline it’s placed at the end of the file, which means the timeline needs to be sorted prior to viewing it. There are different sorting options, such as the mactime.exe program in the Sleuthkit for bodyfile format timelines. A quick method I use is my spreadsheet program’s sort feature. The settings below will make Excel sort from the oldest time to the most recent.
(Figure: Excel 2007 Sort Feature)
Summary
The approach described in my Building Timeline series is just one way out of many to create timelines. The DFIR community has provided a wealth of information on the topic. Look at the following examples which are only a drop in the bucket of knowledge. Harlan Carvey created and released tools for creating timelines in addition to regularly posting on his blog (a few posts are HowTo: Creating Mini-Timelines and A Bit More About Timelines...). Kristinn Gudjonsson is very similar in that he created and released log2timeline in addition to providing information on his websites (a few posts are Timeline Analysis 101 and Timeline Analysis 201 – review the timeline). Rob Lee has shared his approach in the way he builds timelines and two of his posts are SUPER Timeline Analysis and Creation and Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit. Chris Pogue has shared his method to create timelines on his blog and a few posts are Log2Timeline and Super Timelines and Time Stomping is for Suckers. The last author I’ll directly mention is Don Weber who released his scripts for creating timelines and blogged about creating timelines (one post is Hydraq Details Revealed Via Timeline Analysis). These are only a few tools, blog posts, and authors who have taken the time to share their thoughts on timeline analysis. To see more try the keyword “timeline” in the Digital Forensic Search to see what’s out there.
For anyone looking to become more proficient at timeline analysis, I recommend doing what I did. Read everything you can find on the topic, download and test the different tools people talk about, and try out different approaches to see how the resulting timelines differ. It won’t only teach you about timeline analysis but will help identify what method and tools work best for you.
Labels: malware analysis, timeline, timestomping
Corey, I keep finding myself wandering back to your site for great Timeline info!! Keep up the Great work..
Rob
Corey, what tool did you use here to mount the image so the $MFT was available to log2timeline. Nice article by the way. Thank you.
Anon,
I used FTK Imager and selected the filesystem option. This feature is hit or miss; more miss than hit actually. However, on my personal systems I run Deepfreeze and FTK Imager works almost every time. Right now I export out the $MFT and parse that separately. At work I mount it with EnCase.