Reviewing Timelines with Calc

Monday, November 22, 2010 Posted by Corey Harrell
At one point I could have been considered a blog stalker. By this I mean I would follow and read numerous blogs without ever providing feedback to the author. I wouldn't contact them offline and I wouldn't leave a comment on their blogs. The only indication of my presence would appear in the website's statistics as a unique visitor on a certain day. During my stalking days I didn't realize how valuable feedback is to an author about the information they are sharing. I also didn't realize how comments on a blog post could help start discussions or point to other areas for further research and testing.

I mention this because an anonymous reader asked a question on my post Reviewing Timelines with Excel. The reader wanted to know if Calc (the spreadsheet program in the OpenOffice suite) could be used to review timelines in the same way as Excel. I didn't know the answer to this question since I'm not that familiar with Calc. However, it was a great question and I wondered how Calc compares to Excel as a tool for reviewing timelines. The purpose of this post is to compare the functionality of Calc against Excel as it relates to reviewing timelines.

The first thing I needed to know before I spent the time testing Calc was the maximum number of rows supported by the program. The maximum number of rows for a spreadsheet program is important for reviewing timelines because all of the timeline data has to be included. I didn't want to waste my time testing Calc if it couldn't handle the potentially large datasets created by timelines. For example, the timeline I'm using in this post was from a Windows XP SP3 virtual machine that only had Adobe Reader and Java installed. This timeline still had over 100,000 rows. Excel started supporting over a million rows with the release of Excel 2007 (prior versions of Excel only supported about 65,000 rows). The latest version of Calc at the time of this post was version 3.2.1 and this version only supports about 65,000 rows. I attempted to load a timeline into Calc v3.2.1 and the data was truncated to 65,000 rows, resulting in half of my data being lost. However, OpenOffice version 3.3.0 is available for download and this version supports over a million rows (I tested OpenOffice v3.3 Release Candidate 4).

The comparison can be made between Calc and Excel since Calc can handle the large datasets involved with timelines. Calc will be compared to Excel using the different functionality I covered in the post Reviewing Timelines with Excel. The following are the four areas being compared:
     * Importing Data
     * Filters
     * Advanced Filters
     * Find

Side note: I will be using the timeline from the post How Did the System Become Infected Part 2. The keywords I will be using are aaclientt.exe and 75622830.exe since these were two rogue processes identified running on the system. The Excel pictures I'm using as a comparison are from the Reviewing Timelines with Excel post.

Significant Differences
I noticed two significant differences between Calc and Excel 2007 (besides Calc being free while Excel costs money). The first difference was Calc's ability to support regular expressions in the filter and find functionality. Regular expressions enable you to create more powerful filters or searches. Excel 2007 supports only two wildcard symbols in the variables used for a filter or a search: the question mark (?) represents any single character and the asterisk (*) represents any series of characters. It appears Excel can support regular expressions using macros but this isn't an option for me (I would prefer to learn Perl or EnScript instead of the Visual Basic needed to write a macro). The help file in Calc outlines all of the expressions supported, and the image below shows the first four regular expressions listed in the help file.

The second difference is Calc supports three types of filters while Excel 2007 only supports two filters (filters and advanced filters). The picture below shows the three types of Calc filters.

Importing Data
Timelines in csv files can be opened directly using a spreadsheet program. However, I have had issues with trying to add edits to timelines by directly opening the csv file in Excel. As a result, I started importing the csv file as a comma delimited file. I haven't fully tested Calc so I don't know if the same issue would be encountered, but I wanted to compare how Calc imports a csv file. The process in Calc to import a text file as a comma delimited file is very similar to performing the same function in Excel. There are only a few slight differences between the two programs, as I'll demonstrate.

To import a csv file select Insert > Sheet From File as shown below.

An Insert window will appear with a browse option which lets you locate and select the file to be imported. Calc will automatically detect the file as a text file and will display the Text Import window. The picture below highlights the options to import the timeline csv file as a comma delimited file. Once the options are selected then OK can be clicked in order to import the data.

For a comparison I included the image of Excel importing a csv timeline as a comma delimited file.

Autofilters
I think the autofilter is not useful for reviewing timelines. Autofilter only lets you select a variable from an automatically generated list and there isn't an option to type in your own variable. This is why I think the standard and advanced filters are better choices when working with timelines. I'm still briefly discussing the autofilter functionality so that the comparison between Calc and Excel is complete.

To activate the autofilter select Data > Filter > Autofilter. A dialog will appear stating there isn't a column header and asking whether the first line can be used as the header.

Drop down arrows will appear in the first row when the autofilter is activated as shown below.

To apply a filter, the drop down arrow has to be used in the column the filter is being applied to. To test the functionality I applied a filter to the File Name column. The picture below shows the automatically generated values that can be used in the filter.

Notice in the picture above that the entire data in the File Name column has to be used for the filter. I think this isn't feasible for reviewing timelines because it will only show the rows with that exact value. I usually want to apply filters using keywords since this will show me all of the rows containing the variable. For example, selecting the value HKCU-Administrator only shows the rows containing that exact value as shown below (notice the slight change in the drop down menu indicating a filter is applied).

To remove the filter select Data > Filter > Remove Filter.

The picture below shows the autofilter icon shaded, indicating the filter is turned on. To deactivate the autofilter select Data > Filter > Autofilter.

Standard Filter
Calc's standard filter is the equivalent of Excel's regular filter. However, Calc has the ability to filter on eight different variables, combining them with or/and operations, while Excel only supports filtering on two variables. As I stated previously, Calc also has the ability to support regular expressions in filters. I think the combination of regular expressions and eight different variables makes Calc a viable alternative to Excel's filter functionality, including Excel's advanced filters using fewer than eight variables. Accessing the standard filter option (select Data > Filter > Standard Filter) brings up the Standard Filter window as shown below.

A standard filter has three parts which are field name (column to filter on), condition, and value (variable). To demonstrate functionality of a standard filter I will apply a filter for aaclient to the file name column. To select the file name column use the drop down arrow in the Field Name box as shown below.

The condition I'm using is the contains option since it will show all of the rows containing the variable aaclient. The picture below shows the various conditions that could be used in filters.

Lastly, the variable aaclient has to be typed into the Value box. The filter I'm applying to the timeline only has one variable but the Operator drop down menu enables up to eight variables to be included in a filter. The picture below shows the two operations available.

At this point the filter is configured and can be applied by pressing the OK button. The picture below shows a portion of the timeline with this filter applied.

The filter I demonstrated was pretty basic so it didn't show all of the options available in standard filters. These options can be accessed by using the More Options button located in the bottom left of the Standard Filter window. The picture below shows the additional options (note: the regular expressions option needs to be selected in order to use regular expressions).

As I mentioned previously, Calc's standard filter is the equivalent of Excel's regular filter but Calc has additional options. The Calc Standard Filter window above can be compared to Excel's Custom Autofilter window below in order to see the differences between the two programs.
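To make the standard filter behaviour described above concrete, here is an added Python example (not code from the post or from OpenOffice) that evaluates up to eight (field, condition, value) entries chained with AND/OR, with the regular expressions option on or off. The rows, the column names and the left-to-right evaluation of mixed operators are assumptions made for the example; the keywords are the post's aaclientt.exe and 75622830.exe.

```python
import re

# Constructed sample rows (invented values) in the column layout the post's
# timeline uses; only the columns needed for the demonstration are filled in.
TIMELINE = [
    {"Date": "Tue Nov 16 2010 09:12:01", "Type": "...b",
     "File Name": "C:/Documents and Settings/Administrator/Local Settings/Temp/aaclientt.exe"},
    {"Date": "Tue Nov 16 2010 09:12:03", "Type": "m...",
     "File Name": "C:/WINDOWS/Prefetch/AACLIENTT.EXE-1A2B3C4D.pf"},
    {"Date": "Tue Nov 16 2010 09:12:05", "Type": "...b",
     "File Name": "C:/WINDOWS/system32/75622830.exe"},
    {"Date": "Tue Nov 16 2010 09:13:40", "Type": "mac.",
     "File Name": "[HKCU-Administrator] Software/Microsoft/Windows/CurrentVersion/Run"},
    {"Date": "Tue Nov 16 2010 09:15:00", "Type": "m...",
     "File Name": "C:/WINDOWS/system32/config/SecEvent.Evt"},
]

# Plain-text conditions from the post's screenshot, compared case-insensitively
# (the filter's case-sensitive option is not modelled here).
PLAIN_CONDITIONS = {
    "=": lambda cell, value: cell == value,
    "<>": lambda cell, value: cell != value,
    "contains": lambda cell, value: value in cell,
    "does not contain": lambda cell, value: value not in cell,
    "begins with": lambda cell, value: cell.startswith(value),
    "ends with": lambda cell, value: cell.endswith(value),
}


def cell_matches(cell, condition, value, use_regex=False):
    """Apply one standard-filter condition to one cell."""
    if not use_regex:
        return PLAIN_CONDITIONS[condition](cell.casefold(), value.casefold())
    # With the regular expressions option on, the value is a pattern: "=" must
    # cover the whole cell, "contains" may match anywhere in it.
    flags = re.IGNORECASE
    if condition == "=":
        return re.fullmatch(value, cell, flags) is not None
    if condition == "<>":
        return re.fullmatch(value, cell, flags) is None
    if condition == "contains":
        return re.search(value, cell, flags) is not None
    if condition == "does not contain":
        return re.search(value, cell, flags) is None
    if condition == "begins with":
        return re.match(value, cell, flags) is not None
    if condition == "ends with":
        return re.search(r"(?:%s)\Z" % value, cell, flags) is not None
    raise ValueError("unknown condition: %r" % condition)


def standard_filter(rows, criteria, use_regex=False):
    """criteria is a list of (operator, field, condition, value) tuples, at most
    eight as in Calc; the first operator is ignored, later ones are "AND" or "OR".
    Mixed operators are evaluated left to right (an assumption of this example)."""
    if not 1 <= len(criteria) <= 8:
        raise ValueError("a standard filter takes between one and eight conditions")
    kept = []
    for row in rows:
        result = None
        for operator, field, condition, value in criteria:
            hit = cell_matches(row[field], condition, value, use_regex)
            if result is None:
                result = hit
            elif operator == "AND":
                result = result and hit
            elif operator == "OR":
                result = result or hit
            else:
                raise ValueError("operator must be AND or OR, got %r" % operator)
        if result:
            kept.append(row)
    return kept


def demo():
    """The post's filter (File Name contains aaclient) and a regex version that
    catches both rogue processes but only their creation (Type ending in b)."""
    plain = standard_filter(TIMELINE, [(None, "File Name", "contains", "aaclient")])
    created_rogues = standard_filter(
        TIMELINE,
        [(None, "File Name", "contains", r"aaclientt\.exe|75622830\.exe"),
         ("AND", "Type", "=", r"...b")],
        use_regex=True,
    )
    return plain, created_rogues


if __name__ == "__main__":
    for label, rows in zip(("contains aaclient", "regex, created only"), demo()):
        print(label)
        for row in rows:
            print("  ", row["Date"], row["Type"], row["File Name"])
```

With regular expressions on, one condition covers both rogue process names and a second condition restricts the result to newly created entries, which is the practical payoff of the regex support the post singles out.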

Advanced Filter
Calc's advanced filter is the equivalent of Excel's advanced filter. With the exception of Calc supporting regular expressions, the advanced filter functionality in both programs is very similar. Just like Excel, a database has to be set up in a worksheet in order to use advanced filters. The top row with the column names can be copied and pasted into an area of the worksheet not containing timeline data. The picture below shows I set up the database two rows below the timeline data.

The advanced filters in Calc work the same way as Excel's. The variable(s) are placed under the column(s) to be filtered on and variables can be combined using the and/or operations. The and operation is when both variables are on the same row while the or operation is when the variables are on different rows.

Side note: To apply an advanced filter using the contains condition, the variable has to be enclosed in the symbols for any series of characters. In Excel the asterisk (*) symbol is used and the final variable looks like *this*. In Calc two symbols have to be combined to accomplish this. The first symbol is the period (.) since it represents any character, while the second symbol is the asterisk (*) since it finds zero or more repetitions of whatever precedes it. The final variable looks like .*this.*

Applying a filter is similar to Excel. Variable(s) are placed under the desired column then any cell containing timeline data is selected followed by selecting the advanced filter (Data > Filter > Advanced Filter). The picture below shows the Advanced Filter window containing a filter. This filter will only display rows containing a newly created file and the word aaclientt.

In the Advanced Filter window above, notice the filter criteria matches the filter in the database (A165360:H165361). The filter contains regular expressions so the regular expressions option must be selected using the More button. The picture below shows the option being selected.

The filter can be applied once the filter criteria is verified and all desired options are selected. The picture below shows the timeline data with the filter applied.

To continue demonstrating the similarity between Calc and Excel's advanced filters I'll show the timeline data with two filters applied. The picture below is the timeline data with a filter containing an and statement applied (I included the advanced filter window so the filter criteria can be seen).

The picture below is the timeline data with a filter containing an or statement applied (again the advanced filter window was included in the screenshot).


Find
Calc supports the ability to find the next instance of a variable or to find all instances of a variable. The find next option in Calc is very similar to Excel but the find all option in Calc doesn't provide you with a quick method for reviewing all of the rows with the variable(s) like Excel. I will first demonstrate the find next functionality then I will demonstrate the find all functionality. To access Calc’s find and replace functionality you can use CTRL + F, select Edit > Find & Replace, or click the find and replace icon (binoculars image) as shown below.

The picture below shows the options available in the Find and Replace window. Similar to the filters, the regular expression option must be selected if the variable contains regular expressions. The Find button is used to find the next instance of the variable while the Find All button will find all instances of the variable in the timeline.

The picture below shows how Calc finds the next instance of the variable aaclient.

The similarities between Calc and Excel can be seen by comparing the picture above with the below picture of Excel’s find next window.

Using the same variable, I selected the Find All button to demonstrate this functionality. The only visible difference with using find all is the background color of the box containing the variable changes.

You have to browse the timeline in order to find the other instances of the variable. I think this is a significant difference compared to Excel because the manual browsing makes it more challenging when working with a large dataset since a row could be overlooked. The picture below shows two other rows containing the variable aaclient.

Calc’s find all functionality is the one area I felt was lacking when compared to Excel. Excel provides a way to quickly locate all of the instances which makes examining the timeline faster and more efficient. The picture below shows how Excel provides this ability to quickly locate rows containing the variable being searched for.

Conclusion
Every tool has its advantages and disadvantages. In one instance a tool may better suit your needs while in a different situation another tool may be the better option. Calc is just another tool that can be used to review timelines and it will have a place in my toolbox.

I wanted to thank the anonymous reader for posting their comment. Not only did I find the comparison of Calc and Excel to be interesting but I also learned how to review timelines with the program.

Attack Vector Artifacts

Tuesday, November 9, 2010 Posted by Corey Harrell
An investigation into a compromised system may involve answering various questions such as how did this occur or what security controls failed. To answer either question I think you would have to identify the point of unauthorized access. For example, did the incident originate from a user opening a malicious email attachment, did a user visit a malicious website, or did someone just have physical access to the computer? I think you have to determine the attack vector used in order to identify the point of unauthorized access.

SearchSecurity defines an attack vector as "a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome". Using this definition, the attack vector can be broken down into three separate components. The path or means is the exploit used, the payload is the outcome of the exploit, and the delivery mechanism is what delivers the exploit and/or the payload to the target. I know the definition lumps the delivery mechanism and exploit together to make up the means but I think these need to be separated in order to understand the artifacts left on a system. For example, the exploit could be a malicious PDF but the delivery mechanisms such as an email or a website would leave different artifacts on a computer. Exploits, payloads, and delivery mechanisms may leave artifacts on a compromised system and these artifacts could be used to identify the attack vector used.

Exploit
SearchSecurity defines an exploit as "an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders". Exploits can target vulnerabilities in operating systems or applications. Exploits can also target a feature for malicious purposes, such as the Windows auto-run feature. There is information available about exploits but the one perspective I don't see often (or have been unable to find) is the digital forensics point of view. For example, over the past few weeks there have been articles or posts about Java vulnerabilities being targeted more than PDFs, an unpatched Internet Explorer vulnerability being added to the Eleonore exploit pack, and a zero-day Adobe Flash vulnerability. Despite all of the information about these vulnerabilities being exploited, I have not seen any information about the artifacts left on a system when they are exploited. If Java is being exploited then what are the artifacts left on a system which point to this attack vector? How does this attack vector compare to an attack targeting Adobe Flash? Knowing the exploit artifacts left on a system could be one piece of the puzzle in identifying the attack vector.

Payload
SearchSecurity defines a payload as "the bits that get delivered to the end user at the destination". The payload of an attack can range from unauthorized access to remote code execution to denial of service to escalation of privileges. I think this is an area where there is a wealth of information about the artifacts from common payloads. Take malware as an example. There is a significant amount of information about the artifacts left on a system by malware because of the malware reverse engineers, security bloggers, security companies, antivirus companies, and books.

Delivery Mechanism
The third part of the attack vector is the delivery mechanism which delivers the exploit and/or payload to the target. The delivery mechanisms could include email, removable media, network services (such as file sharing), physical access, or the Internet. Artifacts could be present on a system from the delivery method used to send the exploit or payload. Take the example of a PDF containing an exploit which downloads a piece of malware. The artifacts left by the malicious PDF and the malware would remain consistent between different attacks but the artifacts left by the delivery mechanism would vary. For example, the PDF being delivered by email would leave different artifacts than the PDF being delivered by a website. Similar to the exploits, this is also one area where there isn't a lot of information from the digital forensics point of view.

How Could these Artifacts Help?
Artifacts could be categorized under the three components of the attack vector. The three components could be further subcategorized until you get to the most basic level. To illustrate I will show a potential way for the delivery mechanism to be broken down to a basic level so the artifacts could be documented. The category at the top would be the three attack vector components.

The subcategories of the delivery mechanism would be the various ways for exploits and payloads to be delivered to a target system. A few examples are shown below.

These subcategories could be further broken down into more subcategories. For example, the email category could be separated into web email or email using a client application. The common email attack techniques such as clickable links or file attachments would be underneath the web mail and client application categories. This would be the basic level that could be examined to determine what artifacts are left on a system by these attack techniques. For example, what are the artifacts if a user opens an email attachment or clicks a link using a web email client or an email application? How would both of these techniques appear in a timeline?

To further illustrate how a category could be broken down to a basic level the picture below shows a potential way to subcategorize the Exploit category.

Subcategorizing until you get to the most basic level would allow you to document the attack vector artifacts. For me, having a resource that outlines these artifacts would be very helpful. I could use it as a guide in order to gain a basic understanding of the different types of attacks and the artifacts left by those attacks. The artifacts could be combined to illustrate how a certain attack may appear on a system. For example, the artifacts left by a Microsoft Word exploit could be combined with the artifacts of a user opening an email attachment to show what it might look like if a user opened a malicious Word document email attachment. Besides using this resource for learning purposes, I could also use it as a reference during an examination of a system. For example, if a timeline shows activity on a system then the resource could help validate what I'm seeing. I could have used this type of resource to better understand the Windows Help Center vulnerability during the examination of the system in my post Anatomy of a Drive-by Part II.

This has been an area I have been considering for a few months but I haven't had the time to pursue it. However, I think it would be a good learning exercise to try to document the artifacts of a few exploits and delivery mechanisms so I'm making it a point to find the time. Anyone have any thoughts or comments about trying to document the artifacts from the common attack vectors?

Reviewing Timelines with Excel

Wednesday, November 3, 2010 Posted by Corey Harrell
Generating timelines used to be a manual process for me until I started to use Harlan Carvey's timeline tools and Kristinn Gudjonsson's log2timeline. I finally saw the power of a timeline because these tools automate its generation. This enabled me to focus on how to apply the technique in different types of investigations. My next step was to determine how to review the timelines, and two methods that can be used are Grep and Microsoft Excel. The purpose of this post is to provide a tutorial on how to use Microsoft Excel 2007 to review timelines.

Grep and Excel both have the ability to examine timelines and to create custom timelines to display certain types of data. However, I prefer to use Excel over Grep because Excel allows me to keep track of my timeline examination. I can create a separate column for notes or I can highlight rows or text containing items of interest. I can even use a color scheme to highlight groups of rows that are related. For example, if a system is infected with two pieces of malware then I can use a certain color for each piece of malware to highlight the rows associated with it. The following are various activities for reviewing a timeline with Excel.

* Getting Started
* Importing Timeline Data into Excel
* Filters
* Advanced Filters
* Find

Custom timelines can be created using Excel filters while the Find function can be used to examine the timeline. In my limited experience with timelines, I find there isn't a set order for these activities since the investigation will dictate what needs to be done. Sometimes I start out examining the timeline with Find while at other times I first create custom timelines in order to narrow down where to start examining the timeline with Find. This post will show the functionality of Excel filters and demonstrate how Find can be used for examinations.

Getting Started
The timeline first has to be generated and stored in the csv file format. I'm not going to discuss the creation of timelines but the following sites have information on the topic: the Windows Incident Response blog, the Log2timeline website, and the SANS forensics blog. One of the decisions that has to be made when creating timelines is what data to include. The approach I take is to make a judgment call about the artifacts I might need based on the type of investigation and a few quick checks on the computer being examined. I include all of these artifacts in one timeline, then I create custom timelines by applying Excel filters.

For this post, I didn't have the time to set up a scenario and a test system so I am using the image of the computer I referenced as Infected 1 in the post Is the System Infected. The timeline was created using tools in the SIFT workstation including the Sleuth Kit, regtime.pl, and an updated version of timescanner.

Side note: Kristinn Gudjonsson was kind enough to provide assistance to a complete stranger. He pointed out I was using an older version of log2timeline and helped me upgrade to the latest version. Timescanner now has an input module which allows you to specify what artifacts to include in the timeline instead of including everything. This is awesome; not only is timescanner faster but specifying only the artifacts you need speeds up the generation of timelines.

Back to the post, to review the timeline you should have a lead. This lead can come from numerous places such as a person’s statement, a website of interest, antivirus log, intrusion detection system alert, examination of a computer's auto-start locations or the examination of a computer's volatile data. The lead I'm using for this post came from the examination of volatile data. The examination located a few suspicious items which were the asr64_ldm.exe process, _VOIDd.sys driver, and DLLs with names starting with _void.

Importing Timeline Data into Excel
The timeline in the csv file can be directly opened by using Excel. However, I have had issues with trying to add edits to the timeline using this method. To avoid these issues I now import the csv file as a comma delimited file. (Note: selecting comma delimited results in rows containing commas being separated into different columns but I found the information I need to filter on still appears under the filename column. An example of a row containing commas is the parsed Windows event logs.)

The following steps outline how to import the csv file into Excel.

The Excel program needs to be opened first. The area to import external data is located on the Data Ribbon. The option to get data from a text file is required for a csv file.

The picture below shows the default option is Fixed Width. The issue with Fixed Width is that the data is not separated into different columns, as highlighted in the red box below.

The option for Delimited needs to be selected instead of using the default Fixed Width.

After you select the Delimited option the next page allows you to set delimiters in the data. I found using the comma delimiter separates the timeline data into the correct columns as shown below.

At this point the Finish button can be selected to import the csv file. Excel will prompt about where to import the data and the default selection of the existing blank worksheet is fine. The process may take a few seconds to a couple of minutes.
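As an added example that is not part of the post, the following Python loader shows what the comma-delimited import does to a mactime-style timeline: it keeps the commas inside the File Name column (the event-log rows the note above mentions), reports how many columns a plain comma split produces, and carries out the row-count check from the Calc post. It assumes the mactime column layout (Date, Size, Type, Mode, UID, GID, Meta, File Name); the sample lines are constructed, and the row limits are the known limits of the spreadsheet versions named rather than figures taken from the posts.

```python
# Constructed sample in mactime's comma-separated layout (assumption: the post's
# timeline uses mactime's Date,Size,Type,Mode,UID,GID,Meta,File Name columns;
# every value below is invented). The event-log row has commas inside File Name.
SAMPLE_CSV = """\
Date,Size,Type,Mode,UID,GID,Meta,File Name
Fri Mar 12 2010 11:29:06,49152,...b,r/rrwxrwxrwx,0,0,12345-128-3,C:/WINDOWS/system32/asr64_ldm.exe
Fri Mar 12 2010 11:29:07,0,m...,r/rrwxrwxrwx,0,0,12346-128-1,C:/WINDOWS/Prefetch/ASR64_LDM.EXE-0A1B2C3D.pf
Fri Mar 12 2010 11:30:15,0,mac.,-/-,0,0,0,[Event Log] SecEvent.Evt; 592; Security; A new process has been created,Process Name: asr64_ldm.exe,User: Administrator
Fri Mar 12 2010 11:31:00,8192,...b,r/rrwxrwxrwx,0,0,12350-128-2,C:/WINDOWS/system32/drivers/_VOIDd.sys
"""

MACTIME_COLUMNS = ["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"]

# Maximum rows per sheet for the versions the posts mention (known product
# limits, not figures taken from the posts).
ROW_LIMITS = {
    "Excel 2003 / OpenOffice Calc 3.2": 65_536,
    "Excel 2007 / OpenOffice Calc 3.3": 1_048_576,
}


def parse_mactime(text):
    """Split each line on the first seven commas only, so commas inside the final
    File Name field (the event-log rows the post mentions) stay in that field."""
    lines = [line for line in text.splitlines() if line.strip()]
    if lines[0].split(",") != MACTIME_COLUMNS:
        raise ValueError("unexpected header: %r" % lines[0])
    rows = []
    for line in lines[1:]:
        fields = line.split(",", len(MACTIME_COLUMNS) - 1)
        if len(fields) != len(MACTIME_COLUMNS):
            raise ValueError("short row: %r" % line)
        rows.append(dict(zip(MACTIME_COLUMNS, fields)))
    return rows


def naive_column_count(text):
    """Widest row when every comma is treated as a delimiter, which is what the
    comma-delimited import does; this is why File Name sits in column H but the
    sheet (and Excel's List Range) extends further to the right."""
    return max(len(line.split(",")) for line in text.splitlines() if line.strip())


def column_letter(index):
    """1-based column index to spreadsheet letters (8 -> H, 27 -> AA)."""
    letters = ""
    while index:
        index, remainder = divmod(index - 1, 26)
        letters = chr(ord("A") + remainder) + letters
    return letters


def fits(data_rows, version):
    """Will data_rows timeline rows plus the header row load without truncation?"""
    return data_rows + 1 <= ROW_LIMITS[version]


if __name__ == "__main__":
    rows = parse_mactime(SAMPLE_CSV)
    print(len(rows), "rows; File Name of the event-log row:", rows[2]["File Name"])
    print("plain comma split needs columns A..", column_letter(naive_column_count(SAMPLE_CSV)))
    for version in ROW_LIMITS:
        print(version, "fits a 100,000-row timeline:", fits(100_000, version))
```

Running the count against a real timeline before importing it is the quick way to find out whether the data will be truncated, which is what happened with Calc 3.2.1 in the earlier post.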

Filters
I mostly use filters to create custom timelines or to see relationships between data with the noise suppressed. Excel has two filter functions which are filters and advanced filters. Both filters can be accessed on the Data Ribbon.

Clicking the Filter icon activates Excel filters and the top row of the spreadsheet now has drop down menus for each column.

The drop down menu lets you apply a filter to the data in that column. A text filter can be applied to the column in order to create a custom timeline of your choice. For example, "event log" or "internet history" can be filtered under the File Name column to create a timeline of just the event logs or Internet usage while "March 11 2010" can be filtered under the Date column to create a timeline for March 11, 2010. The picture below shows the options for a text filter.

As you can see there are different types of text filters. To demonstrate this functionality I selected the Contains option underneath the File Name column. This brings up the Custom Autofilter window which allows you to specify only two variables for your filters. The limitation of two variables is why advanced filters are required. Two wildcards are available for filters which are the ? for a single character or the * for a series of characters. The picture below shows I am only using the word prefetch to only show rows containing this word.

The row numbers turn blue, indicating a filter is applied. Also, the column's drop down arrow changes to the filter icon. Both of these changes can be seen in the picture below.

If desired, a filter can be applied to the other columns that still have the drop down arrow. For example, I can apply a filter for ???b to the type column to further filter the data so only items that have been created are shown. The picture below shows there are two filters applied.

To remove the filters just click the Clear icon which is next to the Filter icon on the Data Ribbon. Click the Filter icon again in order to turn off the filter functionality.

Advanced Filters
I started looking into advanced filters when I wanted to create a custom timeline to show someone's Internet activity involving downloading numerous files. Basically, I wanted to use a combination of variables involving file names, folders, folder paths, parsed artifacts, and dates to create the timeline (I wanted to filter using about 20 different variables in the Date and File Name columns). I couldn't use the Excel filters since only two variables can be used so I started to look into advanced filters when I came across Excel Advanced Filter Introduction.

To use advanced filters you first have to set up a database within the worksheet. You can use the headings of just the columns you want to filter on, but I find it easier to copy the entire top row right away so I don't have to change it later.

The database has to be set up outside of the data in the worksheet, and I usually place it below the timeline data. The picture below shows the database separated from the timeline data.

I use advanced filters in order to string together different functions (or/and) with different variables. The and statement is when the variables are on the same row. The picture below is the filter showing the row must have ???b under the Type column and prefetch under the File Name column. The asterisk is required around the word prefetch in order to filter on rows which contain the word prefetch.

The or statement occurs when the variables are on different rows. The picture below shows the filter to only show the rows with asr64_ldm or _void under the File Name column.

Another example of the or statement is below. This statement only wants to show the rows which have Mar 12 2010 under the Date column or Event Log under the File Name column.

Once the database is set up with the filter you want to apply, the next step is to apply the advanced filter. This will be demonstrated using the search for asr64_ldm or _void under the File Name column. First select a cell containing timeline data (this can be any cell containing timeline data) then select the Advanced icon on the Data Ribbon.

The Advanced Filter window will appear with the default option to filter the list in place. You have the ability to copy the filtered data to another worksheet but this tutorial will be filtering the list in place. Excel should automatically detect the List Range but this can be verified by scrolling down to the last line of the timeline data. The List Range value should contain all of the rows and columns with timeline data (note the filename will be column H but Excel will have a higher column due to selecting comma delimited when importing data). The picture below shows the last row containing timeline data matching the last row in the List Range.

If all of the timeline data is reflected in the List Range then the Criteria Range needs to be verified. Excel may automatically detect this but the Criteria Range Excel detected for me was the previous filter I used. To configure the filter change the Criteria Range to match your filter. For example, the current selection is $A$157121:$A$1571 which is saying the filter is column A row 157121. This filter needs to be changed to show column H rows 157121 to 157123.

The Criteria Range value can be deleted then with your mouse you can first select cell H:157121 then hold down the shift key and select cell H:157123. This is shown below (note: the same way would be used to select a filter spanning multiple columns except the first cell would be under the first column).

The OK button can be selected once the Criteria Range value is configured. The picture below shows a portion of the filter being applied to the data. As you can see, the filter shows the persistence mechanism for _voidd.sys is a service and asr64_ldm.exe was created on 03/12/10 at 11:29:06.
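The criteria-range semantics described above (cells on the same row are ANDed, separate rows are ORed, a text criterion matches from the start of the cell, and `*` / `?` are wildcards) can be reproduced outside Excel. The script below is an added example written for this post, not the author's own tooling; it reads a constructed mactime-style CSV (sizes, inode numbers and the Prefetch hash are placeholders, the file names are the ones discussed here) and applies the three filters from the pictures as criteria ranges.

```python
"""Excel-style advanced filtering of a mactime CSV timeline.

Criteria mirror the worksheet layout in the post: each criteria row is a dict
of column -> pattern whose cells are ANDed; the list of criteria rows is ORed.
"""
import csv
import io
import re

# Constructed sample in the mactime -d column layout
# (Date,Size,Type,Mode,UID,GID,Meta,File Name).  Sizes, Meta numbers and the
# Prefetch hash suffix are placeholders, not values from the post's timeline.
SAMPLE_CSV = """\
Date,Size,Type,Mode,UID,GID,Meta,File Name
Thu Mar 11 2010 16:02:10,145408,.a..,r/rrwxrwxrwx,0,0,901,C:/Program Files/Java/jre6/bin/java.exe
Fri Mar 12 2010 11:28:55,12288,.a..,r/rrwxrwxrwx,0,0,1201,C:/Documents and Settings/Administrator/Local Settings/Temp/update.exe
Fri Mar 12 2010 11:29:06,98304,...b,r/rrwxrwxrwx,0,0,1305,C:/WINDOWS/system32/asr64_ldm.exe
Fri Mar 12 2010 11:29:28,40960,...b,r/rrwxrwxrwx,0,0,1310,C:/WINDOWS/system32/drivers/_voidd.sys
Fri Mar 12 2010 11:29:30,16384,.a.b,r/rrwxrwxrwx,0,0,1311,C:/WINDOWS/Prefetch/ASR64_LDM.EXE-00000000.pf
Sat Mar 13 2010 09:00:00,65536,m...,r/rrwxrwxrwx,0,0,1400,C:/WINDOWS/system32/config/SysEvent.Evt
"""


def load_timeline(text):
    """Read the CSV into a list of {column: value} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def criterion_to_regex(pattern):
    """Translate an Excel text criterion into a compiled regex.

    Excel matches text criteria from the start of the cell, case-insensitively;
    '*' stands for any run of characters and '?' for exactly one character.
    That is why the post wraps prefetch in asterisks: a bare 'prefetch' would
    only match cells that begin with that word.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped, re.IGNORECASE)


def row_matches(row, criteria_row):
    """Every cell in one criteria row must match (AND across columns)."""
    return all(criterion_to_regex(pat).search(row.get(col) or "")
               for col, pat in criteria_row.items())


def advanced_filter(timeline, criteria):
    """Keep timeline rows matching at least one criteria row (OR across rows)."""
    return [row for row in timeline if any(row_matches(row, c) for c in criteria)]


def file_names(rows):
    """Convenience: just the File Name column of the filtered rows."""
    return [r["File Name"] for r in rows]


# The three filters from the post expressed as criteria ranges.
# Type '???b' = a four-character MACB string ending in b (file created).
CREATED_PREFETCH = [{"Type": "???b", "File Name": "*prefetch*"}]
MALWARE_NAMES = [{"File Name": "*asr64_ldm*"}, {"File Name": "*_void*"}]
DATE_OR_EVENTLOG = [{"Date": "*Mar 12 2010*"}, {"File Name": "*Event*"}]

if __name__ == "__main__":
    tl = load_timeline(SAMPLE_CSV)
    for label, crit in [("created prefetch files", CREATED_PREFETCH),
                        ("asr64_ldm OR _void", MALWARE_NAMES),
                        ("Mar 12 2010 OR Event Log", DATE_OR_EVENTLOG)]:
        print(label)
        for name in file_names(advanced_filter(tl, crit)):
            print("   ", name)
```

Note that the Date criterion carries a leading asterisk because the mactime date cell begins with the weekday; in a timeline whose Date column starts with the month, the bare "Mar 12 2010" shown in the post's picture matches directly under the same begins-with rule.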

Find
I use Excel filters to create custom timelines or to see relationships between data, while I use the Find function to examine the timeline, since filters hide some of the activity around an item of interest. To open the Find and Replace window you can use the key combination of CTRL and F or select the Find icon on the Home Ribbon. The picture below shows the Home Ribbon.

The Find and Replace window has the ability to find the next occurrence of a keyword or to find all occurrences of a keyword. This is accomplished by either selecting the Find Next or Find All option.

The Find Next option will be shown first by searching for the keyword asr64_ldm.exe. This search is only being performed to show how it works since the examination will use the Find All option. The picture below shows the search selects the first row containing asr64_ldm.exe.

I mostly use the Find Next option to determine if a keyword is present in the worksheet. For example, an antivirus scan might have been used to clean a system, so I may search on the name of the malware to determine if the name is present anywhere else on the computer. I think the Find All option is the better method to examine the timeline since it not only enables you to quickly move around in the timeline but also makes it easier to review the activity around a keyword. The examination will start by first reviewing the initial programs of interest, which are asr64_ldm.exe, _voidd.sys, and the DLLs whose names start with _void, to determine which appeared first on the computer. The picture below shows the Find All option being used to locate all occurrences of asr64_ldm.exe. As was mentioned previously, asr64_ldm.exe was created on 03/12/10 at 11:29:06.

The Find All option was used to search for the rogue driver _voidd.sys and this is shown below.

The Find All option was used to search for the rogue DLLs on the computer and this is shown below. The Find and Replace window shows the DLLs appear on the system after the _voidd.sys driver.

The _voidd.sys driver appeared on the system at 11:29:28 and this was 22 seconds after asr64_ldm.exe. This means the initial focus should be on the activity prior to asr64_ldm.exe appearing on the system. The Find All option was used to find the first occurrence of asr64_ldm.exe.

The activity before the first occurrence of asr64_ldm.exe shows that the administrator user account accessed a file called update.exe as can be seen in the picture below.

The Find All option was used to search for all references to the update.exe file on the computer. One of the interesting hits shows update.exe is associated with a website visited by the Administrator user account.
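The Find All walkthrough above is really three steps: list every hit for a keyword, take the earliest hit for each artifact to establish the order of appearance, then pivot to the rows immediately before the earliest artifact. The script below is an added example, not part of the post; it runs those steps over constructed rows (timestamp, MACB type, file name) that stand in for the timeline in the pictures. The Temporary Internet Files subfolder name and the _void DLL name are placeholders.

```python
"""Find-All style keyword pivoting over a timeline: locate every hit, rank
artifacts by first appearance, and pull the rows just before the earliest one.
"""
from datetime import datetime

TS_FORMAT = "%a %b %d %Y %H:%M:%S"  # mactime date layout

# Constructed rows (timestamp, MACB type, file name), not the post's data.
# "EXAMPLE1" and "_voidxyz.dll" are placeholder names.
SAMPLE_ROWS = [
    ("Fri Mar 12 2010 11:28:40", ".a..", "C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/index.dat"),
    ("Fri Mar 12 2010 11:28:52", "...b", "C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/EXAMPLE1/update[1].exe"),
    ("Fri Mar 12 2010 11:28:55", ".a..", "C:/Documents and Settings/Administrator/Local Settings/Temp/update.exe"),
    ("Fri Mar 12 2010 11:29:06", "...b", "C:/WINDOWS/system32/asr64_ldm.exe"),
    ("Fri Mar 12 2010 11:29:28", "...b", "C:/WINDOWS/system32/drivers/_voidd.sys"),
    ("Fri Mar 12 2010 11:29:31", "...b", "C:/WINDOWS/system32/_voidxyz.dll"),
    ("Fri Mar 12 2010 11:40:00", ".a..", "C:/WINDOWS/system32/asr64_ldm.exe"),
]


def parse_ts(text):
    """Turn a mactime date cell into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def find_all(rows, keyword):
    """Row indices whose file name contains keyword, case-insensitively.

    Mirrors Excel's Find All, which matches cells that contain the text.
    """
    kw = keyword.lower()
    return [i for i, (_, _, name) in enumerate(rows) if kw in name.lower()]


def first_occurrence(rows, keyword):
    """Index of the earliest hit by timestamp (not by row position, so an
    unsorted timeline still gives the right answer); None if no hit."""
    hits = find_all(rows, keyword)
    if not hits:
        return None
    return min(hits, key=lambda i: parse_ts(rows[i][0]))


def order_of_appearance(rows, keywords):
    """(keyword, first timestamp, seconds after the earliest keyword), sorted
    by first appearance.  Keywords with no hit are dropped."""
    firsts = []
    for kw in keywords:
        i = first_occurrence(rows, kw)
        if i is not None:
            firsts.append((kw, parse_ts(rows[i][0])))
    firsts.sort(key=lambda item: item[1])
    if not firsts:
        return []
    t0 = firsts[0][1]
    return [(kw, t.strftime(TS_FORMAT), int((t - t0).total_seconds()))
            for kw, t in firsts]


def activity_before(rows, keyword, n=3):
    """The n rows immediately preceding the first hit for keyword: this is
    where the Find-based review pivots next."""
    i = first_occurrence(rows, keyword)
    if i is None:
        return []
    return rows[max(0, i - n):i]


if __name__ == "__main__":
    for kw, ts, delta in order_of_appearance(SAMPLE_ROWS, ["_void", "asr64_ldm.exe"]):
        print(f"{kw:16} first seen {ts} (+{delta}s)")
    print("activity just before the earliest artifact:")
    for ts, macb, name in activity_before(SAMPLE_ROWS, "asr64_ldm.exe", 2):
        print(f"  {ts} {macb} {name}")
```

Searching the whole row rather than only the file name is the closer match to Excel's Find, which looks at every cell; the file name is used here because that is the column the post's keywords live in.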

Advanced Filters during Examination
As I mentioned previously, I use advanced filters in order to see relationships between the data. The brief examination using the Find function identified a suspicious program being launched a few seconds before the first malware appeared on the system and this suspicious program is associated with the Internet. An advanced filter can be used to see the relationships between the data.

The picture below shows the filter being applied to see this relationship by using a combination of AND statements linked together by OR statements. For example, Internet Explorer history or Temporary Internet Files folder activity for March 12, 2010 will appear in the timeline. The Criteria Range value for the filter in the picture below is Sheet1!$A$157121:$H$157132. (Note: I also included AND statements in the filter to see the Prefetch folder activity and all files created on 03/12/10 at 11:28 or 11:29.)

The applied filter shows there wasn't much Internet activity before update.exe was accessed, since only two websites were accessed. The website that stands out is highlighted in red.

The picture below shows a portion of the timeline with activity involving this website.

The examination isn't even close to being complete, but I hope I was able to demonstrate how Excel can be used to review timelines. Excel provides you with the ability to create custom timelines, view relationships between data, and examine timelines.

I hope this tutorial has been helpful.