August 24, 2014

Timeline Creation - Part 2 (Super Timeline)

Timeline Creation - Part 2 (Super Timeline)

As promised in my previous blog post I would be moving on to create a Super Timeline and my reasons for carrying this out after the filesystem timeline is purely down to the time it takes to process.

The super timeline is a suitable name as it is a very powerful analysis tool.  The problem with it though is the sheer amount of information it can contain! It is very important when working with a super timeline to have a pivot point to allow you to narrow down the time frame you are interested in.  If you are lucky this can be when your IDS fired or if not then by speaking to the victim.  But generally in the world of DFIR we are the last to know and it is weeks after the incident!

For this blog I am going to use an image that I created whilst doing some research into RDP sessions on an XP box.  I created the image within a VM and used FTK imager to acquire it into a .001 (DD)

Rather than mount it within the SIFT workstation I actually used FTK imager to mount the image as a physical/logical drive using the File system/Read only mount method.  The Drive letter which gets assigned is already shared within the SIFT workstation.

The first thing I want to do is gather the timeline data and write it into a bodyfile which we will be able to process further in a later step.  To do so I used a tool called log2timeline-sift which allows the analyst to automate the creation of a timeline.  Its a tool I was introduced to on my SANS 508 course and one I have enjoyed using.

As a sidenote the author of the tool Kristinn Gudjonsson has carried out a lot of  work in this area and has produced an excellent set of tools for timelining based around the python programming language.  I plan a future blog on my learning curve with his Plaso tool.

Back to the current task at hand though I need to create the bodyfile.  To do this I ran the following command within the SIFT workstation:

Before we move onto the next step I want to create a whitelist for the refining process to remove some files which can cause a lot of noise and may not be necessary depending on what incident you are dealing with.

To do so within the workstation I ran the following command which opened up a text document:

You can with experience, add or remove any items you feel benefit your current task.

It is at this point I want to process and refine the bodyfile and remove any duplicate entries or artefacts I have asked to be removed in my whitelist.  To do this I use a tool called l2t_process and the following is my command line and result:




As in a previous blog I am going to view this in Microsoft Excel but I am going to use the template available from SANS as this will add colour to different actions on the system eg USB insertions, Program activation etc.

To do this we open Excel on our host machine and on the data ribbon select “From Text” and I then selected the share available within \siftworkstation to my newly created timeline.csv.

For the options I leave it as delimited on the next screen I deselect tab and select comma and select finish. The next screen we click ok.

As I mentioned in my last blog I also like to freeze the top pane and turn on filtering and hide Time Zone, Host and Version.

What we are left with is a super timeline for that machine which we can now analyse.  In the last command line you also have the option to add a date range which I would suggest you do on a normal job.  I only chose not to for this blog as I was using an image that only had less than half an hour of system activity on it, yet after filtering still has 111158 lines in it!



Happy timelining!