Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Artifact Timeline Creation and Analysis - part 2


>In the last post I talked about the tool log2timeline, and mentioned a hypothetical case that we are working on. Let's explore in further detail how we can use the tool to assist us in our analysis.


>How do we go about collecting all the data that we need for the case? In this case we know that the we were called to investigate the case only hours after the alleged policy violation, so timeline can be a very valuable source. Therefore we decide to construct a timeline, using artifacts found in the system to start our investigation, so that we can examine the evidence with respect to time. By doing that we both get a better picture of the events that occured as well as to possibly lead us to other artifacts that we need to examine closer using other tools and techniques.


>To begin with you start by imaging the drive. You take an image of the C drive (first partition) and start working on the image on your analysis workstation. The first step is to create a traditional filesystem timeline you can refer to the already posted blog:


>http://sansforensics.wordpress.com/2009/02/24/digital-forensic-sifting-registry-and-filesystem-timeline-creation/


>Or for a quick reference, you can execute the following commands to get the filesystem timeline (assuming that the image name is suspect_drive.dd):


re>fls -m C: -r suspect_drive.dd > /tmp/bodyfile
After creating the traditional filesystem timeline we need to incorporate artifacts into it. To do that we need to mount the suspect drive, for instance by issuing this command:


re>mkdir /mnt/analyze
mount.ntfs-3g -o ro,nodev,noexec,show_sys_files,loop /analyze/suspect_drive.dd /mnt/analyze
Now the suspect drive is mounted as a read-only so we can inspect some of the artifacts found on the system.


re>cd /mnt/analyze/WINDOWS/Prefetch
log2timeline -f prefetch . >> /tmp/bodyfile
We start by navigating to the Prefetch directory, which stores information about recently started programs (created to speed up boot time of those processes) and run the tool against the Prefetch directory. The output is then stored in the same bodyfile as the traditional file system timeline. Then we navigate to the user that we are taking a closer look at to examine the UserAssist (stores information about recently run processes by that user) part of the user's registry.


re>cd /mnt/analyze/Documents and Settings/joe
log2timeline -f userassist NTUSER.DAT >> /tmp/bodyfile
Now we have incorporated information found inside a particular user in the bodyfile. Next we examine the recycle bin


re>cd /mnt/analyze/RECYCLER
log2timeline -f recycler INFO2 >> /tmp/bodyfile
We also want to examine restore information, that is information found inside the restore points (creation time of restore points):


re>cd /mnt/analyze/System Volume Information/_restore{A4195436-6BCB-468A-8B2F-BEE5EB150433}/
log2timeline -f restore . >> /tmp/bodyfile
Since we are suspecting that the user Joe opened few documents we also want to examine the recent document folder of the user, so we incorporate information found inside Windows shortcut files into our case:


re>cd /mnt/analyze/Documents and Settings/joe/Recent
ls -b *.lnk | while read d; do log2timeline -f win_link "$d"; done
We also find out by examining "Program Files" folder (or by examining registry) that the Firefox browser is installed on the workstation (which is not allowed according to corporate policies). So we add Firefox history into our timeline as well.


re>cd /mnt/analyze/Documents and Settings/joe/Application Data/Mozilla/Firefox/Profiles/dgml8g3t.default/
log2timeline -f firefox3 places.sqlite >> /tmp/bodyfile
Now we are ready to examine the timeline a little bit closer. To modify the bodyfile into a useful timeline we use the tool mactime from TSK (The SleuthKit):


re>mactime -b /tmp/bodyfile 2009-08-01..2009-08-05 > /tmp/timeline
And now we can start examining the timeline itself. If we look at August 04 (which is the date that the HR department gave up as a possible date) we see from the information gathered in UserAssist that the user Joe ran the browser Internet Explorer at 15:13:42, which is confirmed by update of the access time of IEXPLORE.EXE file one second later.


>


class="caption">User running Internet Explorer


joe running Internet Explorer


>At 15:13:53 a Prefetch file is created for Internet Explorer and as indicated inside the Prefetch file Internet Explorer was last run at 15:13:43 (and has been run 11 times on this machine). This can be seen on the timeline below:


>


class="caption">Internet Explorer being run


Internet Explorer being run


>The tool log2timeline does not support index.dat files (at the time of this writing, although it will very soon), so for timeline analysis we have to rely on traditional file system analysis. We can see that the cookie joe@mozilla[1].txt was created at 15:14:48, suggesting that the user Joe visited the size Mozilla.org.


>


class="caption">joe visiting Mozilla site


joe visiting Mozilla site


>We then see that the user joe created the file "joe@download.mozilla[1].txt" at 15:14:49, indicating that the user may have downloaded Mozilla browser (or Firefox).


>


class="caption">joe downloading Firefox


joe downloading Firefox


>This can then be confirmed by looking in the timeline from 15:16:10 where we see that Firefox is being set up on the machine. We can then say that the user Joe has most likely installed Firefox on the machine.


>


class="caption">Firefox being installed


Firefox being installed


>Out suspicion that the user Joe had installed Firefox is then further strengthen when we see that a Firefox user profile is created at 15:16:11 inside Joe's user directory.


>


class="caption">Firefox profile created for user Joe


Firefox profile created for user Joe


>And if we take a look at the Prefetch folder we see that Firefox was indeed set up on this machine, since we see that "FIREFOX SETUP 3.5.2[2].EXE" was run. Firefox setup was run at 15:16:08 according to information found inside the Prefetch file.


>


class="caption">Firefox setup being run


Firefox setup being run


>We can then see that the Firefox browser was being run at 15:16:56 (last time it was run) and that it has been run three times. This can be seen from the Prefetch part of the timeline.


>


class="caption">Firefox being run


Firefox being run


>Next in the timeline we can see Firefox 3 history, glanced from the places.sqlite file. We see that when the user Joe opened up Firefox the default start page was run (the default page is Google, and since the language of the suspect machine is Icelandic, we are using the Icelandic version of Google, google.is)


>


class="caption">Firefox start page


Firefox start page


>We then see that the user Joe ran a Google search at 15:17:43. The search terms were: "how to delete files", hmm this might be interesting.. We then see that the user navigated to the site: "www.cybertechhelp.com/tutorial/article/how-to-delete-files-and-folders". This site has the title "How to delete files and folders" and the user navigated to this site from the site www.google.is. This can all be seen in the timeline as shown below:


>


class="caption">Google search in Firefox


Google search in Firefox


>We then see that the user Joe continues to read up on "how-to delete files" sites:


>


class="caption">Reading web site in Firefox


Reading web site in Firefox


>And some more sites (how to delete files for good):


>


class="caption">Reading up on how to delete files


Reading up on how to delete files


>At 15:18:27 the user Joe starts reading up on wiping software.


>


class="caption">Reading about wiping software


Reading about wiping software


>And some more from the same site:


>


class="caption">Reading about wiping software


Reading about wiping software


>The user then goes to a page that seems to be related to downloading of the tool (the URL includes /download and the title of the page indicates a download site)


>


class="caption">Downloading wiping tool


Downloading wiping tool


>We then see that the user Joe has started some other activity on the machine. At 15:19:20 we see that the Windows shortcut (LNK) file "C:/Documents and Settings/joe/Recent/Very secret document.lnk". This is one of the documents that we were supposed to look for, one of the documents that the user Joe was not supposed to examine. The creation of this link indicates that the document had been opened by the user, so we examine the timeline furhter. We see from the information found inside the link file that the file points to: "C:/Documents and Settings/Administrator/My Documents/Very secret document.txt", which again strengthens our case, since this seems to be really the document in question. For further confirmation we see that the access time for this particular document was also updated at the same time as the other files were created.


>We can then see from the UserAssist part of the timeline that the user Joe opened up NOTEPAD.EXE at 15:19:23 (the last time it was opened), and that the user had used this program twice. At the same time, that is at 15:19:23 we also see that the document: "C:/Documents and Settings/joe/Recent/Not to be seen document.lnk" was created. This is the other document that the HR department suspected Joe to open. The information gathered from the LNK file indicates that this file points to the document "C:/Documents and Settings/Administrator/My Documents/Not to be seen document.txt", suggesting that the user Joe opened this document as well (most likely using Notepad). Then finally we see that the Prefetch file for NOTEPAD.EXE was created at 15:19:25, indicating that notepad had been run five times on the machine, last time at 15:19:23 (the same time that the documents were opened).


>We see in the Prefetch file that Notepad had been opened five times, yet the UserAssist part of Joe's registry indicates that he only opened it twice. This indicates that other users must have used Notepad as well (the other three times).


>At 15:19:26 we see that a new file has been created inside the recycle bin, file called Dc1.txt. To gain further information about this file we examine the recycle bin information inside the timeline. We then see that the file (according to INFO2) "C:/Documents and Settings/Administrator/My Documents/Not to be seen document.txt" had been deleted at 15:19:29 (three seconds after the file Dc1.txt was created). Since the file Dc1.txt is created inside the folder "C:/RECYCLER/S-1-5-21-...-1004" we can be fairly certain that the user with the RID 1004 (RID is the last part of the SID, a unique ID for each user in Windows) deleted this file. If we then examine the content of the SAM file (C:/WINDOWS/system32/config/SAM) with tools such as RegRipper we see that the user joe has the user id of 1004, suggesting that the user Joe deleted the file "Not to be seen document.txt". The picture below shows the timeline from this part:


>


class="caption">Showing opened and deleted files


Showing opened and deleted files


>After this activity with the secret documents we see that the user Joe continued to use Firefox, now clear indications that the user is in fact downloading a wiping software (instead of just visiting sites containing download section). The user visits the site: "http://.....wipe3.exe" and the visit type is DOWNLOAD, indicating that this is in fact a download that is taking place.


>We can then further confirm this suspicion by examining the timeline straight after the download took place. We then see that the file ..wipe3.exe was created inside the folder: "C:/Documents and Settings/joe/My Documents/Niurhal/bcwipe3.exe" (Niurhal is the Icelandic word for Download). This further suggests that it was in fact the user joe that downloaded the wiping software.


>


class="caption">Downloading wiping software


Downloading wiping software


>We can then see indications that the wiping software was indeed installed on the machine from the filesystem timeline.


>


class="caption">Installing wiping software


Installing wiping software


>We can then see from the Prefetch file that the software BCWIPE3.EXE was run on the machine, further suggesting that the file that the user Joe seems to have downloaded was in deed run on the machine. We can then see some temporary files created by the installation program that reside inside joe's user directory, further indicating that the user Joe really installed the software in question (there were other temporary files created inside joe's folder as well that belonged to the software bcwipe3.exe)


>


class="caption">Prefetch confirmation of installing wiping software


Prefetch confirmation of installing wiping software


>The final line in the timeline indicating that the user Joe installed the wiping software can be found inside the UserAssist part of the registry. We can se that the user Joe did run the lnk file: "BCWipe 3.0/BCWipe Task Manager.lnk", indicating that he ran a part of the software after installation (a task manager that comes with the software).


>


class="caption">User Joe installing Wiping software


User Joe installing Wiping software


>To sum up this little example we found out, by examining the timeline (using artifacts inside the timeline), all events take place on the 4th of August this year:
  • 15:13:43: Internet Explorer is started
  • 15:14:48: Internet Explorer is used by the user joe to visit the site "mozilla.org"
  • 15:14:49: Internet Explorer is used by the user joe to visit the site "download.mozilla.org"
  • 15:16:08: The browser Firefox is installed on the machine
  • 15:16:11: A Firefox user profile is created for the user joe
  • 15:16:56: Firefox browser is started
  • 15:17:00: User joe visits the start page of Firefox (using Firefox)
  • 15:17:43: User joe searches for "how to delete files", using Google search engine
  • User joe then reads few web pages which clearly indicate direction on how to delete files and folders
  • 15:16:11: User joe starts reading about tools that wipe files
  • 15:19:20: A shortcut file is created inside recent document history of user Joe, indicating that the file "Very secret document.txt" had been opened by the user
  • 15:19:23. The last time that the user Joe opened NOTEPAD.EXE
  • 15:19:23: A shortcut is created inside recent document history of user Joe, indicating that the file "Not to be seen document.txt" had been opened by the user joe
  • 15:19:26: The file Dc1.txt was created inside the recycle bin (inside a folder that belongs to the user joe). This file used to be named "Not to be seen document.txt" before it was moved to the recycle bin
  • 15:19:37: A wiping software is downloaded from the Internet, using Firefox (and by the user Joe)
  • 15:21:16: The wiping software is installed, leaving temporary files inside Joe's user directory, indicating that the user Joe is in fact the user that is installing the software
  • 15:21:44: The user Joe runs a software that belongs to the wiping software (UserAssist)
Although this case is very simple, and we managed to image the computer few minutes after the alleged breach of policy we can clearly see that correlating different information found inside log files and other OS artifacts can prove to very helpful in our investigations and at least point us to data that we need to examine using other techniques.

5 Comments

Posted August 14, 2009 at 7:08 PM | Permalink | Reply

Adam

This looks like it will help out a lot, thanks!

Posted August 19, 2009 at 10:05 AM | Permalink | Reply

reverse

mactime is only exporting the filesystem timeline from the bodyfile but not the prefetch, userassist modules, etc...

there are artifacts listed in the bodyfile but not my exported timeline

Posted August 19, 2009 at 10:15 AM | Permalink | Reply

kristinn

how did you go about and create the bodyfile? are you sure that the artifacts are stored inside the bodyfile? you could send me an e-mail with a better description and I will surely be of better assistance (kristinn ( a t ) log2timeline ( d o t ) n e t

Posted August 06, 2011 at 4:05 PM | Permalink | Reply

bwana

where did the pictures go?

Posted August 07, 2011 at 5:07 AM | Permalink | Reply

Dave Hull

Looks like the images were originally hosted offsite and are no longer. If Kristinn still has access to them, I'll see if I can get them and put them up again.

Post a Comment






* Indicates a required field.