SANS Digital Forensics and Incident Response Blog

Building a complete timeline for intrusion cases

Anyone who has worked intrusion cases can tell you that they are a wholly different animal than classic pornography or computer abuse/misuse cases, yet our tools have grown out of a distinct need for the latter. Particularly fractured are the tools that enable the analyst to build timelines. Sure, we can sort event logs, or use mactime to get a readable dump of our filesystem metadata, but assembling a complete picture remains a struggle. Some products, such as EnCase, offer a bit more along these lines, but the barrier to entry for assembling disparate logs into a comprehensive timeline is high, both in terms of financial funding and product-specific knowledge (viz. EnScripts).

To address this need, I built Ex-Tip. Roughly named after "Extensible Timelines in Perl," Ex-Tip is really nothing more than a framework of input and output modules that normalize log data and sort it by time. While it is currently only a proof of concept (version 0.1), my hope is that through continuous improvement it can be made into a robust tool for assembling comprehensive timelines in a variety of formats. The modules currently available take input from the TSK tools we are all so familiar with, as well as from McAfee anti-virus logs and registry hive files, and print the result in a mactime-like format. Note that the framework accommodates output modules as well, so data can be massaged into open file formats for timelining tools.

Moving beyond the host, my hope is to expand the tool to include modules for network-based logs. Automated timeline compilation is, in my opinion, moving in this direction, and tools to support our analytical evolution are lacking at present. Just imagine being able to generate a timeline that places filesystem activity on simultaneously compromised hosts right next to the IDS alerts and firewall logs that articulate the communications between them! There are a few complications beyond the creation of the associated input modules, so this will be a new version I hope to put together soon. Some upcoming changes in the TSK/mactime formats should also help toward host awareness in timeline data, and I hope to align with them in the new version.
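To make the input-module / normalize / sort / output-module design concrete, here is a small added example in the same spirit. It is not Ex-Tip's own code (Ex-Tip is written in Perl; this is a Python sketch of the same idea), and the body file, anti-virus log and firewall log it parses are constructed sample data, with the anti-virus and firewall line formats invented for the illustration. Each input module turns one source into a common record, the core sorts by timestamp, and the output module renders mactime-style lines so host and network events sit side by side. The firewall module also shows one normalization wrinkle an input module has to own: syslog timestamps carry no year, so the caller supplies it.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple


class Event(NamedTuple):
    ts: int        # seconds since the epoch, UTC
    source: str    # input module that produced the record
    macb: str      # mactime flags; "." where a flag does not apply
    detail: str    # free-text description rendered by the output module


def _utc(dt):
    """Treat a naive datetime as UTC and return integer epoch seconds."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


# --- input modules: each turns one log format into Event records -----------

def parse_bodyfile(text):
    """TSK 3.x body file: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Like mactime, equal timestamps on one file collapse into a single record
    carrying the combined m/a/c/b flags."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            continue                       # malformed record: skip, don't crash
        name, inode, mode, uid, gid, size = f[1:7]
        by_ts = {}
        for flag, raw in zip("amcb", f[7:11]):
            ts = int(raw)
            if ts > 0:                     # 0 means "no timestamp" in a body file
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(x if x in flags else "." for x in "macb")
            events.append(Event(ts, "fs", macb,
                                f"{size:>6} {mode} {uid:>4} {gid:>4} {inode:>6} {name}"))
    return events


# Constructed anti-virus log format: '<date> UTC <action> <path> <signature> <result>'
AV_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\s+(\w+)\s+(\S+)\s+(\S+)\s+(\w+)$")

def parse_av_log(text):
    events = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if not m:
            continue
        stamp, action, path, sig, result = m.groups()
        ts = _utc(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
        events.append(Event(ts, "av", "....", f"{action} {sig} {result} {path}"))
    return events


# Constructed syslog-style firewall log; syslog timestamps have no year.
FW_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) .*?\b(ACCEPT|DROP)\b (.*)$")

def parse_syslog_fw(text, year):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        mon, day, hms, host, verdict, rest = m.groups()
        ts = _utc(datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y"))
        events.append(Event(ts, "fw", "....", f"{host} {verdict} {rest}"))
    return events


# --- output module ---------------------------------------------------------

def render_mactime(events):
    """One line per event in mactime's 'Day Mon DD YYYY HH:MM:SS' style,
    tagged with its source so host and network records can be told apart."""
    out = []
    for e in sorted(events, key=lambda e: (e.ts, e.source)):
        stamp = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        out.append(f"{stamp} [{e.source}] {e.macb} {e.detail}")
    return out


# --- constructed sample input (not real case data) -------------------------
BODYFILE = """\
0|C:/Users/bob/AppData/Local/Temp/svch0st.exe|4711|r/rrwxrwxrwx|0|0|73728|1231164200|1231164000|1231164000|1231164000
"""
AV_LOG = r"""
2009-01-05 14:02:11 UTC DETECTED C:\Users\bob\AppData\Local\Temp\svch0st.exe Generic.Dropper QUARANTINED
"""
FW_LOG = """\
Jan  5 14:03:27 fw1 kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=443
"""

def build_sample_timeline():
    """Run every input module and return the merged, time-ordered events."""
    events = parse_bodyfile(BODYFILE) + parse_av_log(AV_LOG) + parse_syslog_fw(FW_LOG, year=2009)
    return sorted(events, key=lambda e: (e.ts, e.source))


if __name__ == "__main__":
    print("\n".join(render_mactime(build_sample_timeline())))
```

Everything is normalized to UTC epoch seconds before sorting; the same logic applied to real sources would need each module to know its source's time zone and clock skew, which is where most of the real work in a multi-host timeline lives.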

You can read a nauseating amount of detail about Ex-Tip in my GCFA Gold paper, and the latest version is being maintained on SourceForge. Of course, I am always looking for help. I consider myself more of an analyst and scientist than a developer, and recognize that others can contribute far more along those lines than I.

Michael is a senior member of an incident response team for a large defense contractor. He has lectured for various audiences from IEEE to DC3, and teaches an introductory class on cryptography. His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering and has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others.

1 Comment

Posted December 31, 2008 at 8:46 AM

keydet89

Excellent post, Michael! Tools like TSK and ex-tip definitely begin to address the need for this sort of data analysis, but it's just a beginning.
You mention that the barriers to this sort of thing include financial funding and product-specific technology. I also think that things like this suffer from the fact that they ARE, in fact, free and in the case of ex-tip, open source.