SANS Digital Forensics and Incident Response Blog

PTK Timeline Analysis

By Michele Zambelli

Timeline analysis lets the investigator reconstruct the so-called footprint, i.e. the traces an attacker inevitably leaves behind on the compromised system. The action column of the timeline table carries one or more of the following values (one letter per timestamp type, the same convention as the Sleuth Kit's mactime output):

  • a: the file was last accessed (atime)
  • c: the file's metadata was changed (ctime: inode or MFT entry change, not content)
  • m: the file content was last modified (mtime)
  • b: the file was created ("born", crtime, on file systems that record a creation time)

From the beginning, the PTK project has given special attention to timeline analysis: it has its own section and an indexing feature. The indexing process extracts and stores the creation, modification, change and access times of every file present on the file system. The first form of timeline analysis is tabular: PTK lists all events in increasing or decreasing temporal order, and filters can be set to focus the investigation on precise time intervals.

PTK Table Timeline

As can be seen, the timeline PTK generates is not just a static list of allocated or deleted files with their timestamps: each entry points to the real portion of the file system holding that file, so during timeline analysis it is possible to open each listed file, inspect its content, compute its hash value and bookmark it. Results are divided into pages of user-defined size, and the timeline can be viewed either for the entire disk or for a single partition. The date/time field, like the file name, size and other fields, can be sorted in increasing or decreasing order.

PTK Timeline Filter

PTK introduces a new approach to timeline analysis: graphical timeline analysis. All access, modification and creation timestamps found on the file system under investigation are gathered into three categories. The result is an aggregate view of the entire disk and therefore an immediate picture of how disk activity has varied over time, which makes it quick to identify the periods in which peaks of access, creation or modification were recorded. For example, an access peak could indicate an antivirus scan of every file on disk, while the absence of values for a certain period could indicate that the system was not in use. Bear in mind that access times are only as reliable as the file system's update policy: a system configured not to update last-access times will show few "a" events regardless of activity. It is possible to zoom into a given timeframe and break it down into year, month and day views.
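The two views described above (the sortable, filterable MACB table and the per-day trend behind the graphical timeline) are easy to reproduce outside PTK. The following Python is an added example, not PTK code or anything from the PTK team: it parses a small constructed Sleuth Kit body file (the `fls -m` layout that mactime consumes; every path, inode and timestamp in it is made up), collapses each file's four timestamps into mactime-style `macb` rows, filters a time window, counts events per day, and flags access peaks and idle gaps. The function names are this example's own.

```python
"""Body file -> MACB timeline: table view, interval filter, per-day trend."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Constructed sample (NOT real evidence) in the Sleuth Kit 3.x body-file layout
# written by `fls -m` / `ils -m`:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch secs, 0 = unset)
# Story: OS files from Dec 2009, a document on 3 Jan, a dropped svc.exe and a
# deleted temp file on 4 Jan, and an early-morning bulk read of system files on 5 Jan.
SAMPLE_BODY = """\
0|/Windows/System32/drivers/etc/hosts|1234-128-1|r/rrwxrwxrwx|0|0|824|1262660400|1262000000|1262000000|1262000000
0|/Windows/System32/kernel32.dll|2222-128-1|r/rrwxrwxrwx|0|0|1000000|1262660400|1262000000|1262000000|1262000000
0|/Windows/System32/ntdll.dll|2223-128-1|r/rrwxrwxrwx|0|0|700000|1262660400|1262000000|1262000000|1262000000
0|/Windows/explorer.exe|2224-128-1|r/rrwxrwxrwx|0|0|2800000|1262660400|1262000000|1262000000|1262000000
0|/Users/bob/Documents/report.docx|5678-128-3|r/rrwxrwxrwx|0|0|40960|1262606400|1262520000|1262520000|1262520000
0|/Users/bob/Documents/~tmp.txt (deleted)|5679-128-1|r/rrwxrwxrwx|0|0|512|1262606600|1262606600|1262606600|1262606600
0|/Windows/Temp/svc.exe|9012-128-2|r/rrwxrwxrwx|0|0|73728|1262606700|1262606700|1262606700|1262606700
"""


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds (UTC)
    macb: str      # mactime-style flags in the order m a c b, '.' where not set
    inode: str
    name: str
    size: int
    deleted: bool  # fls appends " (deleted)" to names of unallocated entries

    def when(self) -> str:
        return datetime.fromtimestamp(self.ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _day(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")


def _epoch(iso: str) -> int:
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


def parse_body(text: str) -> list:
    """One Event per (file, distinct timestamp), like mactime: a file whose
    four times are all equal yields a single 'macb' row, not four rows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body-file line: {line!r}")
        name, inode, size = f[1], f[2], int(f[6])
        atime, mtime, ctime, crtime = (int(x) for x in f[7:11])
        flags_by_ts = defaultdict(lambda: ["."] * 4)
        for pos, (flag, ts) in enumerate(zip("macb", (mtime, atime, ctime, crtime))):
            if ts > 0:                      # 0 means the file system had no such time
                flags_by_ts[ts][pos] = flag
        for ts, flags in flags_by_ts.items():
            events.append(Event(ts, "".join(flags), inode, name, size,
                                name.endswith("(deleted)")))
    return sorted(events, key=lambda e: (e.ts, e.name))   # the table view's default order


def filter_window(events, start_iso, end_iso, flags=""):
    """Table filter: events with start <= ts < end (UTC, ISO-8601), optionally
    restricted to rows carrying any of the given MACB letters, e.g. 'b'."""
    lo, hi = _epoch(start_iso), _epoch(end_iso)
    return [e for e in events
            if lo <= e.ts < hi and (not flags or any(c in e.macb for c in flags))]


def daily_counts(events) -> dict:
    """Per-day m/a/c/b counts: the numbers a graphical timeline plots."""
    counts = defaultdict(lambda: {"m": 0, "a": 0, "c": 0, "b": 0})
    for e in events:
        for c in e.macb:
            if c != ".":
                counts[_day(e.ts)][c] += 1
    return dict(sorted(counts.items()))


def peak_days(counts, flag, factor=2.0) -> list:
    """Days whose `flag` count is at least `factor` times the mean daily count.
    A day that peaks in 'a' but not in 'm'/'b' is the signature of a bulk read
    such as an antivirus scan or a backup."""
    if not counts:
        return []
    threshold = factor * sum(d[flag] for d in counts.values()) / len(counts)
    return [day for day, d in counts.items() if d[flag] > 0 and d[flag] >= threshold]


def idle_gaps(events, min_days=2) -> list:
    """Runs of at least min_days calendar days with no events at all, as
    (first_idle_day, last_idle_day, length); long gaps suggest the machine was off."""
    days = sorted({date.fromisoformat(_day(e.ts)) for e in events})
    gaps = []
    for prev, nxt in zip(days, days[1:]):
        idle = (nxt - prev).days - 1
        if idle >= min_days:
            gaps.append((str(prev + timedelta(days=1)), str(nxt - timedelta(days=1)), idle))
    return gaps


if __name__ == "__main__":
    evs = parse_body(SAMPLE_BODY)
    for e in filter_window(evs, "2010-01-04T00:00:00", "2010-01-05T00:00:00"):
        print(e.when(), e.macb, e.size, e.inode, e.name)
    counts = daily_counts(evs)
    print("access peaks:", peak_days(counts, "a"), "idle gaps:", idle_gaps(evs))
```

Run against a real image, the same three steps are `fls -r -m / image.dd > body.txt`, then `parse_body(open("body.txt").read())`. The window filter reproduces what the PTK table does with a time-interval filter; `daily_counts` and `peak_days` are the aggregation behind the graphical view, and in the sample the four `.a..` rows on 2010-01-05 stand out as an access-only peak while 2010-01-04 shows the `macb` births of the dropped executable and the deleted temp file.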

PTK Timeline Filter

New features are being developed that show access, modification and creation trends for user-selected file categories (office documents, PDF, images, etc.). They will be included in upcoming PTK versions.

Michele Zambelli, GCFA Silver #1856, is a member of the PTK Team and a Security Consultant at DFLabs Italy.