SANS Digital Forensics and Incident Response Blog

Stop, Children, What's That Sound?

Making Use of a Super Timeline

I won't go over how to create a Super Timeline since Rob has already covered that as a high level in on the SANS Digital Forensics Blog. What I've been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that never occurred to me to consider as part of a timeline.

What I've learned is that creating a Super Timeline is only the beginning of timeline analysis. Because the Super Timeline method captures so many time stamps, it is likely that a Super Timeline will contain too many entries to manually review line by line especially if an examiner creates a timeline for an entire drive image. The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

What I recommend is to use more tactical forensic tools to pull out specific dates and times that can then be viewed in greater detail by using the Super Timeline. A classic forensic examination is one where an examiner is asked to determine whether someone copied information like intellectual property from a computer using methods such as email or a USB device. The Super Timeline is an invaluable tool for this sort of examination, but you have to know where to look on the timeline to get the data of interest. Tools that can help an examiner do this are Digital Detective's Net Analysis and HSTEX, Harlan's Reg Ripper and keyword searching via spreadsheet programs such as Excel.

I like the Net Analysis and HSTEX combo and I've been using both tools for many years. Craig Wilson, author of these tools, was recently awarded a well deserved Forensic 4cast Lifetime Achievement Award. An examiner can take the latest version of HSTEX and use it to extract web browser history from an image. If it's a Windows operating system being examined, the Internet Explorer history will be of great interest because the examiner can load the HSTEX results into Net Analysis and then filter on terms like "file" to show just file access entries or terms like "attach" to find evidence where files might be uploaded or downloaded from something such as web based email. The examiner can then take the date and time information for specific events of interest and refer to the Super Timeline to get a clearer picture of the events that surrounded that point in time.

Harlan has been doing some great work in the area of registry forensic research and tool development. Harlan's Reg Ripper tool is one that every examiner should have in their tool box and it's Harlan's regtime.pl tool that provides registry date and time data in the creation of a Super Timeline. For example, using the Reg Ripper tool to determine what types of USB devices have been connected to a system allows the examiner to then search for device specific keywords on the Super Timeline.

Super Timelines are designed to be loaded up into a spreadsheet such as Microsoft Excel. These spreadsheets can also be used to help an examiner zero in on specific events through keyword searching. Keywords such as the word "USB" can be used to help determine when a USB specific event occurred in the timeline.

One of the added bonuses that I've discovered from using Super Timelines is that it's shown me new artifacts to be aware of during an examination. For example, while examining a recent Super Timeline I saw the last accessed times being updated on .wav files for the sounds that are made when a USB device is inserted or removed. It occurs to me that this is a valuable thing to keep in mind when trying to determine what a user did on a particular computer. When a user interacts with an operating system GUI like Windows, certain actions can result in sound files playing and that can result in the last accessed time stamps of those files being updated.

Eric Huber leads the digital investigations team for a large multinational company. You can follow him on Twitter at @ericjhuber. His digital forensic blog is "A Fistful of Dongles" which has its own Twitter account of @AFoDBlog. This post also appears at that blog along with some additional content. This post is part of the author's shameless attempt at earning a SANS Lethal Forensicator RMO which the author disturbingly refers to as his "precious".