Timeline Analysis, pt VI - Taking Another Step

In my last post on timeline analysis, I illustrated how you could use some freely available tools to get started in developing a detailed timeline of activity from a system. Using TSK tools, we can extract file system timeline information from an acquired image, creating what Brian refers to as a bodyfile. This gives us the beginning of a more complete timeline...in order to take our timeline to the next level, we need to look at other sources of timestamped data...for right now, from the system being examined; for this example, we'll look to the Event Log as a source of timeline information.

As a reminder, we're using the 5 field timeline format that I described earlier. I'm referring to this as a "TLN" format, or timeline format, and includes the time (normalized to Unix epoch time), the source of the event (ie, where we got it, such as from an EVT file, INFO2 file, or some other log or source), the host or system on which the event occurred, the user associated with the event (if available), and a description of the event.

So, we have the file system bodyfile (courtesy of the TSK tools), but we need to translate that into the 5 field format; this is really simple to do using a script I call bodyfile.pl. Now, we have to stop for a second, because two of the fields we'd normally include...the server or host name, and the username...are not available in a TSK bodyfile. I opted to use RegRipper on the hive files extracted from the image to get the server name, and bodyfile.pl has a switch that lets me enter the server or host name so that the script can populate that field. This can be very important if you're correlating events across multiple systems.

Note: If you're dealing with live systems, you may opt to use another means, such as Perl or Python, to collect a file system bodyfile that is similar to the output of fls.exe.

Then I used a Perl script for parsing EVT files to parse through the Application, System, and Security Event Logs extracted from the image and add those events to the overall events file that we started with bodyfile.pl. This can add some very interesting correlating information to your timeline file, and the EVT parsing script can be (has been) adapted to parse event records out of a memory dump (which is all kinds of way cool!).

Now, if you've looked at the image that we're using (ie, the NIST hacking case image), you'll know that there's at least one Recycle Bin on the system with "deleted files" in it, as well as a nice INFO2 file. So I extracted the INFO2 file from the image, and used recbin.pl to parse the contents into our TLN format, adding those events to the timeline data.

Okay, at this point, we have a total of three sources for our timeline data: the file system itself, via fls.exe; the Event Logs; a Recycle Bin INFO2 file. Now what we have is a file full of events, and we need some way to make it useful. I wrote a simple script called parse.pl to read in all of the events, then sort them by the most recent time first, and print all of the events associated with each timestamp. Below is an excerpt from the resulting timeline file, illustrating what appears to be a shutdown of the system (some color-coding done for clarity):

Fri Aug 27 15:46:28 2004 Z
FILE N-1A9ODN6ZXK4LQ - MA.E c:/WINDOWS/Tasks/SA.DAT
EVT N-1A9ODN6ZXK4LQ N/A - EventLog/6006;Info;

Fri Aug 27 15:46:27 2004 Z
FILE N-1A9ODN6ZXK4LQ - MA.E c:/WINDOWS/Prefetch/LOGONUI.EXE-0AF22957.pf

Fri Aug 27 15:46:23 2004 Z
FILE N-1A9ODN6ZXK4LQ - MA.. c:/Documents and Settings/Mr. Evil/Local
Settings/Application Data/Microsoft/Windows/UsrClass.dat

FILE N-1A9ODN6ZXK4LQ - MA.. c:/Documents and Settings/Mr. Evil/NTUSER.DAT
FILE N-1A9ODN6ZXK4LQ - MA.E c:/Documents and Settings/Mr. Evil/ntuser.dat.LOG
FILE N-1A9ODN6ZXK4LQ - MA.E c:/Documents and Settings/Mr. Evil/ntuser.ini

Fri Aug 27 15:46:19 2004 Z
FILE N-1A9ODN6ZXK4LQ - .A.. c:/WINDOWS/Media/Windows XP Shutdown.wav
EVT N-1A9ODN6ZXK4LQ N/A - BROWSER/8033;Info;\Device
\NetBT_Tcpip_{86FC0C96-3FF2-4D59-9ABA-C602F213B5D2}


Pretty cool stuff, eh? Well, here's something else that's very cool...from the output of RegRipper, I collected the last shutdown time from the System hive:

ControlSet001\Control\Windows key, ShutdownTime value
ControlSet001\Control\Windows
LastWrite Time Fri Aug 27 15:46:33 2004 (UTC)
ShutdownTime = Fri Aug 27 15:46:33 2004 (UTC)

As you can see, we did indeed observe a shutdown in the timeline data illustrated above!

Now, this timeline information may not necessarily allow you to answer all of the questions in the challenge, but it can be very useful information, particularly when investigating an intrusion.

Don't forget...others have seen the importance of timeline development, as well. Next steps for this process are to include timeline data extraction in RegRipper, so that this data can be added to the timeline, as well. So stay tuned!

Addendum: I uploaded the complete output of parse.pl to the Files section of the Win4n6 group, under the Timeline Data folder. That way, you can look at ALL of the data...let me know if you have any questions.