Thoughts on Timeline Analysis

I was chatting with Chris Pogue (a fellow Syngress book author attending the SANS Forensic Summit) a bit over the past couple of days on the subject of Timeline Analysis, and had some thoughts that I wanted to throw out there and see what others thought about them...

Personally, I've been doing some pretty cool things with timeline analysis, incorporating not only file system metadata, but also Event Log entries, data from the Registry, the user's web browser history, etc. This lets me view events from several sources all in one place, giving me some context, but not all of the possible context. And this can be a LOT of data! I go through the process of creating a bodyfile, then a 5-field TLN format events file, and then a full timeline in ASCII, saving it in a text file. I've updated some of my code recently to allow me to re-run the events-file-to-timeline conversion tool and focus solely on a specific date range, down to a single day.
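Just to make that last step concrete, here's a minimal sketch of the date-range filtering, assuming the usual pipe-delimited TLN layout (time as a 32-bit Unix epoch, then source, host, user, and description); the script and function names are mine, not any particular tool's:

```python
import sys
from datetime import datetime, timezone

def filter_events(events_file, start, end):
    """Yield TLN events whose timestamps fall within [start, end]."""
    with open(events_file) as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            # Five pipe-delimited TLN fields: time|source|host|user|description
            fields = line.split("|", 4)
            if start <= int(fields[0]) <= end:
                yield int(fields[0]), fields[1:]

if __name__ == "__main__":
    # Focus the timeline on a single day (UTC); the date is just an example
    day = datetime(2009, 7, 6, tzinfo=timezone.utc)
    start = int(day.timestamp())
    for when, rest in filter_events(sys.argv[1], start, start + 86399):
        stamp = datetime.fromtimestamp(when, tz=timezone.utc)
        print(stamp.strftime("%a %b %d %H:%M:%S %Y"), " ".join(rest))
```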

This is where we usually start talking about visualization...what's a good way to present this information in a graphic format so that the analyst can answer the question at hand? Perhaps better yet...IS there a good way?
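For what it's worth, even a quick-and-dirty plot can help you spot clusters of activity before committing to anything fancier. Here's a minimal sketch using matplotlib, with made-up events, that just dots each event on a time axis by source...an eyeballing aid for the analyst, not a reporting graphic:

```python
import matplotlib.pyplot as plt
from datetime import datetime

# Hypothetical (time, source) pairs pulled from an events file
events = [
    (datetime(2009, 7, 6, 9, 14), "FILE"),
    (datetime(2009, 7, 6, 9, 15), "REG"),
    (datetime(2009, 7, 6, 9, 17), "EVT"),
    (datetime(2009, 7, 6, 13, 2), "WEB"),
]

sources = sorted({src for _, src in events})
ypos = {src: i for i, src in enumerate(sources)}

# One horizontal band per data source; each dot is a single event
for when, src in events:
    plt.plot(when, ypos[src], "o", color="steelblue")
plt.yticks(range(len(sources)), sources)
plt.xlabel("Time (UTC)")
plt.title("Event density by source")
plt.tight_layout()
plt.show()
```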

When it comes down to presenting the data to the customer, I've never been a supporter of handing over all of the raw data (there are folks out there who think a 3300+ page report is a good thing!), and giving the customer a timeline graphic of ALL of the data doesn't do a whole lot, either for their understanding of what's going on or for your professional credibility. That's where the knowledge and ability of the analyst come in: you create a timeline that summarizes the important and relevant events for the customer.

So, how do you do this? Do you sift through the data, removing all of the irrelevant stuff (i.e., replacing thousands of file last-accessed events with a single AV scan event, etc.) and dump it into some kind of program that will generate the timeline automatically, or is it something more of a manual process? (See the Resources section at the end of this post for some examples of how to create a graphic representation of a timeline that can be added to reports.)
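As a trivial example of that kind of reduction, here's a sketch that collapses dense runs of file last-accessed events (the telltale footprint of an AV scan touching thousands of files in a few seconds) into a single summary event; the gap and run-length thresholds are arbitrary assumptions you'd tune per case:

```python
def collapse_access_runs(events, gap=2, min_run=100):
    """Collapse dense runs of file last-accessed events.

    `events` is a time-sorted list of (epoch, description) tuples; any
    run of at least `min_run` events with no more than `gap` seconds
    between neighbors is replaced by a single summary event.
    """
    def flush(run):
        if len(run) >= min_run:
            span = run[-1][0] - run[0][0]
            return [(run[0][0], "%d file accesses in %d sec (AV scan?)"
                     % (len(run), span))]
        return run

    out, run = [], []
    for event in events:
        if run and event[0] - run[-1][0] > gap:
            out.extend(flush(run))
            run = []
        run.append(event)
    out.extend(flush(run))
    return out
```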

At this point, I'm of the opinion that this is still largely a manual process. While timeline creation and analysis has been automated to some degree through the use of tools, the fact is that there's currently no automated "sausage grinder" that you can drop an acquired image into and have it chug away and give you a full timeline. The file system metadata from one system alone can be cumbersome and overwhelming, particularly if you don't know what you're looking for. Let's say that you automatically add the Event Log entries to the timeline...but what if the Security Registry hive shows that the type of auditing you're looking for (successful logon attempts) wasn't enabled, and a scan of the Event Logs shows that the records don't cover the dates in question anyway? If this is an automatic process, you've now got a lot of extra, irrelevant data in your timeline.
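That sanity check is easy to script once the Event Log records have been parsed out; here's a hedged sketch that assumes you already have the record timestamps as Unix epochs (the .evt parsing itself is out of scope):

```python
def evt_overlaps_window(record_times, start, end):
    """Return True if any Event Log records fall inside the window of
    interest; `record_times` is an iterable of Unix epochs pulled from
    the parsed .evt records."""
    times = sorted(record_times)
    # If the logs rolled over after the window closed, or logging stopped
    # before it opened, the records can't speak to the incident at all.
    return bool(times) and times[0] <= end and times[-1] >= start

# Example: a window in early January 2009, but the earliest surviving
# record is from February...no overlap, so don't bother merging the logs
window = (1230768000, 1231372800)
records = [1233500000, 1233600000]
print(evt_overlaps_window(records, *window))   # -> False
```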

What about context? Not all of the context for an event is visible in a timeline...in some cases, a recent modification date on a file isn't as important as what was added to (or removed from) the file. Or you may have two events...a USB removable storage device plugged into the system and, shortly thereafter, a Windows shortcut/LNK file created...and the valuable context, the correlation between the two events, is in the path information and volume serial number embedded in the LNK file.
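You can flag candidate pairings like that automatically, even though interpreting them stays manual. Here's a minimal sketch that pairs removable-storage events with LNK-creation events that follow within a few minutes...the five-minute window is an arbitrary assumption, and confirming the correlation still means cracking open the LNK file and comparing the embedded path and volume serial number:

```python
def pair_events(usb_events, lnk_events, window=300):
    """Yield (usb, lnk) pairs where a LNK creation follows a USB
    insertion within `window` seconds; events are (epoch, description)."""
    for u_time, u_desc in usb_events:
        for l_time, l_desc in lnk_events:
            if 0 <= l_time - u_time <= window:
                yield (u_time, u_desc), (l_time, l_desc)

# Hypothetical events pulled from a merged events file
usb = [(1246870800, "USB removable storage device connected")]
lnks = [(1246870920, "Shortcut created: report.doc.lnk")]
for u, l in pair_events(usb, lnks):
    print("Possible correlation (%d sec apart): %s -> %s"
          % (l[0] - u[0], u[1], l[1]))
```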

In a way, this discussion brings us back around to the basic idea of the skill and knowledge of the examiner/analyst. Let's say an analyst responds to an incident and goes on-site to find four desktop systems that have been powered down and taken off the network. One analyst might look at this, remove the drives, and image them with the pair of Vooms he has in his jump kit. Another might hook each drive up to a write-blocker and acquire logical images of each partition. Yet another responder might boot each system, log in as Administrator, acquire volatile data, and then perform live acquisitions. Given this kind of disparity across a single response, how does an analyst then "correctly" decide which information needs to be included in a timeline for analysis, and then determine the context of the data?

IMHO, this all comes down to training and experience. Training specific to this topic needs to be available, followed by guidance and mentoring. Cheat sheets can remind folks of what data is available and why and how it's important, and within organizations and labs, there needs to be some kind of peer review.

Thoughts?

Resources
How to create a timeline in Excel (free templates)
Free SmartDraw Timeline Software