HowTo: Creating Mini-Timelines
There are times when you don't want (or need) a super timeline, but instead just want to focus on one piece of available data, such as Event Log entries or Registry key LastWrite times. I've had occasion to focus on just specific entries in the Security Event Logs; specifically, event ID 528, type 10, indicating RDP logins to a system. I used one of the timeline tools I wrote, evtparse.pl, to parse the appropriate records from the Security Event Log and then create a timeline from just those records.
So, let's say that you have something specific that you want to look for, such as all Registry keys that were created or modified between two specific dates. You'd want to start by either extracting the appropriate hives from the acquired image via FTK Imager, or using FTK Imager to mount the acquired image as a volume on your analysis system.
For the next steps, go here and download the tln_tools.zip archive...do NOT download regtime.zip for this exercise. From the tln_tools.zip archive, we will be working specifically with the regtime.pl and parse.pl tools (note that regtime also ships with a standalone EXE...you must have the p2x588.dll file in the same directory along with the EXE).
The first thing you'll need to do is create your events file of the Registry key LastWrite times. One thing you'll need is the name of the system you're analyzing. This can be something that's already in your case documentation; however, if you don't have that information, you can either enter a designator, or leave it blank...for what we're doing, it isn't critical. If you have RegRipper installed, this is very easy to get, using the following command:
We can then use the returned information in your mini-timeline instead of the "SERVER" value in the below commands.
Next, we'll parse the Software and System hives (assume that the image is mounted as H:\):
Now that we have the events file, we can use parse.pl to generate our timeline. If you type just "parse.pl" at the command prompt (or "parse.pl -h"), you'll see that the script has a couple of options, one of which is to specify a date range. Let's say that you want all events from your events file, between 3 March and 4 April 2011, inclusive. You would use the following command:
This command provides an ASCII output format that I've always found very easy to view and understand. If you would like .csv output, which Excel is much happier with, type the following command (note the "-c" switch):
There you go...that's it. You can also add other hives to your events file, even NTUSER.DAT hives (adding the username after the "-u" switch can help you tell different user's apart).
This blog post has been brought to you by the open source tool, "regtime.pl", and the redirection operator ">".
So, let's say that you have something specific that you want to look for, such as all Registry keys that were created or modified between two specific dates. You'd want to start by either extracting the appropriate hives from the acquired image via FTK Imager, or using FTK Imager to mount the acquired image as a volume on your analysis system.
For the next steps, go here and download the tln_tools.zip archive...do NOT download regtime.zip for this exercise. From the tln_tools.zip archive, we will be working specifically with the regtime.pl and parse.pl tools (note that regtime also ships with a standalone EXE...you must have the p2x588.dll file in the same directory along with the EXE).
The first thing you'll need to do is create your events file of the Registry key LastWrite times. One thing you'll need is the name of the system you're analyzing. This can be something that's already in your case documentation; however, if you don't have that information, you can either enter a designator, or leave it blank...for what we're doing, it isn't critical. If you have RegRipper installed, this is very easy to get, using the following command:
C:\rr>rip -r H:\Windows\system32\config\system -p compname
We can then use the returned information in your mini-timeline instead of the "SERVER" value in the below commands.
Next, we'll parse the Software and System hives (assume that the image is mounted as H:\):
C:\tools>regtime -r H:\Windows\system32\config\system -m HKLM/System -s SERVER > D:\case\key_events.txt
C:\tools>regtime -r H:\Windows\system32\config\software -m HKLM/Software -s SERVER >> D:\case\key_events.txt
Now that we have the events file, we can use parse.pl to generate our timeline. If you type just "parse.pl" at the command prompt (or "parse.pl -h"), you'll see that the script has a couple of options, one of which is to specify a date range. Let's say that you want all events from your events file, between 3 March and 4 April 2011, inclusive. You would use the following command:
C:\tools>parse.pl -f D:\case\key_events.txt -r 03/03/2011-04/04/2011 > D:\case\key_tln.txt
This command provides an ASCII output format that I've always found very easy to view and understand. If you would like .csv output, which Excel is much happier with, type the following command (note the "-c" switch):
C:\tools>parse.pl -f D:\case\key_events.txt -r 03/03/2011-04/04/2011 -c > D:\case\key_tln.csv
There you go...that's it. You can also add other hives to your events file, even NTUSER.DAT hives (adding the username after the "-u" switch can help you tell different user's apart).
This blog post has been brought to you by the open source tool, "regtime.pl", and the redirection operator ">".