Training, and Learning
I finished up leading a Timeline Analysis Course on Tuesday afternoon, ending two days of some pretty intensive training. One of the things I find when I'm putting presentations or courses together, and then actually giving the presentation, is that I very often end up learning a good deal along the way, and this time around was no different. As has happened in the past, what I learn leads me to revisit and possibly even modify tools or analysis techniques, and again, this time was no different.
One of my biggest takeaways from the training is that I need to reconsider how at least some of the available time stamped data is presented in a timeline. One of those items is how Prefetch file metadata is represented and displayed; I've since updated the parsing tool to address this particular item. Another, and the one I'm going to discuss in this blog post, is how Windows shortcut (LNK file) information might be displayed in a timeline, or more specifically, what information about LNK files might possibly need to be presented in a timeline.
Category IDs
So, as a bit of background, I've been thinking quite a lot lately about how to better take advantage of timeline data. As I was putting the timeline course together, it occurred to me that I was going to be spending a good deal of time describing to attendees how to create a timeline, and even walking them through this process with demonstrations and hands-on exercises, but spending very little time discussing how to actually analyze the timeline data. The simplest answer is, it depends. It depends on your exam goals, why you're performing the exam, and why you created a timeline in the first place. It occurred to me that I was making an assumption that most analysts would have a good solid justification for creating a timeline as part of their analysis process. If that were the case every time, I wouldn't have folks signing up for a timeline analysis course, would I? I'm not saying that analysts don't have a justification for creating a timeline, but sometimes that justification may be, "...that's what we always do...", or "...that's what I did last time."
Timeline analysis is something of a data reduction technique...we go from a 500GB hard drive or image, to somewhere around a GB or so of data, and we then arrange it based on a time value in the hopes of obtaining some context and increasing our relative confidence in the data that we're looking at; that's the goal, anyway. But by grabbing just the data directly associated with a time value, we end up performing a great deal of data reduction. Even so, we still need a means for directing our analysis, or getting the cream to rise to the top of the container.
Something I'd discussed in a previous blog post was the concept of categories for events. Rob Lee has done some considerable work in this area already, providing a color-coded Excel macro that implements the category ID scheme he's identified via resources such as the SANS DFIR poster. Regardless of the method used to identify event types or categories, the idea is to develop some method to assist the examiner in her analysis of the timeline. After all, if you have something of an idea of what you're looking for, then finding it might be a bit easier if you classify various events by type or category, and then have some means to identify the events accordingly (via color, a tag or identifier, etc.).
Shortcut/LNK Files
Speaking of categories, perhaps one of the most difficult artifacts to classify into a single category is Windows shortcut/LNK files. Without getting into a long discussion about this, let's take a look at an example of what's available in an LNK file found in a user's Recent folder:
atime Tue May 15 21:11:59 2012
basepath C:\Users\
birth_obj_id_node 08:00:27:dd:64:d1
birth_obj_id_seq 9270
birth_obj_id_time Tue May 15 21:09:27 2012
birth_vol_id 2C645C57...13C2834AAD2
commonpathsuffix john\Downloads\Autoruns.zip
ctime Tue May 15 21:11:59 2012
filesize 535772
machineID john-pc
mtime Tue May 15 21:11:59 2012
netname \\JOHN-PC\Users
new_obj_id_node 08:00:27:dd:64:d1
new_obj_id_seq 9270
new_obj_id_time Tue May 15 21:09:27 2012
new_vol_id 2C645C57...13C2834AAD2
relativepath ..\..\..\..\..\Downloads\Autoruns.zip
vol_sn F405-DAC1
vol_type Fixed Disk
As you can see, we have a number of data elements available to us once we've decoded the binary contents of the LNK file, any of which (or any combination of which) may be relevant or significant to our analysis. For example, as the LNK file was found in the user's Recent folder, we can assume that the existence of the file indicates some form of user activity; that is, the user must have done something, must have performed a specific action (such as double-clicking the file) that caused that LNK file to be created.
Next, we have the path to where the target file was located within the file system, as well as the MA.B times of the target file at the time that the shortcut was created. That might be significant to your analysis, as it demonstrates both knowledge of and access to a file, and will persist even after the target file is no longer available.
Had the LNK file been located on the user's Desktop and pointed to an EXE target file, this might illustrate specific actions taken by the user, such as installing an application. This might also indicate program execution, rather than file access.
If the target file in the shortcut is a document or image, this might also illustrate program execution. Launching the shortcut would cause the Windows system to reach into the Registry in order to determine which application is associated with files that have the target file's extension. For example, let's say a shortcut "points to" a .avi video file. On some systems, launching a shortcut that points to a video file might cause Windows Media Player to be launched automatically; on other systems, it might be another application altogether. Either way, the existence of an LNK file might also illustrate program execution or application launch.
Finally, we see that the last item visible in our example is called "vol_type", which refers to the type of volume where the target file was at the time of the activity. In this case, the C:\ volume is a "Fixed Disk"; if it weren't, would that be significant? For example, if the volume type were "removable media" or a "network share", would that be significant to your exam? In some cases, it could very well be, and we might look to that information for indications of access to or use of removable storage devices, or of network shares.
Perhaps the idea here isn't to classify LNK files into a single category, but instead filter the various data items found within LNK files based on a set of rules, and produce timeline events based on the output of each of the rules, where appropriate. This might mean that for a single LNK file, we might end up with multiple events in our timeline.
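The rule-based approach described above, as an added example rather than code from the original post or from the author's parsing tool: each rule is tested against the parsed LNK fields shown earlier, and every rule that fires contributes its own categorized timeline event, so a single LNK file can yield several events. The field names and values are taken from the dump above; the "location" and "lnk_mtime" fields (which come from the file system rather than the LNK contents), the category labels and the extension list are assumptions constructed for illustration.

```python
from datetime import datetime

# Field names and values copied from the lnk output above. "location" and
# "lnk_mtime" are NOT in that output; they are constructed for this example
# (the shortcut's own path and last-modified time on the file system).
SAMPLE_LNK = {
    "location": r"C:\Users\john\AppData\Roaming\Microsoft\Windows\Recent\Autoruns.lnk",
    "lnk_mtime": "Tue May 15 21:11:59 2012",
    "basepath": "C:\\Users\\",
    "commonpathsuffix": "john\\Downloads\\Autoruns.zip",
    "mtime": "Tue May 15 21:11:59 2012",
    "atime": "Tue May 15 21:11:59 2012",
    "ctime": "Tue May 15 21:11:59 2012",
    "vol_type": "Fixed Disk",
    "machineID": "john-pc",
}

# Assumed list of "document or image" extensions that imply an associated app launch.
DOC_EXTS = {"doc", "docx", "pdf", "txt", "jpg", "png", "avi"}


def ts(s):
    """Parse the timestamp format used in the dump (e.g. 'Tue May 15 21:11:59 2012')."""
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")


def lnk_events(lnk):
    """Apply each rule in turn; every rule that fires yields one
    (time, category, description) event, sorted for timeline insertion."""
    target = lnk["basepath"] + lnk["commonpathsuffix"]
    ext = target.rsplit(".", 1)[-1].lower()
    loc = lnk["location"].lower()
    when = ts(lnk["lnk_mtime"])
    events = []
    # Rule 1: a shortcut in the Recent folder records that the user acted on the target.
    if "\\recent\\" in loc:
        events.append((when, "File Access", f"user opened {target}"))
    # Rule 2: the target's own timestamps survive in the LNK even after the target is gone.
    for key in ("mtime", "atime", "ctime"):
        events.append((ts(lnk[key]), "File Knowledge", f"target {key} of {target}"))
    # Rule 3: a Desktop shortcut to an EXE suggests installation or execution.
    if "\\desktop\\" in loc and ext == "exe":
        events.append((when, "Program Execution", f"desktop shortcut to {target}"))
    # Rule 4: a document/image target implies the associated application was launched.
    if ext in DOC_EXTS:
        events.append((when, "Program Execution", f"associated app launched for {target}"))
    # Rule 5: anything but a fixed disk points at removable media or a network share.
    if lnk["vol_type"] != "Fixed Disk":
        events.append((when, "Removable/Network", f"{target} on {lnk['vol_type']}"))
    return sorted(events)
```

Running lnk_events(SAMPLE_LNK) yields four events for the Autoruns.zip shortcut (one file-access event plus three target-timestamp events); changing vol_type to a removable volume adds a fifth.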
Resources
ForensicsWiki LNK page