Thursday, November 24, 2011

log2timeline-sift: Proof HD analysis is still vital!

My tummy full of scrumptious turkey and my body slowly breaking down tryptophan (not to mention mildly sore feet from running the longest consecutive running road race in America) -- I decided I really should update the blog.

So I have been talking a lot about timeline creation. Using memory dumps can unearth a ton of information. I would be remiss, however, if I did not mention timeline analysis using the good ol' hard drive.

Rob Lee has made the SuperTimeline famous using log2timeline (from Kristinn Guðjónsson), regripper (Harlan Carvey), and a few other tools (including Brian Carrier's). In my old job I created a perl script which would automate as many as possible of the steps required to produce a timeline from a hard drive. I found out last week that all this work has been done for me-- earlier this year.

Kristinn created the log2timeline-sift application, which automates the mounting, extraction, and program execution. You can see the PDF here. It picks the timezone from the one configured on the hard drive (based on registry settings). So now all you have to do is literally one command and voila-- and it attempts to grab all the NTUSER.DAT files for each user. It's... almost cheating :P

This comes standard with the new SIFT workstation, or you can easily install it on Linux with:
$ sudo apt-get install log2timeline-sift-perl
The arguments passed on the command line depend on whether you have a whole disk image or just a partition image, and on whether you want to tweak some settings. Read the man page to get the lowdown, but the command is generally run as such:
$ log2timeline-sift -z (TIMEZONE) (DD FILE)
So what does this grab you? A whole treasure trove of information. Here are some of the artifacts which can be seen using a supertimeline:
  • Modified, Accessed, Created, Birth times of all files on the system  
    • More information about MACB times by filesystem is here
  • Registry Keys 
  • Internet History for users
  • Prefetch Files
  • System Logs
  • Skype logs
  • UserAssist
  • (some) AV logs
  • Recycle Bin information
So this is great: if you have a timeframe in question or a known bad file, you can simply scroll to the questionable row in Excel (after a quick CTRL-F) and see A) what happened immediately before and B) what happened immediately after.

You can also search against the file (read: grep or FINDSTR) to confirm the existence of a file/event. This is much quicker than trying to open large files in Excel or whatever spreadsheet program you use, and it lets you narrow your search before you do.
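As an added example (not from this post or from log2timeline itself), here is the "find the row, then look just before and just after it" step done as a small script instead of a spreadsheet scroll: it parses the l2t_csv layout log2timeline writes, sorts the rows chronologically (the raw output is not guaranteed to be in order), and returns a window of events around every hit. The header is the real l2t_csv column list; every event row, host name, user and prefetch hash in the sample is constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in log2timeline's l2t_csv layout. The header is the real
# 17-column format; every event row below is made up for this example, and the
# rows are deliberately out of order (raw l2t output need not be chronological).
SAMPLE_TIMELINE = r"""
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
11/20/2011,14:09:00,EST5EDT,MACB,EVT,System Log,Event Log,-,WS01,Service Control Manager,service entered running state,2,C:/Windows/System32/winevt/Logs/System.evtx,0,-,evtx,-
11/20/2011,14:01:58,EST5EDT,MACB,WEBHIST,Internet Explorer,URL visited,alice,WS01,http://example.test/setup.exe,visited url,2,C:/Users/alice/index.dat,0,-,iehistory,-
11/20/2011,14:02:40,EST5EDT,...B,FILE,NTFS,Created,-,WS01,C:/Users/alice/Downloads/setup.exe,file created,2,C:/Users/alice/Downloads/setup.exe,0,-,mactime,-
11/20/2011,14:03:05,EST5EDT,MACB,PREFETCH,Prefetch,Last run,-,WS01,SETUP.EXE-1A2B3C4D.pf,program executed,2,C:/Windows/Prefetch/SETUP.EXE-1A2B3C4D.pf,0,-,prefetch,-
11/20/2011,14:03:06,EST5EDT,M...,REG,UserAssist,Registry key,alice,WS01,UEME_RUNPATH:setup.exe,run count 1,2,C:/Users/alice/NTUSER.DAT,0,-,userassist,-
11/20/2011,14:03:20,EST5EDT,M...,REG,Run key,Registry key,-,WS01,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,value svchosts added,2,C:/Windows/System32/config/SOFTWARE,0,-,regripper,-
"""

def load_timeline(text):
    """Parse l2t_csv text and return its rows sorted by date + time."""
    rows = list(csv.DictReader(io.StringIO(text.strip())))
    rows.sort(key=lambda r: datetime.strptime(r["date"] + " " + r["time"],
                                              "%m/%d/%Y %H:%M:%S"))
    return rows

def pivot(rows, needle, before=2, after=2):
    """Return (is_hit, row) pairs: every row mentioning `needle` in any column
    (case-insensitive) plus the rows just before and after it. Windows from
    neighbouring hits are merged so no event is listed twice."""
    needle = needle.lower()
    hits = {i for i, r in enumerate(rows)
            if needle in " ".join(v or "" for v in r.values()).lower()}
    keep = set()
    for i in hits:
        keep.update(range(max(0, i - before), min(len(rows), i + after + 1)))
    return [(i in hits, rows[i]) for i in sorted(keep)]

def summarize(is_hit, row):
    """One compact line per event, the columns you would eyeball in Excel."""
    flag = ">>" if is_hit else "  "
    return f"{flag} {row['date']} {row['time']} {row['MACB']} {row['source']:8} {row['short']}"

if __name__ == "__main__":
    events = load_timeline(SAMPLE_TIMELINE)
    for hit, row in pivot(events, "setup.exe", before=1, after=2):
        print(summarize(hit, row))
```

Point it at a real log2timeline CSV by reading the file into `load_timeline`; the window shows the download, the first execution, the UserAssist entry and the Run key that follows, which is exactly the corroboration the next paragraph talks about.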

Sweet. I found out a bit late (staying on top of everything is insane), but I definitely want to start using this in my forensic investigations. Now, I know I said you can do something similar with a memory dump, but you won't always get that memory dump. Plus, well... you only grab what was in memory-- which, granted, is A LOT, but it's not everything. AND if you have both, you can find discrepancies and build further on your investigation. There is power in corroboration! 

I hope everyone had a wonderful Turkey Day and to all those attempting a Black Friday-- best of luck. I will be busy snoozing ^_^
