Thursday, September 22, 2005

Visualization

I've started to see that this issue of "timeline analysis" really isn't one of getting data as much as it is one of visualization. Graphically representing data in some manner for presention it to the audience, can be very powerful. It's been said that a "picture is worth a thousand words", and in many cases, this is true. So, the question becomes, how does one best present a timeline of activity on a system?

For starters, let's simply consider any system. One would hope that any solution would provide for mulitple systems, with the Windows host-based data sources having been covered in previous posts. We could incorporate firewall logs, logs from other systems, syslog, etc., all under the same case heading. There would need to be some sort of normalization process, of course, before the data was incorporated into a database. Along these lines, I'd met with the MountainWave folks many moons ago, in a previous life (...once, in a galaxy far, far away...), before they were purchased by Symantec. Their CyberWolf product was pretty cool, and performed normalization of logs, in a manner similar to what I'm referring to here.

Okay...so once you've populated your database, what next? Ah, yes...queries.

For presenting your data, there are many freeware visualization toolkits available, such as VTK, OpenDX, and GraphViz...but how useful are these...really? Well, GraphViz may have some potential.

One of the commercial tools I've been told is being used is CaseMap from CaseSoft. From what I've been told, though, getting the data into CaseMap can be almost as much of a manual process as Analyst's Notebook. A caveat, though...I haven't worked a great deal with either of these products, so I don't know if the issue of manually entering data is one of operator error or not.

This is all still kind of up in the air...how do you present the data? I think that culling information from a database and presenting a scalable view is still a viable option. The analyst can choose a date and time, and the tool will provide a zoomable view of the data, much in the same way as when you do a search on

4 comments:

Jesse Kornblum said...

I have to say that "culling information from a database and presenting a scalable view is still a viable option," is without question the most viable option. I'd like to see a time line for starters. We can always add on more bells and whistles.

Jake Talon said...

Use the KISS model to start, then worry about wizbang.

I think you need to consider [i]why[/i] visulization is desired in the first place.
Is it to impress people at presentations or to win a court case?
Is it to give the investigating team the big picture for documenting the case or to try and describe and event?
Is the scale of the timeline local to a computer or can it span over multiple system across the globe?
Who is the audience? Techs who wants DNS details and hex outputs?

Keydet89 said...

Use the KISS model to start, then worry about wizbang.

Agreed. That's why I was thinking, dump everything to database, then run queries. A simple query would be for all time entries within a 2 minute (arbitrary size) window of a specific time.

I think you need to consider [i]why[/i] visulization is desired in the first place.

To wade through scads and scads of data quickly...and accurately. Simply considering the numbers of sources for time data on a Windows system, there are a lot of places to check and a great deal of data to correlate. Having the ability to plot, say, the creation of files and Registry keys on a time line, and then move a slider bar back in time to view failed login attempts from the Event Log...

Diana said...
This comment has been removed by a blog administrator.