Tuesday, August 04, 2009

More work on Timeline Analysis

I saw that there's a new post over on the SANS Forensic blog about generating timelines for analysis by adding "alternative" sources of timestamped data. This post points back to Kristinn Guðjónsson's blog post about the log2timeline tool for creating timelines.

This is very similar to some of the stuff I've been working on, and it's great to see that there's more interest in creating timelines for analysis and answering questions.

Another cool thing about Kristinn's work is that it's Perl-based! Sweet!

Speaking of Perl-based approaches to timeline creation, I received an email yesterday that contained a link to the Revealer Toolkit, or "RVT". This toolkit looks pretty promising, so be sure to take a look at the project page for downloads and news. RVT has its own newsletter/Google group, as well.

RVT is an interesting project. First off, there's the Perl aspect. Second, reading through the documentation, it appears that the authors were thinking along the same lines I was when I started down this road; in particular, how to incorporate not just different sources of timestamped data from a single system (i.e., file system, EVT files, Registry hives, etc.), but also data from multiple systems, as well as other external sources.

Another interesting aspect of RVT is the ability to plot timelines in a graphical format. I'm having some trouble coming up with a means for plotting timeline data in a meaningful way, so that the analyst is not overwhelmed with raw data, but is instead able to glean some modicum of actual intelligence from the sheer glut of information. For right now, the timeline tools I've developed are a very manual process, but there's a method to my madness...more about that later.


Troy said...

I would have thought timelining of all sources was a standard procedure. I do it on most cases, and I use file system, events, registry modifications, other logs, email, pretty much anything that is probative and has a date and time. The hardest part is normalizing the time stamps: UTC vs. local time, other time zones involved, etc.

I have always built my timelines in Excel, with columns for date, time, event description, and even source.
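As an added illustration of the two points raised here, merging timestamped records from several sources and systems (the post above) and normalizing them to UTC before they can be ordered (Troy's comment above), the following Python script builds a single sorted timeline with the same columns Troy keeps in Excel: date, time, source, and description, plus a host column for the multi-system case. This is example code written for this page, not code from RVT, log2timeline, or the author's own Perl tools. Every host name, path, event, and timestamp value is constructed, and the workstation's local zone is assumed to be US Eastern during daylight time (UTC-4).

```python
#!/usr/bin/env python3
"""Normalize timestamps from several evidence sources to UTC and merge them
into one sorted timeline (date, time, host, source, description)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

UTC = timezone.utc
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
# (the format in which Registry key LastWrite times are stored).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_utc(filetime):
    """Convert a 64-bit FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def unix_to_utc(seconds):
    """Convert a Unix epoch value (NTFS times are kept in UTC) to a UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=UTC)


def local_to_utc(text, local_tz):
    """Parse 'YYYY-MM-DD HH:MM:SS' recorded in the source system's local zone."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=local_tz).astimezone(UTC)


def iso_z_to_utc(text):
    """Parse an ISO 8601 timestamp with a trailing 'Z' (already UTC)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def mail_date_to_utc(header):
    """Parse an RFC 2822 Date: header value, honouring its numeric offset."""
    return parsedate_to_datetime(header).astimezone(UTC)


def to_utc(record):
    """Dispatch on the record's source and return an aware UTC datetime."""
    kind = record["source"]
    if kind == "filesystem":
        when = unix_to_utc(record["mtime"])
    elif kind == "registry":
        when = filetime_to_utc(record["lastwrite"])
    elif kind == "evt":
        when = local_to_utc(record["local_time"], record["tz"])
    elif kind == "weblog":
        when = iso_z_to_utc(record["time"])
    elif kind == "email":
        when = mail_date_to_utc(record["date"])
    else:
        raise ValueError(f"unknown source {kind!r}")
    # Refuse naive or non-UTC results: a mixed-zone timeline sorts wrongly.
    if when.tzinfo is None or when.utcoffset() != timedelta(0):
        raise ValueError(f"{kind}: timestamp was not normalized to UTC")
    return when


def build_timeline(records):
    """Return (utc_datetime, host, source, description) rows sorted by time."""
    rows = [(to_utc(r), r["host"], r["source"], r["description"]) for r in records]
    return sorted(rows, key=lambda row: row[0])


def format_timeline(rows):
    """Render rows as fixed-width text lines, one event per line."""
    return [f"{t:%Y-%m-%d} {t:%H:%M:%S}Z  {host:<7} {src:<11} {desc}"
            for t, host, src, desc in rows]


# Constructed sample records (not from any real case). The workstation's local
# zone is assumed to be US Eastern during DST (UTC-4); its EVT records carry
# local time, whereas NTFS and the Registry store UTC.
WORKSTATION_TZ = timezone(timedelta(hours=-4))

SAMPLE_RECORDS = [
    {"host": "WKS01", "source": "filesystem", "mtime": 1249395300,
     "description": r"M.. C:\Users\jsmith\Documents\report.docx"},
    {"host": "WKS01", "source": "evt", "local_time": "2009-08-04 10:05:00",
     "tz": WORKSTATION_TZ, "description": "Security EVT: event 528 successful logon (jsmith)"},
    {"host": "WKS01", "source": "registry", "lastwrite": 128938692300000000,
     "description": r"LastWrite HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"},
    {"host": "WEB01", "source": "weblog", "time": "2009-08-04T13:58:12Z",
     "description": "GET /intranet/report.docx 200"},
    {"host": "MAIL01", "source": "email", "date": "Tue, 04 Aug 2009 07:30:00 -0700",
     "description": "Message from jsmith, Date: header in sender's zone"},
]

if __name__ == "__main__":
    for line in format_timeline(build_timeline(SAMPLE_RECORDS)):
        print(line)
```

Run as-is, the script prints the five constructed events in the order weblog, EVT logon, file modification, Registry LastWrite, email (13:58Z through 14:30Z), even though the raw values arrive as a Unix epoch, a local-time string, a FILETIME, an ISO string, and an RFC 2822 header with a -0700 offset. The check in `to_utc` is the part worth keeping in any real tool: every converter must hand back an aware UTC value, so a source whose zone nobody documented fails loudly instead of silently landing four hours out of place in the timeline.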

Keydet89 said...

I would have thought timelining of all sources was a standard procedure.

Not as I've seen. Also, these tools and methodologies assist with a great deal of automation.