Wednesday, July 07, 2010

More Timeline Stuff

I'll be at the SANS Forensic Summit tomorrow, giving a presentation on Registry and Timeline Analysis in the morning, and then participating on a panel in the afternoon. Over all, it looks like this will be another excellent conference, due to the folks attending, their presentations, and opportunities for networking.

I talk (and blog) a lot about timelines, as this is a very powerful technique that I, and others, have found to be very useful. I've given presentations on the subject (including a seminar last week), written articles about it, and used the technique to great effect on a number of investigations. In many instances, this technique has allowed me to "see" things that would not normally be readily apparent through a commercial forensic analysis tool, nor via any other technique.

One of the aspects of Windows systems is that there a wide range of data sources that provide time stamped events and indicators. I mean, the number of locations within a Windows system that provides this sort of information is simply incredible.

To meet my own needs, I've updated my toolkit to include a couple of additional tools. For one, I've created a script that directly parses the IE index.dat files, rather than going through a third-party tool (pasco, Web Historian, etc.). This just cuts down on the steps required, and the libmsiecf tools, mentioned in Cory's Going Commando presentation, does not appear to be readily available to run on Windows systems.

Parsing EVT files is relatively straightforward using tools such as evtparse.pl, and Andreas provides a set of Perl-based tools to parse EVTX (Event Logs from Vista and above) files. As an alternative, I wanted to write something that could easily parse the output of LogParser (free from MS), when run against EVT or EVTX files, using a command such as the following:

logparser -i:evt -o:csv "SELECT * FROM D:\Case\File\SysEvent.EVT" > output.csv

Keep in mind that LogParser uses the native API on the system to parse the EVT/EVTX files, so if you're going to parse EVTX files extracted from a Vista or Windows 2008 or Windows 7 system, you should do so on a Windows 7 system or VM. The output from the LogParser command is easily read and output to a TLN format, and the output from the script I wrote is identical to that of evtparse.pl. This can be very useful, as LogParser can be installed on and run from a DVD or thumb drive, and used in live IR (change "D:\Case\File\SysEvent.EVT" to "System" or "Application"), as well as run against files extracted from acquired images (or files accessible via a mounted image). However, keep in mind that LogParser uses the native API, so if sysevent.evt won't open in the Event Viewer because it is reportedly "corrupted" (which has been reported for EVT files from XP and 2003), then using evtparse.pl would be the preferable approach.

The next tool I'm considering working on is one to parse the MFT and extract the time stamps from the $FILE_NAME attribute into TLN format. This would undoubtedly provide some insight into the truth about what happened on a system, particularly where some sort of timestomping activity has occurred (a la Clampi). This will take some work, as the full paths need to be reassembled, but it should be useful nonetheless.

3 comments:

Anonymous said...

Totally agree. One thing I've found of great value is a tool (I use EnCase primarily so I wrote mine as an enscript) to search the entire exhibit for date/times (Win and UNIX numeric text) between any 2 specified date/times regardless of where they are - registry, MFT (SIA & FNA), everywhere.

Rgds,
James

Keydet89 said...

Wow, I think that would be a rather difficult task...

First, there are so many date formats that your code would need to be able to handle all of them.

Then, you have to keep in mind that not everything will be relevant...

Anonymous said...

Well, I've written 2 scripts to decode the standard Windows 8 byte date field and the other does UNIX text date/times you find in web pages (I think it is 10 chars). These are the very common for what I do and I think other formats would be easy to add - I'll add them as I need them :) This is the advantage of writing it yourself!

You put in the period of interest, start and end, down to the second, it turns these into numbers and it looks for all numbers on the exhibit between these values. Not too tricky in EnScript and it bookmarks the lot so you can quickly dump those in files of no interest leaving you MFTs, EVTs, registry files, live, RPs, VSS and UA.

Not my idea originally, it came from Lance's site and I wrote my own version (because his is EnPacked) and extended it. I'd be happy to share the source code - with the usual proviso about test it yourself and no warranty etc.

Rgds,
James