Saturday, June 13, 2009

Thoughts on Timeline Analysis

I was chatting with Chris Pogue (a fellow Syngress book author attending the SANS Forensic Summit) a bit over the past couple of days on the subject of Timeline Analysis, and had some thoughts that I wanted to throw out there and see what others thought about them...

Personally, I've been doing some pretty cool things with timeline analysis, incorporating not only file system metadata, but Event Log entries, data from the Registry, as well as the user's web browser history, etc. What this does is allow me to view events from several sources all in one place, giving me some context, but not all of the possible context. And this can be a LOT of data! I go through the process of creating a bodyfile, then a 5-field TLN format events file, and then a full timeline in ASCII, saving it in a text file. I've updated some of my code recently to allow me to re-run the events-file-to-timeline conversion tool and focus solely on a specific date range, down to a single day.

This is where we usually start talking about visualization...what's a good way to present this information in a graphic format so that the analyst can determine the answer to the question they're trying to answer? Perhaps better yet...IS there a good way?

When it comes down to presenting the data to the customer, I've never been a supporter of giving the customer all of the raw data (there are folks out there who think a 3300+ page report is a good thing!), and giving the customer a timeline graphic of ALL of the data really doesn't do a whole lot, either for them to understand what's going on, or for your professional credibility. That's where the knowledge and ability of the analyst come in, and you create a timeline that summarizes the important and relevant events for the customer.

So, how do you do this? Do you sift through the data, extracting all of the irrelevant stuff (ie, removing thousands of file last accessed events and replacing them with a single AV scan event, etc.) and dump it into some kind of program that will generate the timeline automatically, or is it something more of a manual process? (See the Resources section at the end of this post for some examples of how to create a graphic representation of a timeline that can be added to reports.)

At this point, I'm of the opinion that this is still largely a manual process. While timeline creation and analysis has been automated to some degree through the use of tools, the fact is that there's currently no automated "sausage grinder" that you can drop an acquired image into and have it chug away and give you a full timeline. Just the file system metadata alone from one system can be cumbersome and overwhelming, particularly if you don't know what you're looking for. Lets say that you automatically add the Event Log entries to the timeline...but what if the Security Registry hive shows that the type of auditing you're looking for (successful login attempts) wasn't enabled, and a scan of the Event Logs shows that the events do not cover the dates in question anyway? If this is an automatic process, you've now got a lot of extra, albeit irrelevant, data.

What about context? Not all context of the events is visible in a some cases, a recent modification date on a file isn't as important as what was added (or removed) from the file. Or you may have two events...a USB removable storage device plugged into the system and shortly thereafter, a Windows shortcut/LNK file created...and the valuable context of the correlation between the two events is in the path information and volume ID embedded in the LNK file.

In a way, this discussion brings us back around to the basic idea of the skill and knowledge of the examiner/analyst. Lets say an analyst responds to an incident, and goes on-site to find four desktop systems that had been powered down and taken off of the network. One analyst might look at this, remove the drives, and image them with the pair of Vooms he has in his jump kit. Another might hook each drive up to a write-blocker and acquire logical images of each partition. Yet another responder might boot each system, log in as Administrator, acquire volatile data, and then perform live acquisitions. Given this kind of disparity across a single response, how does an analyst then "correctly" decide which information needs to be included in a timeline for analysis, and then determine the context of the data?

IMHO, this all comes down to training and experience. Training specifically in this topic needs to be available, followed by guidance and mentoring. Cheatsheets need to be available to remind folks about what's available, why and how the data is important, and then within organizations and labs, there needs to be some kind of peer review.


How to create a timeline in Excel (free templates)
Free SmartDraw Timeline Software


Anonymous said...

I've only investigated one intrusion before (and it was Linux) so if this obviously won't work, you know why. :)

What about creating a list of important parts of the timeline, similar to what you did with RegRipper. For example, with the registry, new programs set to automatically run on boot would certainly be important. With Event Logs, maybe X amount of failed logins in X minutes, or the Firewall/AV software being disabled, etc. With file system activity you can get files of interest from AV logs, or new RUN keys, new programs in system32/ etc.

Then you could create a timeline with different colored lines representing each type of log, and somehow highlight on each line the important events. Because, as you know, an incident is a series of adverse anomalies, hopefully you'd have highlights grouped somewhat close to each other letting you zero in on the incident.

ecophobia said...

I believe the link to "Free SmartDraw Timeline Software" is in fact "7 day" trial version. It is currently on special for $197.

Rob Lee said...

You talk about training for Timeline Analysis. The SANS SEC508 (Computer Forensics, Investigation, and Response) teaches full timeline analysis including file and registry. We dedicate a full half day to the introduction on Day 2 ( and we have exercises throughout the rest of the week. We have been teaching timeline analysis since 2001 when I first wrote

Timeline analysis is wonderful for casework.

--Rob Lee

H. Carvey said...

@Anonymous -
With Event Logs, maybe X amount of failed logins in X minutes, or the Firewall/AV software being disabled, etc.

"X amount of failed logins in X minutes" isn't an event or point in time.

With file system activity you can get files of interest from AV logs, or new RUN keys, new programs in system32/ etc.

I'm not sure how file system activity will give you "new Run keys", and the autostart programs are values in the Run key, NOT "new Run keys".

@ecophobia - Okay, so it's 7 days you get to try it out.

@Rob - That's a great start, but how about adding Event Logs? And rather than grabbing *all* Registry key LastWrite times, how about the ones of interest or that are important to the analysis? How about INFO2 contents, Prefetch files, etc.? I agree that you provide the training, there's no question about that...what I'm saying is needed is more training so that more analysts can take this plethora of data and be able to decide what's important to their analysis.

Rob Lee said...

@Harlan - Agreed. I do bring that up in class that there is much more you can do with it. For example, Mike Cloppert was in class when he heard me suggest folks build a timeline tool that pulls in other events. That tool became ex-TIP which you can find the paper on at the SANS Whitepapers for Forensics at

As for as I know this is the only course that even has it as a primary focus. With the next release of the SIFT workstation expect even more tools that can accomplish parsing elements that you mention.

You want expanded training? Keep your eyes peeled on the updates coming to SEC508.


Rob Lee said...

If people want to see a "How TO" on doing basic timeline work, check out this link. This uses tools built in the SIFT Workstation.

And the registry tools were built by none other than Mr Carvey himself then modified to run on the SIFT Workstation.

H. Carvey said...

@Rob - clicking the link leads to "File Not Found".

For HowTos on how to add other data to a timeline, keep you eyes on this blog, as well as on Hakin9 magazine.

Anonymous said...

This is the link?

Anonymous said...

"X amount of failed logins in X minutes" isn't an event or point in time.

True, there might be a little automated analysis involved, but I would think if you put the data in a SQLite database queries like that would be easy.

I'm not sure how file system activity will give you "new Run keys", and the autostart programs are values in the Run key, NOT "new Run keys".

What I meant was you could enumerate the most recent value of the Run key (thanks for the correction) to help get files of interest.

You could have a multi-line chart of X type of timeline activity, and on top of that you could have a scatter plot layer highlighting important events.

Basically a graph similar to this which was created using ChartDirector:

In theory, it would create a vertical line of scatter points along the relevant lines. Whether it would really work in practice, I don't know.

Kristian Erik Hermansen said...

Check out ArcSight ;-)