Thursday, May 8, 2014

Creating a Timeline with The Sleuth Kit


The Sleuth Kit is a very powerful set of tools.  When performing a forensic exam, dates and times are often the only way to prove who was behind the keyboard or to isolate the events leading up to a breach or attack.  One thing the Sleuth Kit gives us is the ability to create a timeline that we can review as a spreadsheet.  We are going to be using the same E01 (nps-2008-jean) file that we have been using in the other posts.  There are a few steps to making a timeline with the Sleuth Kit.  The first is the ils command.

$ ils -em -o63 nps-2008-jean.E01 | tee nps-2008-jean.bodyfile

The ils command lists inode information.  With the -em options we are asking for every inode in the partition (-e) and for the output in the ASCII mactime (bodyfile) format (-m).  Finally, we used the Linux pipe (|) to push the output to another command, in this case the tee command.  This command allows us to create a new file (which we have called nps-2008-jean.bodyfile) while still showing the output on screen.  The contents of this new file look something like what you see below, but much, much larger:

md5|file|st_ino|st_ls|st_uid|st_gid|st_size|st_atime|st_mtime|st_ctime|st_crtime
0|<nps-2008-jean.E01-$MFT-alive-0>|0|-/rr-xr-xr-x|0|0|33636352|1210717123|1210717123|1210717123|1210717123
0|<nps-2008-jean.E01-$MFTMirr-alive-1>|1|-/rr-xr-xr-x|0|0|4096|1210717123|1210717123|1210717123|1210717123
0|<nps-2008-jean.E01-$LogFile-alive-2>|2|-/rr-xr-xr-x|0|0|55738368|1210717123|1210717123|1210717123|1210717123
0|<nps-2008-jean.E01-$Volume-alive-3>|3|-/rr-xr-xr-x|48|0|0|1210717123|1210717123|1210717123|1210717123

We aren't going to be working directly with this file, so let's continue with the process.  Next we will be using the fls command.  This command lists file information, and just like the last command we will be appending its output to the same bodyfile.

$ fls -o63 -r -m "/" nps-2008-jean.E01 >> nps-2008-jean.bodyfile

We can see a very similar command here.  We are still pointing the command at the correct partition with -o63 and we are still using the -m option (here "/" is the path prefix that gets prepended to each file name).  This time we have also added the -r option to list files recursively starting at "/", the root directory.  We have used >> in place of the | to append the output of this command to the same bodyfile that we created with the last command.

If you were to review the file now you would see the new data is very similar to the data generated with the ils command.  During the final step of creating the timeline we will be using the mactime command to interpret the bodyfile and generate a file that can be interpreted with Excel or a similar spreadsheet software.

$ mactime -b nps-2008-jean.bodyfile -d > nps-2008-jean.timeline.csv

In this command we are using the -b option, which allows us to point the command at a bodyfile (like the one we just created).  The -d option outputs the results of the mactime command to a tab delimited csv file.  We used the > to specify the name and location of the csv.  Why do we need this?  Let's take a look.  I am using OpenOffice to view the file.
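To make it clearer what mactime is actually doing with the bodyfile, here is a small Python script (added for this post, not part of The Sleuth Kit) that parses the bodyfile format shown above and collapses each record's four timestamps into mactime-style rows with an MACB flag column.  The sample data embeds the four lines from the bodyfile above plus one constructed record (inode 4242, path /example/notes.txt) whose timestamps differ, so you can see how one file turns into several timeline rows.  Two simplifications are assumptions of this script, not mactime's documented behaviour: times are rendered in UTC rather than the local zone, and rows with equal times are ordered by file name.

```python
"""Minimal, added illustration of how a Sleuth Kit bodyfile becomes a timeline.

This is not mactime itself; it reproduces the core idea (one row per
distinct timestamp per file, tagged with which of m/a/c/b it represents)
so the CSV columns seen in the spreadsheet make sense.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Column order of the TSK 3.x bodyfile header shown in the post.
FIELDS = ("md5", "file", "st_ino", "st_ls", "st_uid", "st_gid", "st_size",
          "st_atime", "st_mtime", "st_ctime", "st_crtime")

# Constructed sample: the post's first four bodyfile rows, plus one
# constructed record (inode 4242) whose four timestamps are not identical.
SAMPLE_BODYFILE = """\
md5|file|st_ino|st_ls|st_uid|st_gid|st_size|st_atime|st_mtime|st_ctime|st_crtime
0|<nps-2008-jean.E01-$MFT-alive-0>|0|-/rr-xr-xr-x|0|0|33636352|1210717123|1210717123|1210717123|1210717123
0|<nps-2008-jean.E01-$MFTMirr-alive-1>|1|-/rr-xr-xr-x|0|0|4096|1210717123|1210717123|1210717123|1210717123
0|<nps-2008-jean.E01-$LogFile-alive-2>|2|-/rr-xr-xr-x|0|0|55738368|1210717123|1210717123|1210717123|1210717123
0|<nps-2008-jean.E01-$Volume-alive-3>|3|-/rr-xr-xr-x|48|0|0|1210717123|1210717123|1210717123|1210717123
0|/example/notes.txt|4242|r/rrwxrwxrwx|0|0|1024|1210800000|1210700000|1210750000|1210700000
"""

TIME_FLAGS = (("m", "st_mtime"), ("a", "st_atime"), ("c", "st_ctime"), ("b", "st_crtime"))


def parse_bodyfile(text):
    """Return one dict per bodyfile record; the header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("md5|"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed bodyfile line: %r" % line)
        rec = dict(zip(FIELDS, parts))
        # st_ino stays a string: on NTFS, fls emits addresses such as
        # 17015-128-1 (inode-attrtype-id), which are not plain integers.
        rec["st_size"] = int(rec["st_size"])
        for _, key in TIME_FLAGS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def build_timeline(records):
    """Collapse each record into mactime-style rows: one row per distinct
    timestamp, with an MACB string marking which times share that value."""
    rows = []
    for rec in records:
        by_time = defaultdict(list)
        for flag, key in TIME_FLAGS:
            if rec[key] == 0:          # 0 means "not set"; our choice is to drop it
                continue
            by_time[rec[key]].append(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append({"time": ts, "size": rec["st_size"], "macb": macb,
                         "mode": rec["st_ls"], "uid": rec["st_uid"],
                         "gid": rec["st_gid"], "meta": rec["st_ino"],
                         "file": rec["file"]})
    # Chronological order is the whole point of the timeline; ties are
    # broken by file name here (an assumption, not mactime's rule).
    rows.sort(key=lambda r: (r["time"], r["file"]))
    return rows


def format_row(row, tz=timezone.utc):
    """Render a row as comma-separated columns: Date,Size,Type,Mode,UID,GID,Meta,File Name."""
    when = datetime.fromtimestamp(row["time"], tz).strftime("%a %b %d %Y %H:%M:%S")
    return ",".join([when, str(row["size"]), row["macb"], row["mode"],
                     row["uid"], row["gid"], row["meta"], row["file"]])


if __name__ == "__main__":
    print("Date,Size,Type,Mode,UID,GID,Meta,File Name")
    for row in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(format_row(row))
```

The constructed /example/notes.txt record produces three rows (m..b, ..c., .a..) because its modified and created times match while its changed and accessed times do not; the four NTFS metadata files each produce a single macb row because all four of their times are identical.  Real mactime prints epoch values in the local time zone unless you pass -z, so when comparing against other evidence note which zone the spreadsheet is in.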


We can see that the mactime command has organized the dates and times into chronological order, making it very simple for us to see the relationship between events based on their position in the timeline.  If we look under the "Meta" column we can see the inode number, which makes it easy to identify the files we are interested in and even to display the contents of a file with the icat command.

$ icat -o63 nps-2008-jean.E01 17015
[General]
Display Name=Outlook Forms Redirector
Description=Redirects Exchange/Outlook forms to whichever of the two is running.
Path="frmrdrct.dll"
Entry Point=1
Client Version=4.0
Misc Flags=Disabled;NoUserEdit

[Exchange Client Compatibility]
Exchange Registry=1
Exchange Extension Key="Outlook/Exchange Forms Coexistence"

So it's pretty obvious that if dates and times are a key part of your investigation, it may be very helpful to create a timeline.
