Friday, July 16, 2010

Stop, Children, What’s That Sound?

In a previous post, I outed myself as an unrepentant SANS cheerleader.  To expand a bit on that full disclosure, it would be appropriate to point out that I will be acting as Rob Lee’s teacher’s assistant for SEC408 at SANS Network Security 2010 which will be held in Las Vegas from September 20th through the 25th.  I have a passion for teaching and presenting so I’m looking forward to this opportunity.

With that out of the way, I recently completed both SEC408 and SEC508.  I won’t bother with a review of either course because you can guess what I thought of them.  I think the SEC408/508 material is some of the best digital forensics training that I’ve ever run across.   I consider SEC408 and SEC508 to essentially be two parts of the same class.  I would strongly encourage even those who are experienced forensicators to consider taking SEC408 before taking SEC508.  SANS has put together a very nice assessment test for people to determine what courses they would best benefit from.  While it’s entirely possible that someone could already have SEC408 knowledge and not need to take the course before 508, I learned quite a bit from the SEC408 course.

SEC408 provided me with additional knowledge in areas that I already had a pretty decent grasp of such as browser forensics.  It was an excellent class that helped me sharpen my edge in forensic fundamentals.  I consider SEC508 to be a transformational experience where I was given entirely new tools that I have been using with great enthusiasm now that I have them in my arsenal. The tool that I want to blog about today is what Rob Lee accurately calls the Super Timeline.

Making Use of a Super Timeline

I won’t go over how to create a Super Timeline since Rob has already covered that at a high level on the SANS Forensic Blog. What I’ve been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that never occurred to me to consider as part of a timeline.

What I’ve learned is that creating a Super Timeline is only the beginning of timeline analysis.  Because the Super Timeline method captures so many time stamps, it is likely that a Super Timeline will contain too many entries to manually review line by line, especially if an examiner creates a timeline for an entire drive image.  The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

What I recommend is to use more tactical forensic tools to pull out specific dates and times that can then be viewed in greater detail by using the Super Timeline.  A classic forensic examination is one where an examiner is asked to determine whether someone removed information such as intellectual property from a computer using methods such as email or a USB device.  The Super Timeline is an invaluable tool for this sort of examination, but you have to know where to look on the timeline to get the data of interest.  Tools that can help an examiner do this include Digital Detective’s Net Analysis and HSTEX, Harlan’s Reg Ripper, and keyword searching via spreadsheet programs such as Excel.

I like the Net Analysis and HSTEX combo and I’ve been using both tools for many years.  Craig Wilson was recently awarded a well-deserved Forensic 4cast Lifetime Achievement Award.  An examiner can take the latest version of HSTEX and use it to extract web browser history from an image.  If it’s a Windows operating system that is being examined, the Internet Explorer history will be of great interest because the examiner can load the HSTEX results into Net Analysis and then filter on terms like “file” to show just file access entries or terms like “attach” to find evidence where files might be uploaded or downloaded from something such as web based email.  The examiner can then take the date and time information for specific events of interest and refer to the Super Timeline to get a clearer picture of the events that surrounded that point in time.

Harlan has been doing some great work in the area of registry forensic research and tool development. Harlan’s Reg Ripper tool is one that every examiner should have in their tool box, and it’s Harlan’s regtime.pl tool that provides registry date and time data in the creation of a Super Timeline.  For example, using the Reg Ripper tool to determine what types of USB devices have been connected to a system allows the examiner to then search for device specific keywords on the Super Timeline.

Super Timelines are designed to be loaded up into a spreadsheet such as Microsoft Excel.  These spreadsheets can also be used to help an examiner zero in on specific events through keyword searching. Keywords such as the word “USB” can be used to help determine when a USB specific event occurred in the timeline.

One of the added bonuses that I’ve discovered from using Super Timelines is that it’s shown me new artifacts to be aware of during an examination.  For example, while examining a recent Super Timeline I saw the last accessed times being updated on the .wav files for the sounds that are made when a USB device is inserted or removed.  It occurs to me that this is a valuable thing to keep in mind when trying to determine what a user did on a particular computer.  When a user interacts with an operating system GUI like Windows, certain actions can result in sound files playing, and that can result in the last accessed time stamps of those files being updated.
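To show the workflow described above in code (pivot from a tactical hit to a window of the Super Timeline, keyword search for USB entries, and flag last-accessed updates on the hardware insert/remove sounds), here is an added example that is not part of the original post or of any SANS tool. The CSV columns and every timeline row are constructed and assumed for illustration; they are not a real log2timeline or mactime export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample Super Timeline. Columns are assumed (date,time,source,
# type,description); the rows are invented to illustrate the analysis.
SAMPLE_CSV = """date,time,source,type,description
07/14/2010,09:58:12,REG,M...,HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Example
07/14/2010,09:58:13,FILE,.A..,C:/WINDOWS/Media/Windows XP Hardware Insert.wav
07/14/2010,09:59:40,FILE,.A..,E:/projects/roadmap.docx
07/14/2010,10:03:02,WEBHIST,.A..,https://mail.example.test/attach?upload=roadmap.docx
07/14/2010,10:07:55,FILE,.A..,C:/WINDOWS/Media/Windows XP Hardware Remove.wav
07/14/2010,14:30:00,FILE,.A..,C:/WINDOWS/system32/notepad.exe
"""

def load_timeline(text):
    """Parse the CSV, attach a datetime to each row, and sort by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = row["date"] + " " + row["time"]
        row["when"] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["when"])

def keyword_hits(rows, keywords):
    """Case-insensitive keyword search over the description column (e.g. 'USB')."""
    wanted = [k.lower() for k in keywords]
    return [r for r in rows if any(k in r["description"].lower() for k in wanted)]

def window(rows, anchor, minutes=5):
    """Entries within +/- minutes of an anchor time taken from a tactical tool."""
    delta = timedelta(minutes=minutes)
    return [r for r in rows if abs(r["when"] - anchor) <= delta]

def hardware_sound_events(rows):
    """Last-accessed (.A..) updates on the hardware insert/remove .wav files."""
    return [r for r in rows
            if r["description"].lower().endswith(".wav")
            and "hardware" in r["description"].lower()
            and "A" in r["type"]]

if __name__ == "__main__":
    timeline = load_timeline(SAMPLE_CSV)
    # Pivot: the browser "attach" hit supplies the anchor for the timeline window.
    anchor = keyword_hits(timeline, ["attach"])[0]["when"]
    for r in window(timeline, anchor):
        print(r["when"], r["source"], r["type"], r["description"])
```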

Twitter Update

I have decided to create a separate unprotected Twitter account called @AFoDBlog for the blog which will be dedicated exclusively to alerting readers to new blog posts and to also pass along digital forensic content that I think will be of interest.  It’s intended to be a low traffic volume feed that emphasizes quality over quantity. Since it’s unprotected you can see what you are getting into before following it.

I use my protected @ericjhuber account to Tweet about digital forensics. I also use it to socialize with my fellow digital forensic examiners which might not be something that readers care to read about.  Most people continue to follow that account once they start reading it, but I have noticed that some unfollow it.  I assume it’s because they aren’t necessarily interested in reading Ken Pryor and me swapping patrol stories about being bitten by cop hating dogs.  I, of course, think this is riveting stuff, but I understand others might not see it that way.

4 comments:

  1. The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

    That's not entirely all that difficult, particularly if you're starting your examination by determining your goals. From there, you have an idea of what information you will want to include in a timeline.

    For example, I've used timelines to investigate SQL injection, and started with file system metadata and the SQLi entries from the web server logs. No Registry data, particularly not the user hives, as the intruder never got to the point of logging in.

    Rather than putting everything into a timeline and then sorting it out, I prefer to intelligently add data sources. For example, I will use evtrpt.pl to tell me if the Event Logs have any data of interest, prior to running evtparse.pl to add that information to a timeline. I don't use regtime.pl, as the SNR is pretty low. I definitely start with a list of default sources but won't add them if there's no reason to, as I want to focus on the task at hand, and not have to explain to others why there's irrelevant data in the timeline.

    Supertimelines are great tools...but in the end, just tools. If an analyst feels that they need to add everything to a timeline because they don't know what they're looking for, perhaps rather than adding everything, the thing to do is to sit back and figure out what your goals would be...

  2. Great points, Harlan. You can use tools like log2timeline and others to be more precise in how you populate your timeline in the first place.

  3. > These spreadsheets can also be used to help an examiner zero in on specific events through keyword searching

    Good post. Have you tried to use the advanced filters in excel to further examine supertimelines? I have found them to be useful since advanced filters enable you to apply filters using basic logic, such as and, or, and wildcards. This helps in hiding from view the information that may not be relevant at the time. For example, a filter can be applied to only display the Internet history for a certain day by creating a filter to include the date of interest and “IE history”. I have found filters useful in creating custom timelines from the super timelines.

    Just a note, the filter option in Excel only lets you select two variables but the advanced filters option provides you with a lot more variables than just two.

  4. Thanks, Corey. I think that is one of the advantages of loading your Super Timeline into a program like Excel. You then have the ability to use the power of that program to pull out useful information.
