Difference between revisions of "Timelines"
(Created iniital page. Needs workk to merge with ref_timeline.txt.) |
(Added zeithline and ex-tip links.) |
||
Line 17: | Line 17: | ||
= Timeline Creating = | = Timeline Creating = | ||
Add content here about using mactime, or refer to the [http://www.sleuthkit.org/sleuthkit/docs/ref_timeline.txt] file. | Add content here about using mactime, or refer to the [http://www.sleuthkit.org/sleuthkit/docs/ref_timeline.txt] file. | ||
+ | |||
+ | The [http://projects.cerias.purdue.edu/forensics/timeline.php Zeitline] tool also imports the same data format and has a more graphical display. | ||
+ | |||
+ | = Other = | ||
+ | See also [http://www.sans.org/reading_room/whitepapers/forensics/32767.php Ex-Tip]: An Extensible Timeline Analysis Framework in Perl (Michael Cloppert) |
Revision as of 10:03, 22 October 2008
Creating a timeline of system activity will give an investigator clues regarding where to probe further. TSK allows you to generate timelines of activity from a variety of sources.
NOTE: This page is a work in progress. TSK comes with a reference doc on timeline creation, that needs to be updated or merged with this page: http://www.sleuthkit.org/sleuthkit/docs/ref_timeline.txt.
Overview
At a high level, generation is a two step process. In the first step, temporal data is gathered from various data sources (such as file systems, registries, logs, etc.) and saved to a general format, which is described in fls. This step is done using the 'fls' tool in TSK or other tools, which are listed below. The second step is to sort and merge all of the temporal data into a single timeline. This step is done using the 'mactime' script in TSK.
Data Gathering
The primary method for collecting temporal data from file systems is to run fls with the '-m' flag. With version 1.X and 2.X of TSK, you also had to run the ils command to get all unallocated files, but that is no longer required. See [1] for more details.
Any data with times can be converted to the format needed by mactime. I have created scripts to convert log files to the format before so that all data was in a single timeline.
Other scripts that are written to convert data to the mactime format include:
- TODO
Timeline Creating
Add content here about using mactime, or refer to the [2] file.
The Zeitline tool also imports the same data format and has a more graphical display.
Other
See also Ex-Tip: An Extensible Timeline Analysis Framework in Perl (Michael Cloppert)