Difference between revisions of "Timelines"

From SleuthKitWiki
Latest revision as of 13:51, 26 October 2008

Creating a timeline of system activity will give an investigator clues regarding where to probe further. The timelines in The Sleuth Kit allow one to quickly get a high-level look at system activity, such as when files were compiled and when archives were opened. TSK allows you to generate timelines of activity from a variety of sources. Autopsy also allows you to create timelines using the TSK tools.


= Background =

Many files and directories have times associated with them; how many there are and what they mean depend on the file system type. For example, FFS and Ext2/3 file systems have a Modified, Accessed, and Changed time. Ext2/3 also has a deleted time. FAT stores the Written, Accessed, and Created time, although by spec the Created and Access times are optional and the Access time is only accurate to the day. NTFS has created, modified, changed, and accessed times.

Other logs and sources of data may also have temporal data, for example event logs, system logs, the Windows registry, and document metadata. Having those in a single timeline, along with the file system data, can help to reconstruct events. You can create or find tools to save temporal data to the body file format.


= Timeline Creation =

At a high level, generation is a two-step process. In the first step, temporal data is gathered from various data sources (such as file systems, registries, logs, etc.) and saved to the body file format. This step is done using the 'fls' tool in TSK or other tools, which are listed below. The second step is to sort and merge all of the temporal data into a single timeline. This step is done using the 'mactime' script in TSK.


== Data Gathering ==

The primary method for collecting temporal data from file systems is to run fls with the '-m' flag. With version 1.X and 2.X of TSK, you also had to run the ils command to get all unallocated files, but that is no longer required.

The 'fls' command must be given the '-m' argument together with the '-r' (recursive) flag to gather all files. This step walks through the directory hierarchy and outputs a line for each file in the file system. This command needs to be run for each partition in a disk image.

As an example, consider a Windows system with only one partition (that starts at offset sector 63):

<pre>
# fls -m "C:/" -o 63 -r images/disk.dd > body.txt
</pre>

An example of an OpenBSD system with two partitions could be:

<pre>
# fls -o 63 -f openbsd -m / -r images/disk.dd > body.txt
# fls -o 3233664 -f openbsd -m /var/ -r images/disk.dd >> body.txt
</pre>


The time skew of the system can also be taken into consideration during this step. Using the '-s' argument to 'fls', the times written to the body file are adjusted so that the system's clock is consistent with other servers.

NOTE: This replaces the actions of 'grave-robber -m' in TCT. The mac-robber tool (on the www.sleuthkit.org web site) can also be used to gather allocated file data on a mounted file system. 'mac-robber' is useful for file systems where tools do not exist (such as AIX jfs).

Any data with times can be converted to the format needed by mactime. I have created scripts to convert log files to the format before so that all data was in a single timeline.

Other scripts that are written to convert data to the mactime format include:

  • Add here...


== Timeline Creation ==

When all of the temporal data has been merged into a single body file, the data can be sorted based on the times. The mactime program does that.
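As an added example (not code from The Sleuth Kit or its author), here is a minimal re-implementation of both steps: a converter of the kind mentioned above that turns a log line into a body-file line, and a mactime-style sorter that expands each body-file line into one event per distinct timestamp and merges everything in time order. It assumes the TSK 3.x body-file layout (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime), constructed sample input, and a simplified output format.

```python
# Added example (not code from The Sleuth Kit): log_to_body() plays the role of a
# custom converter, body_to_events() plays the role of mactime. Assumed body-file
# layout (TSK 3.x): MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
from datetime import datetime, timezone

BODY_ORDER = ("atime", "mtime", "ctime", "crtime")   # column order in the body file
MACB_ORDER = ("mtime", "atime", "ctime", "crtime")   # column order of mactime's m/a/c/b flags
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}

# Constructed sample input: one line as fls -m would emit it, and one syslog line.
SAMPLE_FLS = ("0|C:/Documents/report.doc|1234-128-1|r/rrwxrwxrwx|0|0|4096"
              "|1225000000|1224900000|1224900000|1224800000")
SAMPLE_LOG = "Oct 26 13:51:00 host1 cron[123]: (root) CMD (backup.sh)"

def log_to_body(line, year=2008, skew=0):
    """Convert a syslog-style line to a body-file line. Syslog carries no year,
    so the caller supplies it; 'skew' is a clock correction in seconds, the
    same idea as the -s argument to fls."""
    month, day, clock, host, rest = line.split(maxsplit=4)
    ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp()) + skew
    rest = rest.replace("|", "_")            # '|' is the field separator; keep the line parseable
    # A log event has a single time: store it as mtime and leave the others unset (0).
    return f"0|[syslog] {host}: {rest}|0|----------|0|0|0|0|{epoch}|0|0"

def body_to_events(lines):
    """Expand body-file lines into (epoch, macb, name) tuples sorted by time,
    merging however many sources were concatenated into the body file."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.rstrip("\n").split("|")
        name, times = f[1], dict(zip(BODY_ORDER, map(int, f[7:11])))
        for t in sorted(set(times.values())):
            if t == 0:
                continue                     # unset timestamp: mactime prints nothing for it
            macb = "".join(FLAG[k] if times[k] == t else "." for k in MACB_ORDER)
            events.append((t, macb, name))
    return sorted(events)

def render(events):
    """Print-ready lines in the spirit of mactime output (UTC, simplified format)."""
    return [f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S} {macb} {name}"
            for t, macb, name in events]

if __name__ == "__main__":
    print("\n".join(render(body_to_events([SAMPLE_FLS, log_to_body(SAMPLE_LOG)]))))
```

Running it shows the file's creation, modification/change and access as three separate rows interleaved with the log event, which is exactly the view the merged body file is meant to give.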

The Zeitline tool also imports the same data format and has a more graphical display.

= Other =

See also Ex-Tip: An Extensible Timeline Analysis Framework in Perl (Michael Cloppert)