From SleuthKitWiki
Revision as of 11:53, 26 October 2008 by Carrier (Talk | contribs)

Jump to: navigation, search

Creating a timeline of system activity will give an investigator clues regarding where to probe further. The timelines in The Sleuth Kit allow one to quickly get a high-level look at system activity, such as when files were compiled and when archives were opened. TSK allows you to generate timelines of activity from a variety of sources.


Many files and directories have times associated with them. The quantity and description of which depend on the file system type. For example, FFS and Ext2/3 file systems have a Modified, Accessed, and Changed time. Ext2/3 also has a deleted time. FAT stores the Written, Accessed, and Created time, although by spec the Created and Access times are optional and the Access time is only accurate to the day. NTFS has created, modified, changed, and accessed times.

Other logs and sources of data may also have temporal data. For example, event logs, system logs, the Windows registry, and document metadata. Having those in a single time line, along with the file system data, can help to reconstruct events.

Timeline Creation

At a high level, generation is a two step process. In the first step, temporal data is gathered from various data sources (such as file systems, registries, logs, etc.) and saved to a general format, which is described in fls. This step is done using the 'fls' tool in TSK or other tools, which are listed below. The second step is to sort and merge all of the temporal data into a single timeline. This step is done using the 'mactime' script in TSK.

Data Gathering

The primary method for collecting temporal data from file systems is to run fls with the '-m' flag. With version 1.X and 2.X of TSK, you also had to run the ils command to get all unallocated files, but that is no longer required.

The 'fls' command requires the '-m' argument with the '-r' flag to gather all files. This step walks through the directory hierarchy and outputs a line for each file in the file system. This command needs to be run for each partition in a disk image.

As an example, consider a Windows system with only one partition (that starts at offset sector 63):

# fls -m "C:/" -o 63 -r images/disk.dd > body.txt

An example of an OpenBSD system with two partitions could be:

	# fls -o 63 -f openbsd -m / -r images/disk.dd > body.txt
	# fls -o 3233664 -f openbsd -m /var/ -r images/disk.dd >> body.txt

The time skew of the system can also be taken into consideration during this step. Using the '-s' argument to 'fls', the body file can have the adjusted times so that the system is consistent with other servers.

NOTE: This replaces the actions of 'grave-robber -m' in TCT. The mac-robber tool (on the www.sleuthkit.org web site) can also be used to gather allocated file data on a mounted file system. 'mac-robber' is useful for file systems where tools do not exist (such as AIX jfs).

Any data with times can be converted to the format needed by mactime. I have created scripts to convert log files to the format before so that all data was in a single timeline.

Other scripts that are written to convert data to the mactime format include:

  • TODO

Timeline Creation

When all of the temporal data has been merged into a single file, the data can be sorted based on the times. The mactime program does that.

# mactime -b body.txt 2002-03-01 > tl.03.01.2002.txt

The above command generates a timeline of file activity from the previously created body.txt file for all activity starting in March. If the /etc/passwd or /etc/group files are known, they can be specified using the '-p' and '-g' flags. Otherwise the numerical values will be displayed. The '-z' flag can be used to specify the time zone.

# mactime -b data/body.txt -p data/passwd -g data/group 2002-03-01 > tl.03.01.2002.txt

The output format has changed slightly since the 'mactime' in TCT. The inode value is now displayed in a separate column. Previously it was not displayed.

Some example outputs of mactime will now be shown. The next two entries are for a deleted socket in an EXT2FS image:

Wed Mar 20 2002 16:56:12 0 ..c s/srwxrwxr-x 500 500 127 /tmp/socket1 (deleted)
                         0 ..c   srwxrwxr-x 500 500 127 <linux.dd-dead-127>

The first is the 'fls' entry and the second is the corresponding entry from 'ils'. While it may seem redundant to show both, many times 'fls' will not show the deleted file name because the entry has been reallocated. Therefore, just the 'ils' dead entry will appear and the investigator will not know the original path location.

The first 0 is the file size. The "..c" string means that this entry is for the "Change" value. The dots are replaced with 'm' or 'a' for other entry types (deleted entries are not created for EXT2FS). The next string is the file system mode. The entries from 'fls' will have the directory entry type first, followed by a slash and the mode from the inode entry. 'ils' entries will only have the inode mode. The next two are the UID and GID (or names if the group and passwd file are specified), followed by the inode. The final entry is the file name (or <IMG-dead-#> for unallocated inodes).

The next two are for file that is deleted, but the inode that the directory entry points to is deleted.

Fri Aug 23 2002 16:56:12 11 .a. l/-rw-r--r-- 0 0 34689 /tmp/file1 (deleted-realloc)
                         11 .a. -/-rw-r--r-- 0 0 34689 /etc/sysconfig/desktop  

This can be see because they are both entries for the deleted file (tmp/file1) and the allocated file (desktop), which have the same inode (34689). It can also be seen because the deleted entry has different values for the file type (l and -).

If you are going to include the resulting timeline in a document, then it maybe better to supply the '-d' argument to output in comma delimited format. The resulting timeline can then be imported into a spread sheet and included as a table.

The '-i' option to 'mactime' creates an index summary file, including how many hits were found per day or hour. Using '-d' with '-i' allows one to easily import data into a spread sheet that can be graphed to spot suspicious behavior.

# mactime -b data/body -d -i hour data/tl-hour-sum.txt > data/timeline.txt

The Zeitline tool also imports the same data format and has a more graphical display.


See also Ex-Tip: An Extensible Timeline Analysis Framework in Perl (Michael Cloppert)