Now we are going to add the last write times of the registry keys in the NTUSER.dat, system, security, software, and SAM hives. These hives are located in:
C:\Windows\System32\config <-- All registry hives
C:\Documents and Settings\
Now, in my example all of the hives are in my current working directory, but this does not have to be the case. If you are working from an image file, you can use the -r option in regtime to specify the full path to the hive file...like this (the angle-bracket values are placeholders for the mount point and the hive path)...
perl regtime.pl -m <mount_point> -r <path_to_hive>
NOTE...the mount point would be something like /mnt/badguy_image if
Pretty cool, huh. NOW, what you can do is append the output from this command (redirect with >> so the existing entries are kept) to the original bodyfile that you created using FLS. Now your timeline will include both the active file system (at least the metadata entries) and the last write times for all of the registry keys.
So, now if you recall from my previous post, I used mactime to generate the timeline. In this example, I would use this command...
mactime.pl -d -b bodyfile > timeline.csv <-- This will generate an outfile that I can open with MS Excel or OpenOffice Calc
mactime.pl -b bodyfile > timeline.txt <-- This will generate an outfile that is a flat text file.
So now you can see from the screenshot below that I have file system metadata right next to last write times from the registry.
Just think about the impact on your cases! You can take a quick look at when things took place, all at once in one clean csv file. So if the customer gives you a rough timeline regarding when the "incident" may have taken place, you can easily grep through the timeline for JUST that day, or a few days prior to the incident. If something or someone had done something nefarious, you will be able to see what files were created and which registry keys were affected. Then you should have a clear path to direct your investigation and gather more data to build your case.
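To make the merged bodyfile concrete, here is a small added example (my own code, not from the post or from TSK/regtime) that reads a few constructed bodyfile rows, two from fls and two in the regtime-style layout with inode 0 and a bracketed hive prefix, expands them into mactime-style m/a/c/b events, and pulls out one day's window the way the grep step above does. The bodyfile column order (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) is the TSK 3.x format; the "[HKLM]/..." naming for registry rows is an assumption used only to tell the two sources apart.

```python
"""Merge fls and regtime-style bodyfile rows into one timeline and cut a date
window, mirroring 'mactime -d' followed by a grep for the incident day."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample rows (not real evidence). Two file-system rows from fls and
# two registry rows in regtime layout: inode/mode 0, last-write in all four slots.
SAMPLE_BODYFILE = """\
0|/Windows/System32/drivers/etc/hosts|12345-128-1|r/rrwxrwxrwx|0|0|824|1230768000|1230771600|1230771600|1230768000
0|/Users/bob/Downloads/invoice.exe|67890-128-3|r/rrwxrwxrwx|0|0|204800|1230854400|1230854400|1230854400|1230854400
0|[HKLM]/Software/Microsoft/Windows/CurrentVersion/Run|0|0|0|0|0|1230854460|1230854460|1230854460|1230854460
0|[NTUSER]/Software/Microsoft/Windows/CurrentVersion/Explorer/RunMRU|0|0|0|0|0|1231027200|1231027200|1231027200|1231027200
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    flags: str    # mactime-style "macb" column, '.' where that time is absent
    source: str   # "fs" for fls rows, "reg" for registry rows
    name: str


def parse_bodyfile(text: str) -> List[Event]:
    """Expand bodyfile rows into timestamped events, sorted like mactime output."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"bad bodyfile row: {line!r}")
        name = fields[1]
        atime, mtime, ctime, crtime = (int(f) for f in fields[7:11])
        # Assumption: registry rows carry a bracketed hive prefix such as [HKLM].
        source = "reg" if name.startswith("[") else "fs"
        # mactime collapses identical timestamps into one row with combined flags.
        by_ts: Dict[int, Set[str]] = {}
        for flag, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if ts > 0:
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            flagcol = "".join(f if f in flags else "." for f in "macb")
            when = datetime.fromtimestamp(ts, timezone.utc)
            events.append(Event(when, flagcol, source, name))
    return sorted(events, key=lambda e: (e.when, e.source, e.name))


def window(events: List[Event], start: str, end: str) -> List[Event]:
    """Keep events with start <= when < end; dates are YYYY-MM-DD in UTC."""
    s = datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    e = datetime.strptime(end, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [ev for ev in events if s <= ev.when < e]


def to_csv(events: List[Event]) -> str:
    """Render events as a CSV that opens cleanly in Excel or Calc."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Date", "Type", "Source", "Name"])
    for ev in events:
        w.writerow([ev.when.strftime("%Y-%m-%d %H:%M:%S"), ev.flags, ev.source, ev.name])
    return buf.getvalue()


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODYFILE)
    # The customer said "something happened on 2 Jan 2009": cut just that day.
    print(to_csv(window(timeline, "2009-01-02", "2009-01-03")))
```

On the sample data the one-day window yields the dropped executable and, one minute later, the Run key whose last write time sits right beside it, which is exactly the file-next-to-registry view the post describes.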
Now you may be wondering, what about local log files? Stuff like the Windows event logs, or IE history? Fear not! In my next post I will cover how to incorporate those files into your super timeline as well! Nice!