Saturday, March 20, 2010

Timeline Analysis Part 2 : The Registry in my last post on Timeline analysis, I showed you how to create a Bodyfile using The Sleuth Kit tool FLS. Then we used a second tool called mactime, to create the timeline in both csv and txt format.

Now, we are going to add the last write times from the registry keys from the NTUSER.dat, system, security, software, and SAM hives. These hives are located in:

C:\Windows\System32\config <-- All registry hives C:\Documents and Settings\ <-- NTUSER.dat file First, I used FTK Lite v2.6.1 to export my local hives and dropped them into my regtime directory. Regtime is a tool wrtten by Harlan Carvey, and is now part of the SANS SIFT Toolkit v2.0.

Now, in my example all of the hives are in my current working directory, but this does not have to be the case. If you are working from an image file, you can use the -r option in regtime to specify the full path to the hive this...

perl -m -r /Windows/System32/config/software

NOTE...the mount point would be something like /mnt/badguy_image if
you are using a linux system or the SIFT workstation, or Z:\Windows...blah blah blah...if you are using a Windows system.

So in the screenshot below, I simply parsing the system hive for you to see what it would look like.

Pretty cool, huh. NOW, what you can do is redirect the output from this command to the original bodyfile that you created using FLS. Now your timeline will include both the active file system (at least the metadata entries) and the last write times for all of the registry keys.

So, now if you recall from my previous post, I used mactime to generate the timeline. In this example, I would use this command... -d -b bodyfile > timeline.csv <-- This will generate an outfile that I can open with MS Excel or OpenOffice Calc -b bodyfile > timeline.txt <-- this will generate an outfile that is a flat text file. So now you can see from the screenshot below that I have file system metadata right next to last write times from the registry.

Just think about the impact to your cases! You have the ability to take a quick look at times when things are or had taken place, all at once in one clean csv file. So if the customer gives you a rough timeline regarding when the "incident" may have taken place, you can easily grep through the timeline for JUST that day, or a few days prior to the incident. If something or someone had done something nefarious, you will be able to see what files were created, and which registry keys were affected. Then, you should have a clear path to direct your investigation and gather more data to build your case.

Now you may be wondering, what about local log files? Stuff like the Windows event logs, or IE history? Fear not! In my next post I will cover how to incorporate those files into your super timeline as well! Nice!


  1. Chris,
    would you ever conduct Timeline analysis on a live system using fls or would you always us an image or F-Response to mount the system read only.
    I really want to ad timeline analysis to a scripted First Response toolkit but my main concern is altering the Live system under review.

  2. I actually just did this today and no modifications to the time stamps are made. The files themselves are not touched, the meta data is simply queried, and subsequently reported on. Same with the registry...the last write times on the keys are extracted and parsed into bodyfile format - the keys themselves are untouched.

    So, by running a timeline analysis on a live system, as long as YOU don't touch the files, the tools won't either. FLS, regtime, and log2timeline are safe.

    Great question though! In the case I am working now, the client was pretty jazzed that I was able to give them something so quickly. Granted, it wasn't a ton, but I was able to walk through the activities with an admin and identify which files and reg keys needed further analysis. Which is great, since while I was connected with F-Response and imaging with FTK lite, I had some time to kill.

    BTW...plug for F-Response...what a great freaking tool! ARE the miggity man!

  3. Hi Chris,
    I have been following your Timeline Analysis and wanted to try it on my school assignments but i can't find the tool called regtime with it dll file and perl script in a zip. Do you have any idea on where to find them. I tried downloading SIFT from SANS but the download are slow and everytime it will timeout.


  4. Fredrick...send me an email at and I will make sure you get the correct file.