Tuesday, March 23, 2010

Timeline Analysis Part 3 : Log2timeline

In my last two posts we covered how to use FLS to create a bodyfile of the active file system, and how to use regtime.pl to add the last write times of the registry keys in the hive files to that same bodyfile. Now we are going to cover a great tool called "log2timeline", which lets us add local system and application logs, such as the Windows event logs, browser history files, and anti-virus logs, to that bodyfile as well. Rob Lee recently posted about how to do this using the new SIFT toolkit v2.0 on the SANS Forensics blog.

I have not covered this before, so I will digress a bit into Perl and getting Perl scripts to run on your local machine. If you don't have ActivePerl installed, get it. It's extremely useful, and necessary if you want to run any sort of Perl script on your local Windows machine.

Perl scripts rely on things called Perl modules, or .pm files. They are somewhat like DLLs: "chunks" of code that different scripts can reuse instead of each developer rewriting the same function. Before you run a new Perl script for the first time, open it in a text editor and see which modules it needs (the "use" lines near the top of the script). In the screenshot below, I just used the *nix command "more" to look at the first section of the script. Which reminds me: if you don't have UnxUtils installed on your Windows box, you probably want to get that as well. It contains Windows builds of a slew of *nix commands that are, again, extremely useful.
Here is the section of the code you want to look for…

If you don't have these modules installed, there are a couple of ways to get them. First, you can use the command "ppm", which stands for "Perl Package Manager", followed by "install" and the module name. So, say you wanted to add the "Time::localtime" module; your command would look like this…

C:\tools> ppm install Time::localtime

There are other times when you will want to install the module from a specific URL. For example, the University of Winnipeg in Canada has a great site for installing different modules. In that case, you point ppm at the package's .ppd file, and your command would look like this…

C:\tools> ppm install http://cpan.uwinnipeg.ca/PPMPackages/10xx/.ppd

Now, be advised that this can be a total pain! Getting Perl scripts to work can involve a LOT of elbow grease…much like compiling source code on a Gentoo distro! Don't fret though…all of the packages and DLLs you need are available for free on the Internet. It just takes some time and patience. A word of warning…DO NOT try to cut and paste .pm files into what you think is the right directory. It's SO not that easy. Use the ppm command and find the right .ppd files. Google is your friend. =)

Once you have all of the Perl modules and DLLs you will need to run your script, you can proceed. Thus ends the mini Perl lesson.

Something else you will probably want to do (for convenience) is put your Perl distro into your path. This will save you from having to change directories to invoke Perl when running various scripts. This is pretty easy. Simply right click on "My Computer" and select "Properties". From there select the "Advanced" tab, and click on the "Environment Variables" button. In the "System variables" window, scroll down until you see the variable "Path". Double click on "Path", or simply highlight it and click on the "Edit" button. From here you can add any directory you want to your path, with each entry separated by a semicolon. Again, having these directories in your path means you don't have to actually be in that directory to launch whatever it is you are trying to run.

Download log2timeline and uncompress it into its own directory…I put mine inside my C:\tools directory, creating a directory called "log2timeline". From the command line, you can see which file types are currently supported by log2timeline by issuing the command seen in the screenshot below.

So, for my example, I am going to parse my local Mozilla Firefox history file into bodyfile format. To accomplish this and for ease of use, I copied the file into my current working directory. This is not necessary though. I could simply provide the full path to the file. So, my command would simply be…

C:\tools\log2timeline> perl log2timeline -f firefox3 places.sqlite

Here is a snippet of the output…

Now, to make this part of our timeline, all we would need to do is redirect the output to our bodyfile, and parse it with mactime…like so…

C:\tools\log2timeline> perl log2timeline -f firefox3 places.sqlite > bodyfile3

C:\tools\log2timeline> perl C:\tools\TSK\mactime.pl -d -b bodyfile3 > timeline3.csv

And…when I open up the timeline with MS Excel, it looks like this…

Here you can see that I likely installed Firefox on December 11, 2009, and checked some stuff about Oklahoma State University (Go Pokes!), as well as Googling Boone Pickens Stadium (I was actually looking for a good seat for my season tickets for the 2010 football season). Anyway…using log2timeline can add an entirely new dimension to your investigations by giving you a single view of the system logs (Windows .evt logs) and application logs alongside the file system and registry timestamps you already have.

Now if you come across a type of log file that is not currently supported, don’t worry. Since this is an open source script, feel free to write your own module for that specific type of log file. Or, if your Perl skillz are a bit lacking, you could contact Kristinn, and I bet he would write it for you (no promises).

So step back for a second and think about what I have covered in these last three posts on creating timelines. Using FLS, you can create a timeline of the metadata timestamps of the active file system. Then, using regtime.pl (a la Harlan Carvey), you can extract the last write times from the registry hive files and include them in your timeline. Now add in log2timeline, and you can include all of the local system and application logs. What you will have at the end is what Rob Lee calls a "Super Timeline" that pretty much encompasses everything that has taken place on the machine and been recorded by these various mechanisms. You can now search by date, or time, or application, or keyword, or whatever, and get a quick snapshot of what was going on at that time, or with that application.
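To make concrete what mactime actually does with a bodyfile once the FLS, regtime.pl and log2timeline entries are in it, here is an added example (my own code, not from the original post and not from the log2timeline or Sleuth Kit projects). It reimplements the core of mactime in Python: parse the 11-field bodyfile lines, expand each entry into one timeline row per distinct timestamp with the "macb" flag string mactime shows in its Type column, sort everything by time, and write it out in the same column layout as mactime -d. It runs over constructed bodyfile lines embedded in the script; the file, registry, event log and Firefox entries are illustrative, not real fls, regtime.pl or log2timeline output, and their timestamps are made up. It goes a little beyond the text in two ways: zero timestamps (a time the source simply did not record) are dropped instead of producing a bogus 1970 row, and dates are rendered in UTC, whereas mactime defaults to local time unless you use its -z option, so set the time zone consistently before comparing against real output. The search helper at the end does the keyword and date-range filtering described above.

```python
#!/usr/bin/env python3
"""Simplified mactime: expand a TSK bodyfile into a sorted timeline.

Bodyfile (TSK 3.x) layout, one entry per line:
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Every entry is emitted once per distinct non-zero timestamp, tagged with
the flags whose time matched: m=modified, a=accessed, c=changed, b=born.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample data (not real fls/regtime.pl/log2timeline output):
# a Firefox profile file, a registry key, two browser visits and one event
# log record. 1260489600 = Fri Dec 11 2009 00:00:00 UTC,
# 1269302400 = Tue Mar 23 2010 00:00:00 UTC, 1269303000 = ten minutes later.
SAMPLE_BODYFILE = """\
0|C:/Users/chris/AppData/Roaming/Mozilla/Firefox/Profiles/x.default/places.sqlite|12345|r/rrwxrwxrwx|0|0|65536|1269303000|1269302400|1269302400|1260489600
0|[HKLM/SOFTWARE/Mozilla/Mozilla Firefox]|0|0|0|0|0|1260489600|1260489600|1260489600|1260489600
0|[Firefox3 history] visited http://www.okstate.edu/ (Oklahoma State University)|0|0|0|0|0|1269302400|1269302400|1269302400|1269302400
0|[Firefox3 history] visited http://www.google.com/search?q=boone+pickens+stadium|0|0|0|0|0|1269303000|1269303000|1269303000|1269303000
0|[Windows Event Log] Application: Service started|0|0|0|0|0|0|1269302400|0|0
"""

# Bodyfile column holding each MACB flag's timestamp.
FLAG_COLUMNS = {"m": 8, "a": 7, "c": 9, "b": 10}


def parse_bodyfile(text):
    """Yield one dict per well-formed bodyfile line; blank and '#' lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split("|")
        if len(cols) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(cols)}")
        try:
            times = {flag: int(cols[idx]) for flag, idx in FLAG_COLUMNS.items()}
        except ValueError:
            raise ValueError(f"line {lineno}: timestamps must be integers") from None
        yield {"name": cols[1], "inode": cols[2], "mode": cols[3], "uid": cols[4],
               "gid": cols[5], "size": cols[6], "times": times}


def build_timeline(text):
    """Return rows (epoch, macb, size, mode, uid, gid, inode, name) sorted by time, then name."""
    rows = []
    for entry in parse_bodyfile(text):
        # A zero timestamp means "not recorded" and gets no row of its own.
        for ts in sorted({t for t in entry["times"].values() if t != 0}):
            macb = "".join(f if entry["times"][f] == ts else "." for f in "macb")
            rows.append((ts, macb, entry["size"], entry["mode"], entry["uid"],
                         entry["gid"], entry["inode"], entry["name"]))
    rows.sort(key=lambda r: (r[0], r[7]))
    return rows


def to_csv(rows):
    """Render rows in the column layout of mactime -d. Dates are UTC here;
    mactime itself defaults to local time unless told otherwise with -z."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for ts, macb, size, mode, uid, gid, inode, name in rows:
        date = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        writer.writerow([date, size, macb, mode, uid, gid, inode, name])
    return buf.getvalue()


def search(rows, keyword=None, start=None, end=None):
    """Filter rows by a case-insensitive keyword in the name and/or an epoch range."""
    return [r for r in rows
            if (keyword is None or keyword.lower() in r[7].lower())
            and (start is None or r[0] >= start)
            and (end is None or r[0] <= end)]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_BODYFILE)
    print(to_csv(timeline))
    # Everything that touched Oklahoma State, then everything from 00:10 onwards.
    for row in search(timeline, keyword="okstate"):
        print(row)
    for row in search(timeline, start=1269303000):
        print(row)
```

Run it as-is to see the sample timeline, or swap SAMPLE_BODYFILE for the contents of a real bodyfile (for example the concatenation of the FLS, regtime.pl and log2timeline outputs). The places.sqlite entry is the instructive one: its four timestamps differ, so it shows up three times, as "...b" on the day Firefox was installed, "m.c." when the history database was last written, and ".a.." when it was last read, which is exactly the kind of spread you read off a mactime timeline.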

This is a HUGE development in our profession! Not only will this add speed and efficiency into your investigations, but it will provide multiple additional data points that will either help you solidify your working theory, or will provide the additional resources you will need to reshape your theory to fit the data. Pretty sweet huh!

So, now you may be saying to yourself…This is so great Chris! I want to buy you dinner! But determining which logs to include in my log2timeline commands is kind of a pain. And I have to hit up arrow like 17 times and change the type of log and the path. What would be really kewl is if there was some sort of tool that would search for me. It would take a path as input, then it would search for all of the log files supported by log2timeline, and parse those into my bodyfile. Well…I have some good news for you…there is just such a tool! It’s called, “Timescanner” and I will cover it in my next post!
