Tuesday, March 30, 2010

Timeline Analysis Part 4 : Timescanner

In our last episode of Timeline Analysis, we covered the magic that is “log2timeline”…thank you Kristinn! The question I left y’all with (remember, I do live in Oklahoma) is, “How great would be if we had a tool that would leverage the log2timeline-y goodness, but not require you to feed it the local system logs”? I told you such a tool existed, and told you it was called, “Timescanner”. In this post, we will cover this tool.

Timescanner is another tool written by Kristinn, and does exactly what we talked about…it searches the target (either live file system, or mounted forensic image) and searches for the types of log files supported by log2timeline. It then parses those files and add them into the body file, which we would ultimately use to generate our timeline. Let’s take a look at how the tool works.

Again, this is a Perl script written natively in Linux. Getting it working on my Windows XP box with Active Perl 5.10.1 was no proverbial walk in the park. It only took me a few hours of updating perl modules (.pm)s and various other dlls. One thing you will absolutely need to install in “WinPCAP”. Before even starting to try to get all of the pms for Timescanner, go grab it and install it. It will save you some headaches in the long run.

Recall from my last post, that whenever you run a Perl script for the first time, it’s a good idea to determine which modules you may need to load. So to do this…you might try something like this…

C:\tools\log2timeline> more timescanner (If you prefer, can you just open the script with any text editor)

This will give you a full text listing of the Perl script, but the section we are really interested in is this…

Now, this is not to say that these are ALL of the .pms you will need, but making sure these are installed properly will minimize the amount of tweaking you will have to do to get the scrip working.

Once you have your .pms loaded, you care ready to kickoff Timescanner.

The syntax is pretty basic and will look like this…

C:\tools\log2timeline> perl timescanner –d C:\

I skipped the –z option for timeZone, since I am in the central time zone, and I don’t need to make any modifications. However, if you are working a case in one timezone, and your evidence is from a different timezone, this will be a useful option. To see which timezones are supported, simply use this command…

C:\tools\log2timeline> perl log2timeline –z list

OK…so really…all you have to do it run this command…

C:\tools\log2timeline> perl timescanner –d C:\ > bodyfile4

..and timescanner will do the rest! Then, you simply use mactime again to generate the timeline and you will have added to your timeline, all supported log file types from the target drive/image!

Here is a snippet of my timeline…

Here you can clearly see my actions for the day! From what news I was reading from the BBC to creating the file I am using to write this blog entry…all right there!

So, what’s even cooler is that I now have a file that is also fully searchable!

Let’s say I wanted to see the activity from May 11th, or May 10th? Or what about hits for certain keywords like “pinball” or “DEFCON”? Well, just use grep and you can find them right away! Like so…

Now, the screenshot I provided above from MS Excel has been slightly modified to enable you to see the full paths of what Timescanner will report on. I simply highlighted the fields I did not want to see, right clicked on them, and selected “hide”. To get them back, just right click and select “unhide”.

So now, all you would have to do to create a Super Timeline is to simply use the same bodyfile as your output for each of the tools, then use that bodyfile as the input for mactime. It should be noted that this entire process, from the first time you run FLS, to the final compilation of the timeline with mactime, should take less than an hour. So as an investigator, what is that worth to you in terms of how quickly you can generate a full timeline of your suspect system and how much data is actually available to you? My answer is, “a whole freaking lot”!

If you are one of those investigators who are constantly on the search for a “silver bullet”, then I am sorry to disappoint you, but this is not it. There is not “Forensicator Pro” (hehe….thanks for the good joke though Ovie/Brett), there is no “Find All Evidence” button, and “X” never ever marks the spot. What this WILL do for you is give you a clear snapshot of the status of the system at any given, and stored, point in time. It is a tool for generating data points by which you can build your theory of the incident based on the available evidence. Tools should never replace sound logic, forensic methodology, and due diligence.

In addition to my instructions provided on my blog, these tools (and many others) are precompiled and freely available in the SIFT Workstation v2.0. It is a FREE VM image that can be downloaded from the SANS website that I’m certain you will find very very useful. A word of warning though, this image is Linux based, so if you are not comfortable using the command line…well…you need to get that way. May of the more powerful tools out there do not have GUIs, and for good reason. There is no joy or glory is being a “push button Monkey”…and frankly, you can be a very thorough investigator if all you know how to do is click on buttons predefined by somebody else. No offence to anyone, but if you truly want to get better at being a forensic investigator, you really need to become comfortable with the command line.

Hmmmm….sounds like another idea for a blog series?!?!?!


  1. Chris,

    Under what conditions would you recommend running timescanner to automagically get everything that can be...uh...gotten?

    For example, I recently had an engagement that ended up involving SQL injection, w/ the web and db server on the same system. In this case, a timeline consisting of file system metadata and selected web server logs served to provide me something close to "doskey /history", but with time stamps. In other cases, I've done analysis by generating a micro-timeline, using only specific event records from one of the Event Logs.

    Particularly on a multi-user system, when would it be beneficial to get everything? When would it not be beneficial to do so?

  2. Thank god for grep -v. If you don't need an artifact, grep it out. Also, timescanner can be utilized to be more discerning if you like it to be ignore certain artifacts or only scan for certain artifacts.

  3. Harlan...in my limited experience using these tools in conjunction with one another to generate what Rod calls a "Super Timeline", the real benefit I have seen is where the customer either doesn't know what I am supposed to be looking for, or doesn't want to tell me. If my marching orders are to "find evil", and I have nothing else to go on, then gathering every log I can will hopefully provide me with a lead somewhere to give the investigation some clear direction.

    Now, like you and I have talked about many times, I would try to push back on the customer until I could get something...some kind of idea what I am looking for or when the incident likely occurred. Sometimes this works and sometimes it doesn't. Sometimes customers are just plain difficult or sometimes they just flat out don't know.

    It's not that bad though...having all of the data. I mean, you can parse it easily with the command line, so while your final timeline.csv may be pretty big, based on your searching...like Rob said...grep -v, or grep -o, you cal pretty quickly pull out JUST want you want to see.

  4. Chris,

    I simply prefer to take the opposite approach, and I definitely do not get any value from adding all Registry key LastWrite times from hive file to my timeline. I've worked on a number of timelines where there was no great value in doing this, but instead the value came from specific entries (ACMru, RecentDocs, UserAssist, Terminal Server Client) - adding less than 10 entries to the timeline was much more useful than adding all of the LastWrite times from the hive file.

    In addition, knowing that the ACMru\5603 key was modified is not nearly as valuable as knowing that as well as what search term was entered.

    Adding data as needed has worked much better for me. If a system in infected, I don't want to load up a timeline with AV logs saying that the AV was successfully updated and that scans didn't find anything...I'll just make a note of that in my case notes. Why add it to the timeline and then remove it?

    I've been working on some analysis involving systems with 70+ (one system had 78 profiles) users...adding all of those profiles, along with the web server and FTP server logs would make the timeline unmanageable, so getting to the point where I could start removing things would take quite a bit of effort. I had some idea of what I was looking for going into the analysis, and knew what I needed...and was able to not only conduct the analysis, but was able to provide something understandable to other analysts in a timely manner.

    If a consultant walks away from the table with nothing more than "find evil" from the customer, and doesn't try to do anything to narrow that down (timeframe, specific user, specific activity, etc.), then a lot of time is going to be lost and 'eaten' by the consulting firm.

  5. Harlan...I totally agree, and that sounds like a much better approach. So I guess what I need to do is figure out a formula or matrix of which reg keys to add the lastwrite times from. Maybe having a means to say...extract the last write times for THESE keys...do you have RR plugin for that?

  6. Some nice pointers on importing and sorting this data here:


  7. Hey, I am trying out timescanner and I get these errors:
    Unable to open /mnt/mntpt/$Extend/$ObjId
    Unable to open /mnt/mntpt/$Extend/$Quota
    Unable to open /mnt/mntpt/$Extend/Reparse
    Unable to open /mnt/mntpt/$Extend/UsnJrnl
    Unable to open /mnt/mntpt/$Secure


  8. @Sketchymoose...Need some more information. Are you running on Windows or on Linux? Is the target data Windows or Linux? When are you experiencing this error (ie...during timeline creation or when you are trying to view the output)?

    From the looks of the error, it looks like it might be a permissions issue with Linux. That is a pretty common error when an object is either not present, or you don't have the proper permissions to access it.