Freaking Sweet! Sniper Foreniscs got picked up for the B-SIDES Security Conference in Las Vegas on July 28th and 29th...right before DEFCON! If you are going to be town for DEFCON, check it out!!!
Going to be at the 2810 Vegas Estate...Not too shabby!
This Blog is dedicated Digital Forensics and Incident Response, tools, techniques, policies, and procedures.
Monday, June 21, 2010
Timeline Spikes
I was playing with the output from The Sleuth Kit's FLS (great tool for making timelines) timelines this morning, and I was thinking about file system activity. Would a spike in activity mean something? Would a reduction in activity mean something? Could these deviances from "normal" activity be easily identified? If they were identified, could you determine the root cause more quickly?
Well...here are the commands to parse your timelines to show you exactly that...
To see file system activity represented numerically:
Strings timeline.csv | grep –i | grep –i | gawk “{print $3}” | sort | uniq –c
This command will show you the days of that month, sorted numerically, with a count of the number of hits on that day to the left. This will show both spikes and lulls as well as letting you get a feel for what “normal” file system activity looks like.
You can also see which files were created on a certain date:
Strings timeline.csv | grep –i , | grep –i | grep –i “...b,r”
This command will show you all of the files “birthed” on that month. You can also drill down to the day by adding a grep for the specific day...which is actually easier since the format in the timeline is a contiguous. Or you can pull out a specific directory by adding the path to the end of the command...like this:
Strings.csv | grep –i | grep –i | grep –i “...b,r” | grep –i system32
One thing that I have noticed in my experience with timelines is that nefarious activity (like file creations, and download activity) is that it occurs in clusters. When I review my timeline, I will see the bad guys dumping say three or four files onto the target system (usually in the %windir% or %windir%\system32 directories. So would this activity register as a spike in "normal" activity? What if you added the Event logs into the timeline with Log2Timeline? Would additional statistical information becmore more clear by simply looking at the numerical count for activity on a specific date?
I know that this is a really short blog post...sorry...been REALLY busy lately, but I hope that it shows you the possibilities that are available to you when you use the command line and your brain. Timelines are really really useful pieces of data!
Well...here are the commands to parse your timelines to show you exactly that...
To see file system activity represented numerically:
Strings timeline
This command will show you the days of that month, sorted numerically, with a count of the number of hits on that day to the left. This will show both spikes and lulls as well as letting you get a feel for what “normal” file system activity looks like.
You can also see which files were created on a certain date:
Strings timeline
This command will show you all of the files “birthed” on that month. You can also drill down to the day by adding a grep for the specific day...which is actually easier since the format in the timeline is a contiguous
Strings
One thing that I have noticed in my experience with timelines is that nefarious activity (like file creations, and download activity) is that it occurs in clusters. When I review my timeline, I will see the bad guys dumping say three or four files onto the target system (usually in the %windir% or %windir%\system32 directories. So would this activity register as a spike in "normal" activity? What if you added the Event logs into the timeline with Log2Timeline? Would additional statistical information becmore more clear by simply looking at the numerical count for activity on a specific date?
I know that this is a really short blog post...sorry...been REALLY busy lately, but I hope that it shows you the possibilities that are available to you when you use the command line and your brain. Timelines are really really useful pieces of data!
Thursday, June 3, 2010
Subscribe to:
Posts (Atom)