Monday, June 21, 2010

Timeline Spikes

I was playing with timelines built from the output of The Sleuth Kit's fls (a great tool for making timelines) this morning, and I was thinking about file system activity. Would a spike in activity mean something? Would a reduction in activity mean something? Could these deviations from "normal" activity be easily identified? If they were identified, could you determine the root cause more quickly? Here are the commands to parse your timelines to show you exactly that...

To see file system activity represented numerically:

strings timeline.csv | grep -i | grep -i | gawk '{print $3}' | sort | uniq -c

This command will show you the days of that month, sorted numerically, with a count of the number of hits on each day to the left. This will show both spikes and lulls, and it lets you get a feel for what "normal" file system activity looks like.

You can also see which files were created on a certain date:

strings timeline.csv | grep -i , | grep -i | grep -i "...b,r"

This command will show you all of the files "birthed" in that month. (Note that the dots in "...b,r" are regex wildcards, so the pattern matches any regular-file entry whose birth flag is set, including "macb,r"; escape the dots if you only want entries where the birth time differs from the other three.) You can also drill down to the day by adding a grep for the specific day, which is actually easier since the format in the timeline is a contiguous . Or you can pull out a specific directory by adding the path to the end, like this:

strings .csv | grep -i | grep -i | grep -i "...b,r" | grep -i system32

One thing that I have noticed in my experience with timelines is that nefarious activity (like file creations and download activity) occurs in clusters. When I review my timeline, I will see the bad guys dumping say three or four files onto the target system (usually in the %windir% or %windir%\system32 directories). So would this activity register as a spike in "normal" activity? What if you added the Event logs into the timeline with Log2Timeline? Would additional statistical information become more clear by simply looking at the numerical count for activity on a specific date?
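To tie the three pipelines above together, here is an added example (not from the original post) that runs them over a handful of constructed mactime -d style lines (Date,Size,Type,Mode,UID,GID,Meta,File Name). The month, year, day and path filters that the post's commands leave as blank placeholders are written out as function arguments, and a small spikes function flags any day whose count is more than a chosen multiple of the month's mean, which is the "does a cluster register as a spike" question in code. The file names, sizes and timestamps are made up for illustration, and the exact date layout is assumed to be the "Mon Jun 21 2010 03:12:10" form that mactime emits.

```shell
#!/bin/sh
# Added example, not the post's own commands. TIMELINE holds constructed
# mactime -d style lines; a real one comes from: fls -r -m C: image.dd | mactime -d
TIMELINE='Mon Jun 14 2010 09:00:00,4096,m.c.,d/drwxrwxrwx,0,0,5,C:/Windows/Prefetch
Mon Jun 14 2010 09:00:01,1024,ma.b,r/rrwxrwxrwx,0,0,60,C:/Users/bob/report.docx
Tue Jun 15 2010 10:30:00,2048,.a..,r/rrwxrwxrwx,0,0,61,C:/Windows/system32/kernel32.dll
Mon Jun 21 2010 03:12:10,65536,...b,r/rrwxrwxrwx,0,0,900,C:/Windows/system32/svchost32.exe
Mon Jun 21 2010 03:12:11,8192,...b,r/rrwxrwxrwx,0,0,901,C:/Windows/system32/drivers/netk.sys
Mon Jun 21 2010 03:12:11,4096,m.c.,d/drwxrwxrwx,0,0,40,C:/Windows/system32/drivers
Mon Jun 21 2010 03:12:30,32768,...b,r/rrwxrwxrwx,0,0,902,C:/Windows/upd.exe
Mon Jun 21 2010 03:13:00,512,macb,r/rrwxrwxrwx,0,0,903,C:/Windows/Temp/a.tmp
Tue Jun 22 2010 08:00:00,100,.a..,r/rrwxrwxrwx,0,0,61,C:/Windows/system32/kernel32.dll
Fri Jun 18 2011 08:00:00,100,...b,r/rrwxrwxrwx,0,0,70,C:/Windows/system32/notinrange.dll'

# Entries per day-of-month for one month ($1, e.g. Jun) and year ($2).
# The year filter keeps "Jun 2011" out of a "Jun 2010" count.
# Output: "<count> <day>" per line, days in numeric order.
count_by_day() {
    printf '%s\n' "$TIMELINE" \
      | grep -i "^... $1 [0-9][0-9] $2 " \
      | awk '{print $3}' | sort -n | uniq -c | awk '{print $1, $2}'
}

# Regular files with the birth ($STANDARD_INFORMATION creation) flag set in
# month $1 / year $2, optionally on day $3 and under a path fragment $4.
# As in the post, the dots in ...b are regex wildcards, so "macb,r" matches too.
births() {
    day="${3:-[0-9][0-9]}"
    printf '%s\n' "$TIMELINE" \
      | grep -i "^... $1 $day $2 " \
      | grep -i '...b,r' \
      | grep -i -- "${4:-}"
}

# Days whose count exceeds $3 (default 2) times the month's mean count.
# Output: "<day> <count> mean=<mean>" for each flagged day.
spikes() {
    count_by_day "$1" "$2" | awk -v k="${3:-2}" '
        { c[NR] = $1; d[NR] = $2; total += $1 }
        END {
            if (NR == 0) exit
            mean = total / NR
            for (i = 1; i <= NR; i++)
                if (c[i] > k * mean) print d[i], c[i], "mean=" mean
        }'
}

# Usage: see the month, find the spike day, then list what was born in system32 that day.
count_by_day Jun 2010
spikes Jun 2010
births Jun 2010 21 system32
```

On the constructed data the 21st stands out (5 entries against a mean of 2.25), and the births on that day under system32 are the two dropped files. The mean-over-a-month threshold is deliberately crude: a baseline from the same system (patch days, application installs) is what makes a flagged day meaningful, and files whose $STANDARD_INFORMATION times were copied from another file will land in whatever day the attacker chose rather than in the cluster.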

I know that this is a really short blog post...sorry...been REALLY busy lately, but I hope that it shows you the possibilities that are available to you when you use the command line and your brain. Timelines are really really useful pieces of data!


  1. Before we look for deviations from 'normal' activity, we need to understand what 'normal' is. Depending on the version of Windows (XP vs 2003, etc) and what applications are installed (Java, iTunes, Adobe, etc.), spikes in file system activity could be completely normal.

    Also, consider timestomp-ish activity...files placed in the system32 directory and their MAC times are actually copied from kernel32.dll or some other file. These will skew your results, while being essentially 'correct' (with respect to the $STANDARD_INFORMATION attribute).

    Going back to what may have been the impetus of the post, if you're faced with a case where you're trying to determine if there was any malicious activity or malware on the system (or conversely, prove a negative, ie, there is no malware on the system), then you still have defined goals that can be addressed through a comprehensive process. Hit the mounted image with a couple of AV scanners, and then do all those things that you have in your malware process, and provide your findings at the end.

  2. Pardon - are there typos in the commands above? Specifically the 'grep -i | grep -i' and the 'grep -i, | grep i' portions?