An automated timeline reconstruction approach for digital forensic investigations
Christopher Hargreaves and Jonathan Patterson, DFRWS 2012
Original presentation at DFRWS: http://www.dfrws.org/2012/proceedings/DFRWS2012-p8.pdf
Original paper: http://www.sciencedirect.com/science/article/pii/S174228761200031X
http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf
Presentation
Introduction
Super TimeLine
Research Objectives
Generation of low-level events
Reconstruction of high-level events
Results and Future Work
Introduction - What is a TimeLine?
A timeline is a way of displaying a list of events in chronological order.
• Visualization
DF TimeLines
A digital timeline can be defined as the representation of useful information relating to a specific security event.
Carbone R, Bean 2011
Traditional DF TimeLine Problems
“Credibility”
• Modification of timestamps during what can be called “normal” user or operating system behavior
• Automated scanning tools that touch every file on the volume
• File attribute manipulation programs such as timestomp (anti-forensics)
TimeLine Problems (cont.)
• BIOS and system clock settings (wrong or deliberately changed clocks shift every timestamp on the system)
• Multi-user systems (an event on the timeline does not by itself say who caused it)
• Disabling of “Last Access Update” in the system: creating or altering a DWORD value named NtfsDisableLastAccessUpdate with the value 1 under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem. Since Windows Vista this value is 1 by default, so NTFS last-access times on modern systems are usually stale and should not be relied on without checking the setting.
Chow 2006
A Little-Known NTFS Property
File times are recorded in two places in each MFT entry:
• the $STANDARD_INFORMATION attribute: the times shown by Explorer and returned by the normal file API, and the ones that timestomp-style tools change
• the $FILE_NAME attribute: maintained by the kernel and not writable through the normal user-mode API
Comparing the two is the standard check for manipulation: a $STANDARD_INFORMATION time that predates the matching $FILE_NAME time, or that has lost its sub-second precision, is a lead worth following (though archive extraction and copies that preserve timestamps can produce the same pattern legitimately).
http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
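The $STANDARD_INFORMATION versus $FILE_NAME comparison above, as an added example (this is not code from the paper or from PyDFT). The MFT record is constructed in memory so the script runs offline; the attribute and header offsets are the standard NTFS on-disk layout, and the file name, timestamps and record number are made up for the demonstration. Fixups (the update sequence array) are not applied here, which a parser reading a real $MFT must do before trusting the last two bytes of each sector.

```python
"""Compare $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps in an
NTFS MFT record to spot timestamp manipulation.

Added example for this page, not code from the paper or from PyDFT. The
record below is constructed (minimal 1024-byte resident record, not read from
a real volume); fixups are not applied.
"""
import struct
from datetime import datetime, timedelta, timezone

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMES = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def iter_resident_attributes(record):
    """Yield (attribute type, content bytes) for each resident attribute."""
    off = struct.unpack_from("<H", record, 0x14)[0]            # first attribute offset
    while off + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == 0xFFFFFFFF or attr_len == 0:            # end-of-attributes marker
            break
        if record[off + 8] == 0:                                 # non-resident flag clear
            content_len, content_off = struct.unpack_from("<IH", record, off + 0x10)
            yield attr_type, record[off + content_off:off + content_off + content_len]
        off += attr_len


def parse_times(record):
    """Return {'name': str, 'si': {...}, 'fn': {...}} with datetime values."""
    out = {"name": None, "si": None, "fn": None}
    for attr_type, content in iter_resident_attributes(record):
        if attr_type == ATTR_STANDARD_INFORMATION:
            out["si"] = dict(zip(TIMES, map(filetime_to_datetime, struct.unpack_from("<4Q", content, 0))))
        elif attr_type == ATTR_FILE_NAME and out["fn"] is None:  # first $FN is enough here
            out["fn"] = dict(zip(TIMES, map(filetime_to_datetime, struct.unpack_from("<4Q", content, 8))))
            name_len = content[0x40]
            out["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return out


def timestomp_indicators(times):
    """Heuristics comparing $SI (user-API writable) against $FN (kernel-maintained).

    1. $SI time earlier than the same $FN time.
    2. $SI time with no sub-second part while $FN has one (tools that set
       whole-second timestamps leave this trace). Both are leads, not proof:
       archive extraction and timestamp-preserving copies look similar.
    """
    findings = []
    for key in TIMES:
        si, fn = times["si"][key], times["fn"][key]
        if si < fn:
            findings.append(f"$SI {key} {si.isoformat()} predates $FN {key} {fn.isoformat()}")
        if si.microsecond == 0 and fn.microsecond != 0:
            findings.append(f"$SI {key} has no sub-second precision but $FN {key} does")
    return findings


def build_resident_attribute(attr_type, content):
    """Resident attribute: 24-byte header followed by content, padded to 8 bytes."""
    total = 0x18 + len(content)
    total += (-total) % 8
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (total - 0x18 - len(content))


def build_mft_record(name, si_times, fn_times):
    """Constructed 1024-byte MFT record with one $SI and one $FN attribute."""
    si = struct.pack("<4Q", *map(datetime_to_filetime, si_times)) + b"\x00" * 16   # flags/version zeroed
    fn = (struct.pack("<Q", 5)                                                    # parent ref: root dir
          + struct.pack("<4Q", *map(datetime_to_filetime, fn_times))
          + struct.pack("<QQII", 0, 0, 0x20, 0)                                   # alloc, real, flags, reparse
          + bytes([len(name), 3]) + name.encode("utf-16-le"))                     # name len, namespace, name
    body = (build_resident_attribute(ATTR_STANDARD_INFORMATION, si)
            + build_resident_attribute(ATTR_FILE_NAME, fn)
            + struct.pack("<I", 0xFFFFFFFF))
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1,
                                   0x38 + len(body), 1024, 0, 2, 0, 42)
    return (header + b"\x00" * 8 + body).ljust(1024, b"\x00")                     # 8 bytes: update seq array


def build_example_record():
    """Constructed evidence: $FN says the file appeared 2012-03-15 10:22:33.123456,
    but $SI creation has been pushed back to 2009 with whole-second precision."""
    real = datetime(2012, 3, 15, 10, 22, 33, 123456, tzinfo=timezone.utc)
    backdated = datetime(2009, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    mft_changed = datetime(2012, 3, 15, 10, 25, 0, 500000, tzinfo=timezone.utc)
    return build_mft_record("report.docx", (backdated, real, mft_changed, real), (real,) * 4)


if __name__ == "__main__":
    times = parse_times(build_example_record())
    print(times["name"])
    for key in TIMES:
        print(f"{key:13} $SI {times['si'][key].isoformat()}  $FN {times['fn'][key].isoformat()}")
    for finding in timestomp_indicators(times):
        print("!", finding)
```

On the constructed record only the creation time trips both checks; the modified and accessed times agree between the two attributes, and the later $SI MFT-modified time is what you expect after any attribute change. In a timeline tool this kind of finding belongs on the low-level event itself, so the investigator sees the disagreement next to the timestamp rather than having to re-derive it.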
Other Timestamp Sources
• Event Logs
• Registry Files
• Internet History
• Email Files
• Recycle Bin\Recycler
• thumbs.db
• Logs
• Chat Logs
• Restore Points
• Internet / Network
• Capture Files
• Archive Files
Super TimeLine
One of the solutions to the shortcomings of traditional timeline analysis is expanding it with information from multiple sources to get a better picture of the events.
Guðjónsson 2010
Existing Super TimeLine Tools
• Timelines based on file system times
– e.g. EnCase, Sleuth Kit
• Timelines including times from inside files
– e.g. Cyber Forensic Time Lab (CFTL), Log2timeline
• Visualizations
– e.g. EnCase, Zeitline, Aftertime
Zeitline
Buchholz, F. & Falk, C., 2005. Design and Implementation of Zeitline: a Forensic Timeline Editor. Digital Forensics Research Workshop.
Cyber Forensic Time Lab (CFTL)
Olsson, J. & Boldt, M., 2009. Computer forensic timeline visualization tool. Digital Investigation, 6(Supplement 1), pp. S78–S87.
Super TimeLine Problems
A super timeline often contains too many events for the investigator to understand and fully analyze, making data reduction and easier methods of examining the timeline essential.
Guðjónsson 2010
Research Objectives
• Needs to provide a ‘gist’ - a ‘summary of activity on the disk’.
• Needs an event reconstruction tool that produces ‘human understandable events’.
• Needs to satisfy forensic requirements, particularly traceability (every high-level event points back to the low-level events it was built from) and repeatability.
• Needs to be extensible, i.e. allow the community to add to it (new extractors and analyzers).
Overview of PyDFT (Python Digital Forensic Timeline)
Two main stages:
• low-level event extraction
• high-level event reconstruction
“The research method in this case is the development of a software prototype chosen over a design-based approach”
Time Extractor
Generation of low-level events
Three kinds of component take part in extraction:
• Extractor Manager (identifies each file by file name, path or content and hands it to the right parser)
• Parsers (generate usable values from the raw file)
• Bridges (map the parsed values onto low-level events)
Backing store for the low-level timeline
• Internally in PyDFT, low-level events are implemented as a Python class.
• SQLite
  – supports multiple advanced queries
  – offers performance benefits
• Export to several other formats
SQLite Database
Three tables:
• Info (about the timeline tool and the run).
• Events (the main low-level event table).
• Keydata (key data attached to individual events).
“SQLite database containing millions of low-level events”
Reconstruction of high-level events
• The approach is based on a plugin framework where each plugin “Analyzer” is a script that detects a particular type of high-level event
Pseudo Code of Analyzer
“Only 22 analyzers implemented. Some examples of which include (User Creation, Windows Installation, Google Search, YouTube Video Access, Skype Call and USB Connected)”
USB Device Connection (cont.)
Test events (the low-level events the analyzer looks for):
• Trigger event: “Setup API entry for USB found (VID:07AB PID:FCF6 Serial:07A80207B128BE08)”
• “Setup API USBSTOR entry found”
• “USBStor details found in Registry”
• “Windows Portable Device entry found in Registry”
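The whole pipeline in miniature, as an added example that is not PyDFT's own code: low-level events loaded into a three-table SQLite store, and one analyzer plugin that fires on the trigger event above, searches for the test events, and emits a high-level "USB device connected" event that keeps the ids of the low-level events it was built from. The column layout, the event type names, the five-minute matching window and the sample rows are assumptions for this example (the first four rows reuse the evidence strings from the slide; the rest are constructed). Only the table names (info, events, keydata) and the trigger/test-event idea come from the presentation.

```python
"""PyDFT-style pipeline in miniature: SQLite low-level store plus one analyzer.

Added example for this page, not PyDFT's code. Schema, type names, window
and sample events are assumptions; sample rows are constructed.
"""
import sqlite3
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"   # UTC; this text form sorts chronologically

SCHEMA = """
CREATE TABLE info    (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE events  (id INTEGER PRIMARY KEY, ts TEXT NOT NULL, type TEXT NOT NULL,
                      evidence TEXT NOT NULL, source TEXT NOT NULL, extractor TEXT NOT NULL);
CREATE TABLE keydata (event_id INTEGER REFERENCES events(id), key TEXT NOT NULL, value TEXT NOT NULL);
CREATE INDEX idx_events_ts ON events(ts);
CREATE INDEX idx_keydata_kv ON keydata(key, value);
"""

# (ts, type, evidence, source file, extractor, key data) -- constructed sample data
SAMPLE_EVENTS = [
    ("2012-03-15 10:22:33", "setupapi_usb",
     "Setup API entry for USB found (VID:07AB PID:FCF6 Serial:07A80207B128BE08)",
     "Windows/inf/setupapi.dev.log", "setupapi",
     {"vid": "07AB", "pid": "FCF6", "serial": "07A80207B128BE08"}),
    ("2012-03-15 10:22:34", "setupapi_usbstor", "Setup API USBSTOR entry found",
     "Windows/inf/setupapi.dev.log", "setupapi", {"serial": "07A80207B128BE08"}),
    ("2012-03-15 10:22:35", "registry_usbstor", "USBStor details found in Registry",
     "Windows/System32/config/SYSTEM", "registry", {"serial": "07A80207B128BE08"}),
    ("2012-03-15 10:22:36", "registry_wpd", "Windows Portable Device entry found in Registry",
     "Windows/System32/config/SOFTWARE", "registry", {"serial": "07A80207B128BE08"}),
    ("2012-03-15 10:40:00", "ntfs_si_modified", "$SI modified: report.docx",
     "Users/alice/report.docx", "ntfs", {}),
    # second trigger whose only test event lies hours outside the window
    ("2012-03-16 08:00:00", "setupapi_usb", "Setup API entry for USB found (Serial:CONSTRUCTED02)",
     "Windows/inf/setupapi.dev.log", "setupapi", {"serial": "CONSTRUCTED02"}),
    ("2012-03-16 12:00:00", "registry_usbstor", "USBStor details found in Registry",
     "Windows/System32/config/SYSTEM", "registry", {"serial": "CONSTRUCTED02"}),
]


def build_store(rows):
    """Load low-level events into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO info VALUES (?, ?)", [("tool", "pydft-style example"), ("ts_format", TS_FMT)])
    for ts, etype, evidence, source, extractor, keys in rows:
        cur = db.execute("INSERT INTO events (ts, type, evidence, source, extractor) VALUES (?,?,?,?,?)",
                         (ts, etype, evidence, source, extractor))
        db.executemany("INSERT INTO keydata VALUES (?,?,?)", [(cur.lastrowid, k, v) for k, v in keys.items()])
    db.commit()
    return db


@dataclass
class HighLevelEvent:
    ts: str
    description: str
    trigger_id: int                   # low-level event that fired the analyzer
    supporting_ids: list              # low-level events that corroborate it (traceability)
    confidence: float                 # fraction of expected test events found
    reasoning: list = field(default_factory=list)   # one line per check, for the report


class UsbConnectedAnalyzer:
    """Plugin: fire on each setupapi_usb event, then look for the test events
    carrying the same device serial within `window` after the trigger."""
    trigger_type = "setupapi_usb"
    test_types = ("setupapi_usbstor", "registry_usbstor", "registry_wpd")
    window = timedelta(minutes=5)

    def run(self, db):
        results = []
        triggers = db.execute(
            "SELECT e.id, e.ts, k.value FROM events e JOIN keydata k ON k.event_id = e.id "
            "WHERE e.type = ? AND k.key = 'serial' ORDER BY e.ts", (self.trigger_type,)).fetchall()
        placeholders = ",".join("?" * len(self.test_types))
        for trig_id, trig_ts, serial in triggers:
            end = (datetime.strptime(trig_ts, TS_FMT) + self.window).strftime(TS_FMT)
            found = db.execute(
                f"SELECT e.id, e.type FROM events e JOIN keydata k ON k.event_id = e.id "
                f"WHERE e.type IN ({placeholders}) AND k.key = 'serial' AND k.value = ? "
                f"AND e.ts BETWEEN ? AND ? ORDER BY e.ts",
                (*self.test_types, serial, trig_ts, end)).fetchall()
            found_types = {t for _, t in found}
            reasoning = [f"trigger: event {trig_id} {self.trigger_type} at {trig_ts} (serial {serial})"]
            reasoning += [f"found {t}: event {i}" for i, t in found]
            reasoning += [f"missing {t} within {self.window}" for t in self.test_types if t not in found_types]
            results.append(HighLevelEvent(
                ts=trig_ts, description=f"USB device connected (serial {serial})",
                trigger_id=trig_id, supporting_ids=[i for i, _ in found],
                confidence=len(found_types) / len(self.test_types), reasoning=reasoning))
        return results


def reconstruct(db, analyzers):
    """Run every analyzer plugin and merge their output into one high-level timeline."""
    return sorted((ev for a in analyzers for ev in a.run(db)), key=lambda e: e.ts)


def demo():
    return reconstruct(build_store(SAMPLE_EVENTS), [UsbConnectedAnalyzer()])


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.ts}  {ev.description}  confidence={ev.confidence:.2f}  low-level ids={ev.supporting_ids}")
        for line in ev.reasoning:
            print("   ", line)
```

The second trigger still produces a high-level event, but with confidence 0 and a reasoning line per missing test event, so the investigator can see why the tool is unsure rather than silently dropping it. With millions of low-level events the join on keydata is the expensive part, which is why the example indexes (key, value) and bounds every search by timestamp.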
Visualizing high-level timelines using TimeFlow
https://github.com/FlowingMedia/TimeFlow/wiki
Future Work
• More extractors, including importing from other tools.
• More complex analyzers.
• More testing.
• More efficient comparison method.
• Parallel processing.
• Visualizations.