This blog is just to show some documentation related to timeline analysis and how much noise can happen on a Windows system just by performing simple activities in a short period of time. I know this has probably been documented many times in other places, however I wanted to see it for myself on a system that I could control.
It’s not the scope of this entry to demonstrate how or the best method of doing this (I do show the command lines and the steps taken). Timeline analysis is discussed in more details by other people much more prepared than I. Some examples:
Basically this is what I did:
1. Created a “gold” VM image of a Windows 7 64-bit install. Nothing else was installed, aside from the MS patches. This image was fully patched as of July 24, 2013.
2. Generate a HASH list of the image. This will be used later to understand what files were changed/added after the user activities. I also want to make it clear that no exploits or malware were used. This is simply user/OS activities being shown here.
sha1deep64.exe -rc J:\ > Windows7-64-bit-AllPatches-July24-2013.txt
3. Followed a list of activities and recorded the time. The activities happened between 20:36 and 21:07 EST5EDT, on July 26 2013.
4. After all activities were executed, the VM was suspended and a snapshot got created. I used FTK Imager to create a RAW DD like image of the VM.
5. Used the hash in point #2 to see what changed. I used sha1deep64 to make the comparison against the mounted image. Results can be downloaded at the end of this post.
6. The timeline analysis activities:
A. File system – I used fls from “TSK – The Sleught Kit” http://www.sleuthkit.org/sleuthkit/. I had to run it from a Linux distribution because the Windows version didn’t work for me. Didn’t bother spending time troubleshooting why it didn’t work since I had the other Linux VM running anyway. First step is to create the body file, so here it is the command I used to do that:
fls -m C:/ -f ntfs -i raw -r /mnt/image/Win7-VM.001 > /mnt/j/Win7-VM.001.body
After creating the body file, I used bodyfile.pl which is one of the TLN tools provided by Harlan Carvey (https://code.google.com/p/winforensicaanalysis/downloads/list):
bodyfile.pl –f Win7-VM.001.body –s WIN-HM1OUI8PPLE > FS_events.txt
The above file will be used later on to create the master timeline.
B. Event Logs – Extracted the main Windows logs, Application, Security, and System from the image. Here are the steps taken to extract the data into the TLN format.
i. Use LogParser from Microsoft and export to CSV:
LogParser.exe -i:evt -o:csv “select * from System.evtx” > system.csv
LogParser.exe -i:evt -o:csv “select * from Security.evtx” > security.csv
LogParser.exe -i:evt -o:csv “select * from Application.evtx” > Application.csv
ii. Use the “evtxparse.pl” Perl script to parse out the necessary event data into TLN format:
evtxparse.pl -f system.csv -t > sys_events.txt
evtxparse.pl -f security.csv -t > sec_events.txt
evtxparse.pl -f Application.csv -t > app_events.txt
C. Prefetch Files – The image was mounted using FTK imager, so I just pointed the pref.pl script to the mount point and the correct folder:
pref.pl -d J:\Windows\Prefetch -v -t -s WIN-HM1OUI8PPLE > prefetch_events.txt
D. Registry Data – Extracted all registry files from the image and created the timeline files using regtime Perl script. I used 2 user ID’s during the test. My own, “elias”, and the MS shipped “administrator”.
regtime.pl –m HKEY_USER –r NTUSER.DAT –s WIN-HM1OUI8PPLE –u elias > reg_elias_event.txt
regtime.pl –m HKEY_USER –r UsrClass.dat –s WIN-HM1OUI8PPLE –u elias >> reg_elias_event.txt
regtime.pl –m HKEY_USER –r NTUSER.DAT –s WIN-HM1OUI8PPLE –u ADMIN > reg_admin_event.txt
regtime.pl –m HKEY_USER –r UsrClass.dat –s WIN-HM1OUI8PPLE –u ADMIN >> reg_admin_event.txt
regtime.pl -m HKLM/SOFTWARE -r SOFTWARE -s WIN-HM1OUI8PPLE > reg_software_event.txt
regtime.pl -m HKLM/SYSTEM -r SYSTEM -s WIN-HM1OUI8PPLE > reg_system_event.txt
regtime.pl -m HKLM/SECURITY -r SECURITY -s WIN-HM1OUI8PPLE > reg_security_event.txt
7. After generating all the event files, I had to combine them all into one file (all-events.txt in my case). After, simply use the parse.pl Perl script to create the timeline:
parse.pl -f all-events.txt -r 07/26/2013-07/27/2013 -c > all-events.csv
Since the time in the event file is UTC, I had to include also June 27 as part of the range. So, basically July 26 20:36 is July 27 00:36 in the all-events.csv file. I could have simply used the range 07/27/2013-07/27/2013 and I would get the result I wanted.
8. Now, on to the results, which is what this whole thing is about anyway. In the document I tried to match the actual activities with the timelines from the artifacts processed above. This should help with context.
I know I could have used log2timeline to do this, but I wanted to take a more manual approach. I’m also aware that there are be other sources of information that can be added to a timeline like this one.
Download the full results here:
List of files changed: hash_FilesAddedOrChanged