Advanced time-lining using open source tools
Using time-line principles, tools and forensic techniques we establish the context necessary to reconstruct an incident
About me
• Christian Prickaerts
  • [email protected]
• My day job
  • In charge of DFIR @Fox-IT
• Providing expert witness testimony
• SANS Institute instructor
Time is of the essence
• You are using timelines in your investigation, are you not?
• Talking about time
  • Timelining is hot!
• Combine temporal data from multiple sources
• New artifacts (sources) added constantly
Timestamp example
When was document last printed?
What time is it?
System time at acquisition
W32Time / Windows Time Service
• Automatic time sync
  • ID 35 = Good
  • ID 17, 29 (XP) = Bad
  • ID 134 (Win7) = Bad
Look for a bunch of those
http://www.eventlogxp.com/
Times, they are changing
• Look for system time change events: event 4616
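A way to pull those 4616 records out of an exported Security log and size the clock jump, added here as an example (not from the slides or from any tool named on them). The XML follows the evtx export shape; the two records and the threshold of 60 seconds (to leave routine W32Time corrections out) are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the evtx XML export shape: one logon and one clock change (not a real log).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2014-05-28T07:55:02.000000000Z"/></System><EventData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4616</EventID>
<TimeCreated SystemTime="2014-05-28T08:00:11.000000000Z"/></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data>
<Data Name="PreviousTime">2014-05-28T08:00:11.000000000Z</Data>
<Data Name="NewTime">2014-05-21T08:00:11.000000000Z</Data></EventData></Event>
</Events>"""

def parse_systemtime(value: str) -> datetime:
    """evtx timestamps carry nine fractional digits; keep six for strptime and pin the value to UTC."""
    return datetime.strptime(value[:26], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def clock_changes(xml_text: str, min_skew_seconds: float = 60.0) -> list:
    """Return every 4616 whose jump is at least min_skew_seconds (small sync corrections are skipped)."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.find("e:System/e:EventID", NS).text != "4616":
            continue
        fields = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        previous = parse_systemtime(fields["PreviousTime"])
        new = parse_systemtime(fields["NewTime"])
        skew = (new - previous).total_seconds()   # negative = clock set back
        if abs(skew) >= min_skew_seconds:
            hits.append({"logged": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                         "user": fields.get("SubjectUserName"),
                         "process": fields.get("ProcessName"),
                         "skew_seconds": skew})
    return hits
```

Every record returned marks a point after which file and log timestamps on that host need to be shifted by the reported skew before they are sorted with the rest of the timeline.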
Sorting by logical order
Summertime, and the living is… well, whatever
Figure: the same timestamp, viewed on November 11 and viewed on May 28
Logic dictates
• You have lots of tools at your disposal
• But they are not intelligent (enough)
• No. 1 tool?
  • (Your) grey mass
• No. 2 tool
  • Log2Timeline/Plaso
Log2timeline aka Plaso
https://code.google.com/p/plaso/
Super Timeline
Case Study - Phishing Attack
Picture is never complete, ever...
Figure: drive C: and its volume shadow copies (1 through 6, plus one unnumbered entry)
Unallocated space
Exiftool metadata example
http://www.sno.phy.queensu.ca/~phil/exiftool/
Windows – Prefetch files
• When executing a program, Windows automatically generates a prefetch file
  • To further enhance performance
• Existence proves execution
• Location:
  • C:\Windows\Prefetch\
• Name:
  • [application].[ext]-[hash].pf
Prefetch (2)
• Executables that ran on the system:
http://redwolfcomputerforensics.com/
Prefetch (3)
• Files associated with the execution of WINRAR.EXE:
Analyze recovered prefetch
• Foremost signature for carving PF files:
  pf y 80000 ?\x00\x00\x00\x53\x43\x43\x41
• Use pf to parse recovered files:
  pf -v recovered_file.pf
• Use Foremost or Photorec
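A minimal parser for the carved files, added here as an example; it is not the pf tool or Plaso's parser, and the field offsets are the documented layout for prefetch versions 17 (XP), 23 (Vista/7) and 26 (8/8.1), with the same header test the Foremost rule above encodes. The sample header it builds is constructed for the demonstration, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"  # bytes 4..8 of every uncompressed .pf file; byte 0 is the format version
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# (last-run offset, number of last-run FILETIMEs, run-count offset), relative to the
# file-information block that starts at 0x54, keyed by the version dword at offset 0.
LAYOUT = {0x11: (36, 1, 60),    # XP / 2003
          0x17: (44, 1, 68),    # Vista / 7
          0x1A: (44, 8, 124)}   # 8 / 8.1 keeps the eight most recent run times

def matches_carve_signature(data: bytes) -> bool:
    """Same test as the Foremost rule: any version byte, three zero bytes, then 'SCCA' at offset 4."""
    return len(data) >= 8 and data[1:4] == b"\x00\x00\x00" and data[4:8] == SIGNATURE

def filetime_to_utc(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # FILETIME is 100 ns ticks, always UTC

def parse_prefetch(data: bytes) -> dict:
    if not matches_carve_signature(data):
        raise ValueError("not an uncompressed prefetch file (Win10 MAM-compressed files must be decompressed first)")
    version, = struct.unpack_from("<I", data, 0)
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version 0x{version:x}")
    size, = struct.unpack_from("<I", data, 0x0C)
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 0x4C)
    run_off, n_runs, count_off = LAYOUT[version]
    times = struct.unpack_from(f"<{n_runs}Q", data, 0x54 + run_off)
    run_count, = struct.unpack_from("<I", data, 0x54 + count_off)
    return {"version": version, "size": size, "executable": name, "hash": pf_hash,
            "last_runs": [filetime_to_utc(t) for t in times if t],  # zero slots are unused
            "run_count": run_count,
            # on disk the name should be [application].[ext]-[hash].pf; a mismatch deserves a second look
            "expected_name": f"{name}-{pf_hash:08X}.pf"}

def build_sample() -> bytes:
    """Constructed Windows 7 (version 0x17) header for the demonstration; not a real capture."""
    buf = bytearray(0x54 + 156)           # header + version-23 file-information block
    struct.pack_into("<I", buf, 0, 0x17)
    buf[4:8] = SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 20] = "WINRAR.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x1B2C3D4E)
    delta = datetime(2014, 5, 28, 9, 30, tzinfo=timezone.utc) - FILETIME_EPOCH
    struct.pack_into("<Q", buf, 0x80, (delta.days * 86400 + delta.seconds) * 10_000_000)
    struct.pack_into("<I", buf, 0x98, 3)
    return bytes(buf)
```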
Carved LNK file
Timestamps of the original document that was opened
https://tzworks.net/
Volatility: timeliner plugin
• Many memory artifacts have embedded timestamps:
  • Processes, threads
  • Portable Executable files
  • Process EXEs, DLLs, and drivers
  • Network sockets, registry keys, event logs
• Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline
https://code.google.com/p/volatility/
SANS SIFT Workstation
Absence of evidence
isn’t evidence of absence
- Carl Sagan
Evidence of absence is evidence of absence
Test your hypotheses
Final thoughts
• You are looking at the result of certain activity, not at the activity itself
• There might be an alternative scenario that produces that specific pattern
Christian Prickaerts, [email protected]