Wednesday, 23 May 2012

Timelines continued: Log2Timeline for Beginners

I've had a great response from the community in regards to my last tutorial posted 'Forensic Timeline for Beginners: Part 3'. Thanks go out again to Harlan and the SANS Digital Forensic Blog for bringing attention to my posts. For quite some time now I've wanted to learn the tool Log2Timeline which is written by Kristinn Gudjonsson and is highly regarded within the community for producing timelines. One of the reasons why I've preferred the WFAT Timeline tools written by Harlan so far is because they can be run against a live machine, with the use of some additional tools, and it provides the analyst with the ability to add only required information to their timeline.

Through the post today I'll investigate how we use Log2Timeline and hopefully we'll also be able to address some of the issues above and identify some methods for gaining more granularity over the input into our timeline. I'd like to begin by using Log2Timeline to create a timeline of the image that we've been using in the previous tutorials and that way we have the ability to compare the two tools. At this point I'll be following a great guide posted by Rob Lee on the SANS Digital Forensics blog (here) on how to use Log2Timeline and at the end we'll have a timeline output file. This output file will however be a dump of everything Log2Timeline discovers, based on the input it accepts, and I'm interested to see whether as an analyst this is overwhelming or whether it adds some benefit and context to our investigations.

For this tutorial I'll be using the SANS Investigate Forensic Toolkit, or SIFT for short, which is available here. I've also installed Log2Timeline on my Windows machine using the guide provided on the official website. At this point I don't believe there are any differences between the two, but I haven't extensively tested either. If you'd like to use Windows then you can follow the guide posted here.

Firstly I copied across our downloaded forensic image to the SIFT virtual machine I have running. In order to mount the image the SIFT virtual machine provides us with a tool called mount_ewf. This tool allows us to mount EWF (E01) files even if they are compressed or split into segments. I ran the following command to mount the image.

 mount_ewf.py WinXP2.E01 /mnt/ewf  
 Using libewf-20111015. Tested with libewf-20080501.  

Once the above command runs successfully you can navigate to the mount location using the following commands. I also ran the ls command to show the contents of the mount location.

 root@SIFT-Workstation:/home/sansforensics/Desktop# cd /mnt/ewf/  
 root@SIFT-Workstation:/mnt/ewf# ls  
 WinXP2 WinXP2.txt  

Running the 'more' command over the WinXP2.txt file will output the contents to standard output.

 root@SIFT-Workstation:/mnt/ewf# more WinXP2.txt  
 # Description: WinXP  
 # Case number: Case 1  
 # Examiner name: Mueller  
 # Evidence number: WinXP  
 # Acquiry date: 2008-01-17T01:05:46  
 # System date: 2008-01-17T01:05:46  
 # Operating system used: Vista  
 # Software version used: 6.8  


At this point we are ready to run Log2Timeline over our mounted image. From the same directory I ran the following command:

 root@SIFT-Workstation:/mnt/ewf# log2timeline-sift -z EST5EDT -i WinXP2  
 Image file (WinXP2) has not been mounted. Do you want me to mount it for you? [y|n]: y  
 No partition nr. has been provided, attempting to print it out.  
 Is this a disk image file? Or is it perhaps a partition image?  
 This doesn't look like a disk image file, if this is a partition image (which it looks like), please re-run the tool with the parameter -p 0.  
 Example: log2timeline-sift -p 0 -i IMAGE_FILE  

As you can see from the output above, Log2Timeline has determined that we're running against a partition image rather than a full disk image, and has offered us an example command using the -p parameter instead.

I ran the command above again using the -p option instead. The command is as follows.

 root@SIFT-Workstation:/mnt/ewf# log2timeline-sift -z EST5EDT -p 0 -i WinXP2  
 Image file (WinXP2) has not been mounted. Do you want me to mount it for you? [y|n]: y  
 This is a partition image, let's attempt mounting it directly.  
 Image file mounted successfully as /mnt/windows_mount  
 [LOG2TIMELINE-SIFT] MFT directly callable, no need for special parsing.  
 [PreProcessing] Unable to determine the default browser for user vmware  
 [PreProcessing] Unable to determine the default browser for user administrator  
 [PreProcessing] Unable to determine the default browser for user default user  
 [PreProcessing] Unable to determine the default browser for user networkservice  
 [PreProcessing] Unable to determine the default browser for user localservice  
 [PreProcessing] Hostname is set to REG-OIPK81M2WC8  
 [PreProcessing] The timezone according to registry is: (PST) Pacific Standard Time  
 [PreProcessing] The timezone settings are NOT overwritten so the settings might have to be adjusted.  
 [PreProcessing] The default system browser is: : IEXPLORE.EXE ("C:\Program Files\Internet Explorer\iexplore.exe" -nohome)  
 Loading output file: csv  
 Unable to open /mnt/windows_mount/$Extend/$ObjId  
 Unable to open /mnt/windows_mount/$Extend/$Quota  
 Unable to open /mnt/windows_mount/$Extend/$Reparse  
 Unable to open /mnt/windows_mount/$Secure  
 umount: /mnt/windows_mount: device is busy.  
     (In some cases useful info about processes that use  
      the device is found by lsof(8) or fuser(1))  

At this point I was slightly confused, as I saw a number of errors in the output of log2timeline and automatically presumed that the tool had not completed successfully. It was only when I went and read the SANS tutorial again that I realised this was normal output of the tool and an analyst should expect to see a number of errors while parsing their image. Also, from the output above I realised that I'd entered the incorrect timezone and I needed to amend my command once again to ensure I entered the correct timezone, otherwise it could confuse our investigations.

I wasn't sure at this point what the correct option was for PST so I used the following command to identify an appropriate -z option.

 log2timeline -z list | more  

I tried to use the log2timeline-sift version with the -z list option, however it didn't accept this command. I then decided to try the standard log2timeline -z list option and I successfully produced a list of the accepted timezones. Again I piped my output to the more command so that I could slowly review the output.

I ran log2timeline again in the hope of producing a bodyfile. I used UTC as my timezone. I was still a little confused about the correct timezone to use at this point, but decided to move on and compare times against my original timeline created in the previous tutorials. That is one of the benefits of using a number of tools in your investigations: you can cross-check the results from both and identify any issues you might have with the tools or the commands you've run. Below is the output of this command.

 root@SIFT-Workstation:/mnt/ewf# log2timeline-sift -z UTC -p 0 -i WinXP2  
 [LOG2TIMELINE-SIFT] MFT directly callable, no need for special parsing.  
 [PreProcessing] Unable to determine the default browser for user vmware  
 [PreProcessing] Unable to determine the default browser for user administrator  
 [PreProcessing] Unable to determine the default browser for user default user  
 [PreProcessing] Unable to determine the default browser for user networkservice  
 [PreProcessing] Unable to determine the default browser for user localservice  
 [PreProcessing] Hostname is set to REG-OIPK81M2WC8  
 [PreProcessing] The timezone according to registry is: (PST) Pacific Standard Time  
 [PreProcessing] The chosen timezone does NOT match the one in the registry, changing values.  
 [PreProcessing] Time zone changed to: PST8PDT.  
 [PreProcessing] The default system browser is: : IEXPLORE.EXE ("C:\Program Files\Internet Explorer\iexplore.exe" -nohome)  
 Loading output file: csv  
 Unable to open /mnt/windows_mount/$Extend/$ObjId  
 Unable to open /mnt/windows_mount/$Extend/$Quota  
 Unable to open /mnt/windows_mount/$Extend/$Reparse  
 Unable to open /mnt/windows_mount/$Secure  
 Could not open the restore point file: /mnt/windows_mount/System Volume Information/_restore{00D8A395-89D5-46B8-A850-E02B0F637CE5}/RP0/rp.log  
 umount: /mnt/windows_mount: device is busy.  
     (In some cases useful info about processes that use  
      the device is found by lsof(8) or fuser(1))  


At this point we have a bodyfile, and the SIFT workstation places the output of the above command in the following folder: '/cases/timeline-output-folder/'. I navigated to this folder and then ran the following command.

 root@SIFT-Workstation:/mnt/ewf# cd /cases/timeline-output-folder/  
 root@SIFT-Workstation:/cases/timeline-output-folder# l2t_process -b WinXP2_bodyfile.txt > WinXP2_bodyfile.txt.csv  
 Total number of events that fit into the filter (got printed) = 182943  
 Total number of duplicate entries removed = 114822  
 Total number of events skipped due to whitelisting = 0  
 Total number of events skipped due to keyword filtering = 0  
 Total number of processed entries = 182943  
 Run time of the tool: 9 sec  

l2t_process, in my limited knowledge at this point, seems to do the same as Harlan's parse.pl script. It will process our bodyfile and produce our CSV ready for analysis. If you'd like to specify a date range to review then you can do that also, however in this case we'll just parse the complete file. Now that we have our file let's take a look at it and see what we find.

Tracing back to the events we found in the previous tutorials I've posted the following screenshot to see how this would look from the perspective of log2timeline.


I traced through and began highlighting the suspicious entries where the malicious files were discovered. I also highlighted entries that I felt were related to the suspicious files such as the firewall changes that we had identified as modified.

I followed my timeline entries through but was surprised to see that at the bottom of my timeline file there were a large number of date entries that didn't seem to be in order after parsing with l2t_process. I've attached the screenshot but I haven't had time to troubleshoot why this might be. Does anybody else understand the reasons behind this?
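The two things that tripped me up above, the timezone passed with -z and the entries at the bottom of the CSV that are not in date order, can both be checked mechanically. The following is an added example, not code from the original post or from the log2timeline project: it reads rows in the l2t_csv layout that l2t_process produces (the date column is MM/DD/YYYY and each row carries its own timezone column), normalises every event to UTC, and reports the row positions where an event is earlier than the one before it. The sample rows, the file names in them and the fixed-offset fallback table are constructed for illustration; the fallback only gives standard-time offsets and is used when the system has no tz database.

```python
"""
Added example: sanity-check an l2t_csv timeline for timezone handling and
chronological order. Not part of the original post or log2timeline itself.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Column order of the l2t_csv output format written by l2t_process.
L2T_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
              "user", "host", "short", "desc", "version", "filename", "inode",
              "notes", "format", "extra"]

# Constructed sample rows (hostname taken from the post, file names invented).
# Row 4 is a deliberate epoch-zero timestamp, the kind of entry that ends up
# out of order after sorting by local date/time strings.
SAMPLE_CSV = ",".join(L2T_FIELDS) + "\n" + "\n".join([
    "01/17/2008,00:58:12,PST8PDT,MACB,FILE,NTFS $MFT,Created,-,REG-OIPK81M2WC8,"
    "/WINDOWS/system32/sample1.dll,-,2,/mnt/windows_mount/WINDOWS/system32/sample1.dll,0,-,mft,-",
    "01/17/2008,09:10:00,UTC,.A..,FILE,NTFS $MFT,Accessed,-,REG-OIPK81M2WC8,"
    "/WINDOWS/system32/sample2.dll,-,2,/mnt/windows_mount/WINDOWS/system32/sample2.dll,0,-,mft,-",
    "01/17/2008,01:30:00,PST8PDT,M...,REG,Registry Key,Modified,-,REG-OIPK81M2WC8,"
    "Firewall policy key,-,2,/mnt/windows_mount/WINDOWS/system32/config/SYSTEM,0,-,reg,-",
    "01/01/1970,00:00:00,UTC,MACB,FILE,NTFS $MFT,Created,-,REG-OIPK81M2WC8,"
    "/WINDOWS/Prefetch/sample.pf,-,2,/mnt/windows_mount/WINDOWS/Prefetch/sample.pf,0,-,mft,-",
    "01/17/2008,10:00:00,UTC,MACB,LOG,Event Log,Logon,-,REG-OIPK81M2WC8,"
    "Logon event,-,2,/mnt/windows_mount/WINDOWS/system32/config/SecEvent.Evt,0,-,evt,-",
])

# Standard-time offsets (hours from UTC) for the zones named in the post; used
# only if the tz database is unavailable. This simplification ignores DST.
FALLBACK_OFFSETS = {"UTC": 0, "EST5EDT": -5, "PST8PDT": -8}


def resolve_zone(name):
    """Return a tzinfo for a timezone column value, preferring the tz database."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        if name in FALLBACK_OFFSETS:
            return timezone(timedelta(hours=FALLBACK_OFFSETS[name]))
        raise


def parse_l2t_csv(text):
    """Parse l2t_csv text; each returned row gains a 'utc' key (aware datetime)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        row["utc"] = local.replace(tzinfo=resolve_zone(row["timezone"])).astimezone(timezone.utc)
        events.append(row)
    return events


def find_out_of_order(events):
    """Return 1-based data-row positions whose UTC time precedes the previous row's."""
    return [i + 1 for i in range(1, len(events)) if events[i]["utc"] < events[i - 1]["utc"]]


def utc_times(events):
    """ISO-8601 UTC timestamps for every row, handy for eyeballing the conversion."""
    return [e["utc"].isoformat() for e in events]


if __name__ == "__main__":
    evs = parse_l2t_csv(SAMPLE_CSV)
    for pos, ts in enumerate(utc_times(evs), start=1):
        print(pos, ts)
    print("out-of-order rows:", find_out_of_order(evs))
```

Reading the real WinXP2_bodyfile.txt.csv is a matter of passing its contents to parse_l2t_csv; the positions returned by find_out_of_order point at the rows worth looking at, and the normalised UTC values give a consistent basis for comparing against a timeline produced with Harlan's tools under a different -z choice.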


I'm going to stop this blog entry at this point as my week's schedule has been fairly crazy and I need to focus on some other training that I'm undertaking. This tutorial is really just scratching the surface of what log2timeline can do. While writing about log2timeline I also found a number of sites explaining how to add individual log sources to our timeline in the same way we used the WFAT Timeline tools. We also have a pcap file that we could potentially introduce to our timeline using log2timeline, and I'm keen to see how this would look and again what context it might add to our investigation. The amount of information that log2timeline provides can be overwhelming from a learner's perspective, and it's important that you can understand the entries within our timeline and not just create the output. I do like the large number of inputs it can deal with. In particular Firefox history, IE history and Chrome history might, I believe, be beneficial when using the WFAT Timeline tools, and I'd be interested to see whether this could be completed on a live system. I'll try to cover these topics in future posts.

Once again I hope you gained something from this tutorial and I'll attempt to post more as soon as I find some more time.
