An automated timeline reconstruction approach for digital - CCSE

An automated timeline reconstruction approach for digital forensic investigations
Christopher Hargreaves and Jonathan Patterson, DFRWS 2012
Original presentation at DFRWS: http://www.dfrws.org/2012/proceedings/DFRWS2012-p8.pdf
Original paper: http://www.sciencedirect.com/science/article/pii/S174228761200031X
http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf


Presentation

Introduction

Super TimeLine

Research Objectives

Generation of low-level events

Reconstruction of high-level events

Results and Future Work

Introduction - What is TimeLine?

A timeline is a way of displaying a list of events in chronological order.

• Visualization


DF TimeLines

A digital timeline can be defined as the representation of useful information relating to a specific security event.


Carbone R, Bean 2011

Traditional DF TimeLines Problems

“Credibility”

• Modification of timestamps during what can be called “normal” user or operating system behavior

• Automated scanning tools

• File attribute manipulation programs such as timestomp (anti-forensics)


TimeLines Problems (cont.)

• BIOS and System Clock Setting

• Multi-user System

• Disabling of “Last Access Update” in the system – altering or creating a DWORD entry called NtfsDisableLastAccessUpdate with the value of 1 in the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem”

Chow 2006


Other Timestamp Sources

• Event Logs

• Registry Files

• Internet History

• Email Files

• Recycle Bin\Recycler

• thumbs.db

• Logs

• Chat Logs

• Restore Points

• Internet / Network

• Capture Files

• Archive Files


Super TimeLine

One of the solutions to the shortcomings of traditional timeline analysis is expanding it with information from multiple sources to get a better picture of the events.

Guðjónsson 2010


Existing Super TimeLine Tools

• Timelines based on file system times

– e.g. EnCase, Sleuth Kit

• Timelines including times from inside files

– e.g. Cyber Forensic Time Lab (CFTL), Log2timeline

• Visualizations

– e.g. EnCase, Zeitline, Aftertime


Aftertime

Netherlands Forensic Institute (NFI Labs), 2005. Aftertime.

Zeitline

Buchholz, F. & Falk, C., 2005. Design and Implementation of Zeitline: a Forensic Timeline Editor. Digital Forensics Research Workshop.


Cyber Forensic Time Lab (CFTL)

Olsson, J. & Boldt, M., 2009. Computer forensic timeline visualization tool. Digital Investigation, 6(Supplement 1), pp. S78–S87.


Log2timeline

Guðjónsson, K., 2010. Mastering the Super Timeline with log2timeline.

Super TimeLine Problems

A super timeline often contains too many events for the investigator:

• to understand.

• to fully analyze.

This makes data reduction, and an easier method of examining the timeline, essential.


Guðjónsson 2010

Research Objectives

• Needs to provide a ‘gist’ - a ‘summary of activity on the disk’.

• Needs an event reconstruction tool that produces ‘human understandable events’.

• Needs to satisfy forensic requirements, particularly traceability and repeatability.

• Needs to be extensible, i.e. allow the community to add to it.


Overview of PyDFT (Python Digital Forensic Timeline)

Two main stages:

• low-level event extraction

• high-level event reconstruction


“The research method in this case is the development of a software prototype chosen over a design-based approach”

Overview of PyDFT Prototype


[Figure: PyDFT pipeline – disk image → Time Extractor → low-level event database → high-level timeline]

Generation of low-level events


Extractor Manager (file name, path, content)

Parsers (generate usable values)

Bridges (map values)

Low-level event format


Backing store for the low-level timeline

• Internally in PyDFT, low-level events are implemented as a Python class.

• SQLite

– supports multiple advanced queries

– offers performance benefits

• Export to several other formats


SQLite DataBase

Three tables:

• Info (timeline tool).

• Events (main).

• Keydata (keys).

“SQLite database containing millions of low-level events”


Events Table in PyDFT DataBase


Reconstruction of high-level events

• The approach is based on a plugin framework where each plugin, an “Analyzer”, is a script that detects a particular type of high-level event.


Automated Analysis

Analysis Concept (simple)


Analysis Concept (complex)


Reasoning (Trigger, Supporting, Contradictory)

Simple test events (Example)


Test Events (YouTube Example)


YouTube Example (Cont.)


Events Comparing (Example)

Pseudo Code of Analyzer


“Only 22 analyzers implemented. Some examples of which include (User Creation, Windows Installation, Google Search, YouTube Video Access, Skype Call and USB Connected)”


Analyzer (Example)

High-level event format


Supporting and contradictory artifacts


Case folder structure


Results - Examples (Bing Search)


Bing Search (Cont.)


Examples (USB Device Connection)


USB Device Connection (Cont.)

Test Events:

• Trigger event: “Setup API entry for USB found (VID:07AB PID:FCF6 Serial:07A80207B128BE08)”

• “Setup API USBSTOR entry found”

• “USBStor details found in Registry”

• “Windows Portable Device entry found in Registry”
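The trigger/supporting/contradictory reasoning from the "Reasoning" slide and this USB test case, as an added illustration that is not PyDFT's own code: a toy analyzer plugin run over a minimal SQLite events table. The table layout, the 60-second window, the "System clock changed" contradictory message and the second (placeholder) USB event are assumptions; the other event messages are the ones listed on the slide.

```python
# Added example, not code from PyDFT or the paper: a toy "USB Connected" analyzer
# in the trigger/supporting/contradictory style. Table layout, window size and the
# contradictory message are assumptions made for the illustration.
import sqlite3

TRIGGER = "Setup API entry for USB found"
SUPPORTING = ["Setup API USBSTOR entry found",
              "USBStor details found in Registry",
              "Windows Portable Device entry found in Registry"]
CONTRADICTORY = ["System clock changed"]  # assumed: a clock change weakens trust in nearby timestamps

# Constructed low-level events (epoch seconds, message); not real case data.
SAMPLE_EVENTS = [
    (1000, "Setup API entry for USB found (VID:07AB PID:FCF6 Serial:07A80207B128BE08)"),
    (1002, "Setup API USBSTOR entry found"),
    (1003, "USBStor details found in Registry"),
    (1005, "Windows Portable Device entry found in Registry"),
    (5000, "Setup API entry for USB found (VID:XXXX PID:XXXX Serial:PLACEHOLDER)"),
    (5010, "System clock changed"),
]

def build_db(events=SAMPLE_EVENTS):
    """Create an in-memory events table shaped like a minimal low-level timeline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, ts INTEGER, msg TEXT)")
    conn.executemany("INSERT INTO events (ts, msg) VALUES (?, ?)", events)
    return conn

def _in_window(conn, start, end, needle):
    """Return ids of events within [start, end] whose message contains needle."""
    rows = conn.execute("SELECT id FROM events WHERE ts BETWEEN ? AND ? AND msg LIKE ?",
                        (start, end, f"%{needle}%"))
    return [r[0] for r in rows]

def usb_connected_analyzer(conn, window=60):
    """Each trigger event becomes one high-level 'USB Connected' event that records
    the ids of supporting and contradictory low-level events found in the window."""
    high_level = []
    for tid, ts, msg in conn.execute("SELECT id, ts, msg FROM events WHERE msg LIKE ?",
                                     (f"{TRIGGER}%",)):
        support = [i for s in SUPPORTING for i in _in_window(conn, ts, ts + window, s)]
        contra = [i for c in CONTRADICTORY for i in _in_window(conn, ts, ts + window, c)]
        high_level.append({"name": "USB Connected", "ts": ts, "trigger": tid,
                           "supporting": support, "contradictory": contra,
                           "detail": msg[len(TRIGGER):].strip(" ()")})
    return high_level

if __name__ == "__main__":
    for ev in usb_connected_analyzer(build_db()):
        print(ev)
```

The first trigger is backed by all three supporting artifacts, while the second has none and sits next to a contradictory event, which is the kind of distinction the high-level event format is meant to carry forward to the investigator.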


Visualizing high-level timelines using Timeflow

https://github.com/FlowingMedia/TimeFlow/wiki/

Timeflow (Cont.)


Performance


Future Work

• More extractors, including importing from other tools.

• More complex analyzers.

• More Testing.

• More efficient comparison method.

• Parallel processing.

• Visualizations.
