Timeline Analysis
Geoff Black, EnCE, SnortCP
Senior Forensic Consultant
Professional Services Division
Guidance Software, Inc.
Page 2
Usage Scenarios
Intrusion mapping
Spyware / Malware file dropping
Suspect activity
File activity
Registry Keys
Email times
Web history
Page 3
The Common (And Wrong) Way
Many investigators do not conduct proper timeline analysis
EnCase does not give the user an easy method to accomplish this
Within Table View you can only add secondary sort columns
These only sort when the first column has identical data
NOT a unified linear timeline
Page 4
The Built-in Alternative
Timeline View gives a decent overview, but it is cumbersome and not at all user-friendly
Page 5
Proper Method: Unified Linear Timeline
Considers each date field individually
Not locked into sorting a single field
Does not base a second sort on the value of the first field
Completely linear across all date fields
End result is that an entry can be listed multiple times in the timeline, once for each date field
Page 6
Hands-On Lab
Check your Time Settings
Lab Machine TZ
Evidence TZ
Locate an interesting event
Select a date/time range around the event
Run Timeline Report EnScript & examine results
Use Selected Files to narrow your search if necessary
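An added example, not code from the slides or from the Timeline Report EnScript: a Python sketch of the unified linear timeline described on slides 5 and 6, with the lab steps of normalising the evidence time zone and narrowing to a date/time range around an event. The record layout, file paths and the UTC-5 evidence zone are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

DATE_FIELDS = ("created", "modified", "accessed", "entry_modified")

# Constructed sample export (not real evidence): one record per file carrying the
# four Standard Information dates. The first record is naive local time, as a tool
# running on a lab machine might export it; the second is already UTC ("Z").
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\Temp\dropper.exe",
     "created": "2009-03-02T09:05:10", "modified": "2009-03-02T09:05:12",
     "accessed": "2009-03-04T04:00:00", "entry_modified": "2009-03-02T09:05:12"},
    {"path": r"C:\Users\bob\NTUSER.DAT",
     "created": "2008-11-20T08:00:00Z", "modified": "2009-03-02T14:06:01Z",
     "accessed": "2009-03-02T14:06:01Z", "entry_modified": "2009-03-02T14:06:01Z"},
]

def parse_ts(value, evidence_tz_hours):
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    Naive values (no offset) are taken to be in the evidence machine's zone, given
    as an hour offset from UTC (assumed -5 here). Mixing the lab machine's zone
    with the evidence zone is the classic way to get a timeline out of order.
    """
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone(timedelta(hours=evidence_tz_hours)))
    return dt.astimezone(timezone.utc)

def unified_timeline(records, start=None, end=None, evidence_tz_hours=0):
    """Flatten records into a linear timeline: one event per (file, date field).

    Each date field is considered on its own, so a file appears once per field,
    and the result is sorted purely by time, not by a primary column with a
    secondary sort. start/end (ISO strings) narrow the view to a window.
    """
    lo = parse_ts(start, evidence_tz_hours) if start else None
    hi = parse_ts(end, evidence_tz_hours) if end else None
    events = []
    for rec in records:
        for field in DATE_FIELDS:
            raw = rec.get(field)
            if not raw:
                continue                      # field absent from this export
            ts = parse_ts(raw, evidence_tz_hours)
            if (lo and ts < lo) or (hi and ts > hi):
                continue
            events.append((ts, field, rec["path"]))
    events.sort()                             # linear across all date fields
    return events

if __name__ == "__main__":
    for ts, field, path in unified_timeline(SAMPLE_RECORDS, evidence_tz_hours=-5):
        print(f"{ts:%Y-%m-%d %H:%M:%S} UTC  {field:<14} {path}")
```

Run as a script it prints all eight events in one linear order; passing a start/end window around the dropper's creation time reproduces the "select a range around the event" step of the lab.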
Page 7
Timeline Report Download
http://www.geoffblack.com/forensics/
Page 8
Detecting Timestamp Anomalies
MFT stores two sets of dates
Standard Information Attribute (the timestamps EnCase and Windows display)
File Name Attribute
Anti-forensics tools modify timestamps
TimeStomp / FileTouch / FileTouchdotNET
Popular theories for detection
[Figure: MFT Entry Record Structure: MFT Entry Header | Standard Information Attribute | File Name Attribute | Remainder of Record]
Page 9
Detecting Timestamp Anomalies
Popular Theory: TimeStomp uses low precision timestamping
Problem: So does just about every major installation routine
Page 10
Detecting Timestamp Anomalies
Popular Theory: For an unaltered file, the File Name Attribute times will always be earlier than the Standard Information Attribute times
Problem: On standard, well-used drives, expect up to 50% of entries where the FN timestamp is more recent than the SIA timestamp without any manual alteration
Page 11
Detecting Timestamp Anomalies
Detection is not reliable through attribute comparison or timestamp precision
The only currently reliable method is to identify a known tool on the system
Page 12
Virtual Private Computing - MojoPac