legal contact
 

Day 4 FOR508.4

Day 4 Timeline Analysis

http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html
http://www.kazamiya.net/en/NTFS_Timestamps
https://fwhibbit.es/en/what-happened-the-abc-of-the-macb
https://www.fireeye.com/blog/threat-research/2012/09/incident-response-ntfs-indx-buffers-part-2-internal.html

Both of the below posters are very, very important during the exam. Be sure to take them with you.




 

MAC timestamps

https://www.andreafortuna.org/2017/10/06/macb-times-in-windows-forensic-analysis/

MACB

MACE

(M) odification
(A) ccess
(C) ange MFT Metadata Record
(B) irth

(M) odified
(A) ccessed
(E) ntry Modified
(C) reated

 stored at $MFT

$SI ($STANDARD_INFOERMATION)= What you look at with Explorer, cmd, PS1
$FN ($FILE_NAME) = Only modifyable by the kernel

Compare $SI and $FN to find time manipulations (i.e. analyzeMFT.py)

Operation

Modified ($SI)

Accessed ($SI)

Birth ($SI)  (Create)

File Create

YES

YES

YES

File Modify

YES

NO

NO

(A) not changed due to NtfsDisableLastAccessUpdate = 1 by default Vista+

File Copy (explorer)

NO (inherited from original)

YES

YES

File Copy (cmd)

NO (inherited from original)

YES

YES

File Access

NO

NO

NO

(A) not changed due to NtfsDisableLastAccessUpdate = 1 by default Vista+

$STANDARD_INFO

$STANDARD_INFO ($SI) stores file metadata such as flags, the file SID, the file owner and a set of MAC(b) timestamps.

$STANDARD_INFO is the timestamp collected by Windows explorer, fls, mactime, timestomp, find and the other utilities related to the display of timestamps.

$FILE_NAME

The $File_Name attribute contains forensically interesting bits, such as MACB times, file name, file length and more.

Timestamps are only updated with the attribute is changed.

Files can have either one or two $File_Name attributes depending on how long the file name is:

  • Short file names (“file.txt”) has only one $File_Name attribute.
  • Long file names (“extremelylongfilename.txt”) will have two $File_Name attributes.
  • One for the long file name, and one for the DOS-compatible short name (EXTRE~1.TXT).

Carrier's File System Forensic Analysis book says, "Windows does not typically update this set of temporal values like it does with those in the "$STANDARD_INFORMATION" attribute, and they frequently correspond to when the file was created, moved, or renamed," (page 318).

Deleting a file:

  1. The filename is removed from the parent directory index $I30
  2. The MFT entry is unallocated by cleaning the in use flag $Bitmap
  3. The Clusters are unallocated
  4. Change the file system journal $LogFile

$FILE_NAME remains intact

What are the differences of:
  • $STANDARD_INFO can be modified by user level processes like timestomp.
  • $FILE_NAME can only be modified by the system kernel. (There are no known anti-forensics utilities that can accomplish this.)
Pivot Point

Finding the approx. time when the intrution/abuse began to limit the number of data and sources to look at

How to detect Anti-Forensics Timestamp Anomalies?

Tool such as timestomp allow attackers to backdate a file to an arbitrary time in order to trying to hide it in system32 or other similar directories.

So, during analysis you can use analyzeMFT.py in order to check if the $FILE_NAME time occurs after the $STANDARD_INFORMATION Creation Time. If this anomaly occurs, it is likely that an attacker has been alterated timestamps in $STANDARD_INFO using timestomp.

Timestamp Analysis for Lateral Movement

When a file is copied via SMB (net use):

  • the modification time is inherited from the original
  • the creation time will be the time of the lateral movement → PIVOT POINT
PLASO & Co. Timeline creation

"log2timeline.py with filters"

https://www.andreafortuna.org/2018/02/16/forensic-timeline-creation-my-own-workflow/

Required tools

https://www.sleuthkit.org/sleuthkit/
http://www.volatilityfoundation.org/
https://github.com/log2timeline/plaso

Step

Action

Description

1

fls -r -m / Evidence1.E01 > Evidence1-bodyfile

Extract filesystem bodyfile from the .E01 file (physical disk dump):

2

vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo

identification of the type of memory image is a mandatory step.

3

vol.py -f Evidence1-memoryraw.001 --profile=Win7SP1x86 timeliner --output=body > Evidence1-timeliner.body

Run the timeliner plugin against volatile memory dump using volatility

4

vol.py -f Evidence1-memoryraw.001 --profile=Win7SP1x86 mftparser --output=body > Evidence1-mftparser.body

Run the mftparser volatility plugin, in order to spot some strange MFT activities.
This step can generate duplicates entries against the fls output, but i think that this data can contain precious artifatcs.

5

cat Evidence1-timeliner.body >> Evidence1-bodyfile
cat Evidence1-mftparser.body >> Evidence1-bodyfile

Combine the timeliner and mftparser output files with the filesystem bodyfile

6

mactime -d -b Evidence1-bodyfile 2012-04-02..2012-04-07 > Evidence1-mactime-timeline.csv

Extract the combined filesystem and memory timeline

7

grep -v -i -f Evidence1-mactime-timeline.csv > Evidence1-mactime-timeline-final.csv

Optionally, filter data using grep and applying the whitelist

SuperTimeline creation

"log2timeline.py without filters"

Step

Action

Description

1

log2timeline.py plaso.dump Evidence1.E01

Gather timeline data and create the plaso.dump

2

psort.py -z "UCT" -o L2tcsv plaso.dump "date > '2012-04-03 00:00:00' AND date < '2012-04-07 00:00:00'" -w plaso.csv

Filter the timeline using psort.py

3

grep -v -i -f whitelist.txt plaso.csv > supertimeline.csv

Optionally filter data using grep and applying the whitelist

Using AutoTimeline (AndreaFortuna)

git clone https://github.com/andreafortuna/autotimeliner.git

./autotimeline.py -f ./*.raw -t 2018-10-17..2018-10-21