An automated timeline reconstruction approach for digital forensic investigations Christopher Hargreaves and Jonathan Patterson, DFRWS 2012

Transcription

1 An automated timeline reconstruction approach for digital forensic investigations Christopher Hargreaves and Jonathan Patterson, DFRWS 2012 Original presentation at DFRWS: Original paper:

2 Presentation Introduction Research Objectives Reconstruction of high-level events Super TimeLine Generation of low-level events Results and Future Work 2

3 Introduction - What is TimeLine? A timeline is a way of displaying a list of events in chronological order. Visualization 3

4 DF TimeLines A digital timeline can be defined as the representation of useful information relating to specific security event. Carbone R, Bean

5 Traditional DF TimeLines Problems Credibility Modification of timestamps during what can be called normal user or operating system behavior Automated scanning tool File attribute manipulation program such as timestomp (Anti-forensics) 5

6 TimeLines Problems (cont.) BIOS and System Clock Setting Multi-user System Disabling of Last Access Update in the system altering or creating a DWORD entry called NtfsDisableLastAccessUpdate with the value of 1 in the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem Chow

7 NTFS Unpopular Property Time is recorded in two places $STDINFO Attribute $Filename Attribute 7

8 Other TimeStamps Sources Event Logs Registry Files Internet History Files Recycle Bin\Recycler thumbs.db Logs Chat Logs Restore Points Internet / Network Capture Files Archive Files 8

9 Super TimeLine One of the solutions to the shortcomings of traditional timeline analysis is expanding it with information from multiple sources to get a better picture of the events. Guðjónsson

10 Existing Super TimeLine Tools Timelines based on file system times e.g. EnCase, Sleuth Kit Timelines including times from inside files e.g. Cyber Forensic Time Lab (CFTL), Log2timeline Visualizations e.g. EnCase, Zeitline, Aftertime 10

11 Aftertime Netherlands Forensic Institute (NFI Labs) Aftertime, 11

12 Zeitline Buchholz, F. & Falk, C., Design and Implementation of Zeitline: a Forensic Timeline Editor. Digital Forensics Research Workshop. 12

13 Cyber Forensic Time Lab (CFTL) Olsson, J. & Boldt, M., Computer forensic timeline visualization tool. Digital Investigation, 6(Supplement 1), pp.s78 S87. 13

14 Log2timeline Gu jónsson, K., Mastering the Super Timeline with log2timeline. 14

15 Super TimeLine Problems Super timeline often contains too many events for the investigator : to understand. to fully analyze. making data reduction. making easier method of examining the timeline essential. Guðjónsson

16 Research Objectives Needs to provide a gist - a summary of activity on the disk. Need an event reconstruction tool that produces human understandable events. Needs to satisfy forensic requirements, particularly traceability, repeatability. Needs to be extensible, i.e. allow the community to Add. 16

17 Overview of PyDFT (Python Digital Forensic Timeline) Two main stages: low-level event extraction high-level event reconstruction The research method in this case is the development of a software prototype chosen over a design-based approach 17

18 Overview of PyDFT Prototype disk image low-level event Database high-timeline 18

19 Generation of low-level events Extractor Manager (file name, path, content) Parsers (generate usable values ) Bridges (maps values) Time Extractor 19

20 Low-level event format 20

21 Backing store for the low-level timeline internally in PyDFT, low-level events are implemented as a Python class. SQLite multiple advanced queries offer performance benefits Export to several other formats 21

22 SQLite DataBase Three tables : Info (timeline tool). Events (main). Keydata (keys). SQLite database containing millions of low-level events 22

23 Events Table in PyDFT DataBase 23

24 Reconstruction of high-level events The approach is based on a plugin framework where each plugin Analyzer is a script that detects a particular type of high-level event 24

25 Automated Analysis Analysis Concept (simple) 25

26 Analysis Concept (complex) Reasoning (Trigger, Supporting, Contradictory) 26

27 Simple test events (Example) 27

28 Test Events (YouTube Example) 28

29 YouTube Example (Cont.) 29

30 Events Comparing (Example) 30

31 Pseudo Code of Analyzer Only 22 analyzers implemented. Some examples of which include (User Creation, Windows Installation, Google Search, YouTube Video Access, Skype Call and USB Connected) 31

32 Analyzer (Example) 32

33 High-level event format 33

34 Supporting and contradictory artifacts 34

35 Case folder structure 35

36 Results - Examples (Bing Search) 36

37 Bing Search (Cont.) 37

38 Examples (USB Device Connection) 38

39 USB Device Connection (Cont.) Test Events: Trigger event : Setup API entry for USB found (VID:07AB PID:FCF6 Serial:07A80207B128BE08) Setup API USBSTOR entry found USBStor details found in Registry Windows Portable Device entry found in Registry 39

40 Visualizing high-level timelines using Timeflow 40

41 Timeflow (Cont.) 41

42 Performance 42

43 Future Work More extractors including importing from other tools. More complex analyzers. More Testing. More efficient Comparison method Parallel processing. Visualizations. 43

44 44

45 45