An automated timeline reconstruction approach for digital forensic investigations
Christopher Hargreaves and Jonathan Patterson, DFRWS 2012
Original presentation at DFRWS: http://www.dfrws.org/2012/proceedings/dfrws2012-p8.pdf
Original paper: http://www.sciencedirect.com/science/article/pii/s174228761200031x
http://www.dfrws.org/2012/proceedings/dfrws2012-8.pdf

Presentation outline
Introduction
Super TimeLine
Research Objectives
Generation of low-level events
Reconstruction of high-level events
Results and Future Work
Introduction: what is a timeline?
A timeline is a way of displaying a list of events in chronological order; it is a form of visualization.

DF timelines
A digital timeline can be defined as the representation of useful information relating to a specific security event (Carbone and Bean 2011).

Traditional DF timeline problems: credibility
Timestamps are modified during what can be called normal user or operating system behaviour, e.g. by automated scanning tools.
File attribute manipulation programs such as timestomp (anti-forensics).

Timeline problems (cont.)
BIOS and system clock settings.
Multi-user systems.
Disabling of the last access update in the system, by altering or creating a DWORD entry called NtfsDisableLastAccessUpdate with the value 1 in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem (Chow 2006).

NTFS: a little-known property
Time is recorded in two places: the $STDINFO attribute and the $Filename attribute.
http://computer-forensics.sans.org/blog/2010/04/12/windows-7-mft-entrytimestamp-properties

Other timestamp sources
Event logs, registry files, internet history, email files, Recycle Bin/Recycler, thumbs.db, logs, chat logs, restore points, internet/network capture files, archive files.
Super TimeLine
One of the solutions to the shortcomings of traditional timeline analysis is expanding it with information from multiple sources to get a better picture of the events (Guðjónsson 2010).

Existing super timeline tools
Timelines based on file system times, e.g. EnCase, Sleuth Kit.
Timelines including times from inside files, e.g. Cyber Forensic Time Lab (CFTL), log2timeline.
Visualizations, e.g. EnCase, Zeitline, Aftertime.

Aftertime
Netherlands Forensic Institute (NFI Labs), 2005. Aftertime.

Zeitline
Buchholz, F. and Falk, C., 2005. Design and Implementation of Zeitline: a Forensic Timeline Editor. Digital Forensics Research Workshop.

Cyber Forensic Time Lab (CFTL)
Olsson, J. and Boldt, M., 2009. Computer forensic timeline visualization tool. Digital Investigation, 6 (Supplement 1), pp. S78-S87.

log2timeline
Guðjónsson, K., 2010. Mastering the Super Timeline with log2timeline.

Super timeline problems
A super timeline often contains too many events for the investigator to understand or to fully analyze, which makes data reduction, and an easier method of examining the timeline, essential (Guðjónsson 2010).
Research objectives
Needs to provide a gist: a summary of activity on the disk.
Needs an event reconstruction tool that produces human-understandable events.
Needs to satisfy forensic requirements, particularly traceability and repeatability.
Needs to be extensible, i.e. allow the community to add to it.

Overview of PyDFT (Python Digital Forensic Timeline)
Two main stages: low-level event extraction and high-level event reconstruction.
The research method in this case is the development of a software prototype, chosen over a design-based approach.

Overview of the PyDFT prototype
disk image -> low-level event database -> high-level timeline

Generation of low-level events
Extractor Manager (file name, path, content)
Parsers (generate usable values)
Bridges (map values)
Time Extractor

Low-level event format

Backing store for the low-level timeline
Internally in PyDFT, low-level events are implemented as a Python class.
SQLite: multiple advanced queries offer performance benefits, and the data can be exported to several other formats.

SQLite database
Three tables: Info (timeline tool), Events (main), Keydata (keys).
The SQLite database contains millions of low-level events.

Events table in the PyDFT database
Reconstruction of high-level events
The approach is based on a plugin framework where each plugin (an Analyzer) is a script that detects a particular type of high-level event.

Automated analysis: analysis concept (simple)

Analysis concept (complex)
Reasoning over trigger, supporting and contradictory artifacts.

Simple test events (example)

Test events (YouTube example)

YouTube example (cont.)

Comparing events (example)

Pseudo code of an Analyzer
Only 22 analyzers are implemented so far. Some examples include User Creation, Windows Installation, Google Search, YouTube Video Access, Skype Call and USB Connected.

Analyzer (example)

High-level event format

Supporting and contradictory artifacts

Case folder structure
Results: examples (Bing search)

Bing search (cont.)

Examples (USB device connection)

USB device connection (cont.)
Test events:
Trigger event: Setup API entry for USB found (VID:07AB PID:FCF6 Serial:07A80207B128BE08)
Setup API USBSTOR entry found
USBStor details found in Registry
Windows Portable Device entry found in Registry
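The trigger/supporting/contradictory reasoning from the analysis-concept slides, applied to the USB connection test events above, as an added Python illustration that is not PyDFT's own code: the event classes, the artifact labels, the time window and the "device already known before the window" rule for contradictory evidence are assumptions made here.

```python
import datetime as dt
from dataclasses import dataclass, field

@dataclass
class LowLevelEvent:
    time: dt.datetime
    artifact: str      # kind of low-level artifact the extractor produced (assumed labels)
    evidence: str      # human-readable description, as shown on the USB slide
    keys: dict = field(default_factory=dict)  # parsed key/value data (cf. the Keydata table)

@dataclass
class HighLevelEvent:
    description: str
    time: dt.datetime
    trigger: LowLevelEvent
    supporting: list
    contradictory: list

# Artifacts that corroborate a USB connection once a SetupAPI entry triggers the analyzer
SUPPORTING = {"setupapi_usbstor", "registry_usbstor", "registry_wpd"}

def usb_connection_analyzer(events, window=dt.timedelta(minutes=5)):
    """Trigger: a SetupAPI USB entry with a serial.  Supporting: USBSTOR / WPD artifacts
    for the same serial within `window`.  Contradictory (assumption of this illustration):
    such an artifact for the same serial written before the window (device known earlier)."""
    found = []
    for trig in (e for e in events if e.artifact == "setupapi_usb" and "serial" in e.keys):
        serial = trig.keys["serial"]
        supporting, contradictory = [], []
        for ev in events:
            if ev.artifact not in SUPPORTING or ev.keys.get("serial") != serial:
                continue  # unrelated artifact or a different device
            if abs(ev.time - trig.time) <= window:
                supporting.append(ev)
            elif ev.time < trig.time:
                contradictory.append(ev)
        found.append(HighLevelEvent(f"USB device {serial} connected", trig.time,
                                    trig, supporting, contradictory))
    return found

# Constructed sample low-level events for the slide's device (not real case data)
T0 = dt.datetime(2012, 3, 1, 10, 0, 0)
DEV = {"vid": "07AB", "pid": "FCF6", "serial": "07A80207B128BE08"}
SAMPLE_EVENTS = [
    LowLevelEvent(T0, "setupapi_usb", "Setup API entry for USB found", DEV),
    LowLevelEvent(T0 + dt.timedelta(seconds=3), "setupapi_usbstor", "Setup API USBSTOR entry found", DEV),
    LowLevelEvent(T0 + dt.timedelta(seconds=12), "registry_usbstor", "USBStor details found in Registry", DEV),
    LowLevelEvent(T0 + dt.timedelta(seconds=40), "registry_wpd", "Windows Portable Device entry found in Registry", DEV),
    LowLevelEvent(T0 + dt.timedelta(minutes=2), "browser_history", "Bing search (unrelated event)"),
]
```

Running `usb_connection_analyzer(SAMPLE_EVENTS)` yields one high-level event with three supporting and no contradictory artifacts; an extra USBSTOR entry for the same serial dated well before the trigger would be reported as contradictory instead.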
Visualizing high-level timelines using Timeflow
https://github.com/flowingmedia/timeflow/wiki/

Timeflow (cont.)

Performance

Future work
More extractors, including importing from other tools.
More complex analyzers.
More testing.
A more efficient comparison method.
Parallel processing.
Visualizations.