Archive for March, 2010

Easier installation of log2timeline

March 31st, 2010 kiddi No comments

I decided to make the installation of log2timeline a bit easier, since I know that the installation of all those Perl libraries can be a burden sometimes, especially since most packaging systems don’t have all of the libraries in their repositories.  So I started out creating an Ubuntu repository that contains not only log2timeline but also the Perl libraries that are not part of the standard distribution.  All you need to do is to add the following line to the /etc/apt/sources.list file:

deb http://log2timeline.net/pub/ karmic main

Then to get apt to accept my GPG key you need to download it from here (MD5/SHA256) and make apt use it by issuing the command:

apt-key add gpg.asc

This is it… now you should be able to use the repository and simply issue the command:

apt-get update
apt-get install log2timeline-perl

And all the dependencies should be resolved and you have a working copy of log2timeline on your Ubuntu box, as simple as that. The only problem I’ve had so far is that I’m only distributing the code for the i386 and “all” architectures, so for those that are using a different architecture (let’s say amd64) you need to either download the “all” package or use the good old manual installation until I’ve added your architecture to the repository.
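The steps above (repository line, signing key, update, install) collected into one script, as an added example that is not part of the original post or of the log2timeline project. The post says the key ships with MD5/SHA256 digests, so the script refuses to hand the key to apt-key unless its SHA256 digest matches the published value; the key URL and the digest are placeholders you fill in from the download page.

```shell
#!/bin/sh
# Added example: install log2timeline from the Ubuntu repository described above,
# checking the repository signing key's SHA256 digest before apt trusts it.
# KEY_URL and EXPECTED_SHA256 are placeholders (assumed), not values from the post.

REPO_LINE='deb http://log2timeline.net/pub/ karmic main'
KEY_URL='http://log2timeline.net/pub/gpg.asc'        # assumed location of the key
EXPECTED_SHA256='REPLACE_WITH_PUBLISHED_SHA256'       # digest published next to the key

# verify_key FILE EXPECTED: succeed only if FILE's SHA256 digest equals EXPECTED.
verify_key() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# add_repo_line LISTFILE: append the repository line unless it is already there,
# so running the script twice does not duplicate the entry.
add_repo_line() {
    list="$1"
    grep -qxF "$REPO_LINE" "$list" 2>/dev/null || echo "$REPO_LINE" >> "$list"
}

# Full procedure: repo line, verified key, package index refresh, install.
install_log2timeline() {
    add_repo_line /etc/apt/sources.list
    wget -O /tmp/gpg.asc "$KEY_URL"
    if ! verify_key /tmp/gpg.asc "$EXPECTED_SHA256"; then
        echo "gpg.asc digest does not match the published SHA256; not adding it" >&2
        return 1
    fi
    apt-key add /tmp/gpg.asc
    apt-get update
    apt-get install log2timeline-perl
}

# Only act when explicitly asked: `sh install-log2timeline.sh install` (run as root).
case "${1:-}" in
    install) install_log2timeline ;;
esac
```

The digest check matters because apt-key makes every package signed by that key installable system-wide; comparing against the value published on the download page catches a key that was tampered with or swapped in transit.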

In other news, if you are using Fedora, you should be able to use the CERT repository. They are maintaining a Fedora repository for forensics tools.  So if you are using a Fedora machine, all you need to do is to follow the instructions given here and then issue

yum install log2timeline

And all dependencies will be sorted out for you. Couldn’t be simpler to get it installed.

The next step would be to make the code OS neutral and create a working Windows executable to distribute, since there are still some parts of the code that are *NIX only, such as problems with the / vs. \ path separators and the use of temporary directories, all minor issues but they need to be solved nonetheless. It would also be nice to add a macports package, to make installation easier on the Mac OS X platform, something to work on in the near future…

And check out the new post from Chris talking about timescanner. He got timescanner to run on Windows, although I can see in the output that not all of the code seems to work, such as getting the username for some of the input modules.  This is most likely to do with the / vs. \ problem (*NIX vs. WIN), so this is one of the issues I need to fix to get the tool to properly run on the Windows platform.

Timelines, again

March 23rd, 2010 kiddi No comments

I forgot to mention Aftertime in my last blog post, which is a new tool to create and analyse timelines.  Rob pointed this tool out to me the other day, and I’ve done some limited testing on it.  It is very easy to create the timeline, just add the image file and let it crunch through it, all point-and-click and easy.  That is nice and I’m sure some will prefer that over the CLI method of log2timeline, where you need to use the command line and know the parameters of the tool, etc.  The tool also provides a nice GUI to display the timeline, using separate colors for each source, and to create reports.  Yet somehow I got the feeling it might be easy to overlook some of the important events, especially if there are only a couple of them. This might be because I’m not used to examining timelines visually like this or because it might be hard to detect a single event that is surrounded by benign ones using a visual method like this. This is something I have to test further, since I think there are a lot of benefits to being able to visualize the timeline.

Harlan Carvey posted yesterday about some of the links that you see in this post.  One of which was the addition of regtime.pl output into the timeline, which includes every change made to the registry.  I haven’t added that functionality into log2timeline yet, that is to parse every single registry key into the timeline.  Today I’ve only included the UserAssist key, which adds more context to the registry entries than simply dumping everything there.  In the near future you will see a lot more registry entries parsed using log2timeline, where I intend to parse only specific keys to add to the timeline, parsed and put into context.  I’ve been playing around with a few of these entries and I hope to add, in version 0.51, at least part of my thoughts on the subject.

I agree with Harlan that adding every registry entry into the timeline can sometimes be overkill and drown you in events, and that in some cases it might lose some context (since you are not parsing the content of the keys).  However, I have to admit that in some cases it really helps you find some registry entries that you might have otherwise missed.  I know that it has helped me greatly in at least a few exams that I’ve done where I used tools like regtime.pl or reglookup-timeline to create the timeline.  In those cases I had a very specific timeframe which I was looking at, making the addition not so difficult to parse through, and I found evidence or settings of software that I did not know at the time was installed (since timeline analysis is often the first step I do).  That led me quickly to what I was really looking for, thereby shortening the investigation time considerably.  I’m not saying that I wouldn’t have found what I was looking for using other methods, but adding the content of the entire registry into the timeline greatly reduced the investigation time, so I think there is definitely value in it.  That being said, adding modules for log2timeline that actually parse the content of some specific keys and add context to those last write times adds more value to the timeline than just the last write time and the name of the key, but it will never catch everything and every little piece of software you might have installed.  One thing that I liked about Aftertime though was that you could easily put everything into the timeline and then, if you didn’t like seeing all the registry keys for example, you could simply exclude them from the timeline and focus on something else, so if a particular source was somehow not useful at all, you could easily exclude it from the timeline (something that can be done using awk for instance on an ASCII file, but not something that everyone perhaps likes to do).
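The awk approach mentioned above, written out as an added example (not from the post or from log2timeline itself). It assumes the timeline is in TLN format, five pipe-separated fields of time|source|host|user|description with the time in seconds since the Unix epoch, and goes one step beyond the post by combining the source exclusion with the narrow timeframe the post describes working in; the sample timeline lines are constructed for the example.

```shell
#!/bin/sh
# Added example: trim an ASCII timeline with awk by dropping one source and
# restricting to a time window. Assumes TLN: time|source|host|user|description.

# Constructed sample timeline (not real case data): two REG, one WEBHIST, two FILE events.
SAMPLE_TLN='1268000000|REG|HOST1|alice|HKCU Run key last written
1268003600|WEBHIST|HOST1|alice|visited http://example.invalid/
1268007200|REG|HOST1|alice|UserAssist entry updated
1268010800|FILE|HOST1|-|C:\Users\alice\setup.exe created
1268500000|FILE|HOST1|-|C:\Windows\Temp\x.tmp deleted'

# tln_filter EXCLUDED_SOURCE START END < timeline.tln
# Prints events whose source differs from EXCLUDED_SOURCE and whose time lies
# within [START, END] (epoch seconds). awk compares $1 numerically because both
# the field and the -v values look like numbers.
tln_filter() {
    awk -F'|' -v skip="$1" -v start="$2" -v end="$3" \
        '$2 != skip && $1 >= start && $1 <= end'
}

# count_kept EXCLUDED_SOURCE START END: how many sample events survive the filter.
count_kept() {
    printf '%s\n' "$SAMPLE_TLN" | tln_filter "$1" "$2" "$3" | grep -c .
}

# Example run: everything except registry events in the first day of the sample.
printf '%s\n' "$SAMPLE_TLN" | tln_filter REG 1268000000 1268100000
```

Passing a source name that does not occur in the file (say NONE) turns the function into a pure time-window filter, which is the quickest way to carve the "very specific timeframe" out of a full timeline before reading it.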

Timeline analysis, links and discussion

March 22nd, 2010 kiddi 1 comment

Timeline analysis has been getting a lot of press lately.  Harlan discussed some of the sources and usability of timeline analysis in a recent blog post. And then you’ve got a few posts that describe how to create timelines, both from a live Windows machine and from registry files. Rob Lee also posted a blog about creating timelines from volume shadow copies.

Then log2timeline has been getting some discussion as well. Paul Bobby actually pointed out some bugs to me, as well as publishing two posts on his blog, one being a discussion of the issues of mounting the image file using Encase and accessing log2timeline from a virtual machine. The other one is about an Encase script to extract all the files that log2timeline is capable of parsing (at least most of them) to a directory, to make it easy for log2timeline to parse them without the need to mount the image file.

Rob Lee also posted a blog post about super timeline creation, using, among other tools, log2timeline.  I will post similar posts to Rob’s soon, I just have to complete the new version of the tool first.  The plan is to complete it, which I hope will add some good improvements, before the SANS EU forensics summit. And speaking of the summit, the detailed agenda for the SANS EU forensics summit is up, make sure you don’t miss it.

log2timeline updated

March 6th, 2010 kiddi 5 comments

I’ve just released a new version of log2timeline, version 0.42.  The new version includes two new input modules, one for extracting timestamps from PDF metadata and another one from McAfee anti-virus log files.  The new version also includes several bug fixes; the full changelog can be read here. The development focus will be to move the tool to version 0.50, which will introduce a new design of how timestamps and related information are handled within the framework, including a shift to TLN as the standard output format; more details can be found in the roadmap.

log2timeline will also be included in the upcoming 2.0 release of the SIFT (SANS Investigative Forensic Toolkit) workstation, which will be available soon (and yes it is based on Ubuntu now). That way people can enjoy the tool without needing to go through the installation process with all the needed dependencies.

The agenda for the upcoming SANS EU forensics summit is up. I encourage everyone that has the chance to attend this summit, there are some great talks and of course a great chance to meet some of the top experts in computer forensics in Europe.  And of course a chance to meet with me and get me to implement some feature in log2timeline that you always wished was there, but for some odd reason you didn’t send me an e-mail to request it.
