Timeline

Plaso

  • log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or storage media image or device. log2timeline creates a plaso storage file which can be analyzed with the pinfo and psort tools.

  • psort is a command line tool to post-process plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of plaso storage files.

  • psteal is a command line tool that combines the functionality of log2timeline and psort.

Plaso tools

psteal.py

This will produce a csv file containing all the events from an image

log2timeline (1st step)

Sometimes you may not want to do a complete timeline that extracts events from every discovered file. To do a more targeted timelining, the -f FILTER_FILE parameter can be used.

I usually use filter_windows.yaml to shorten the loading time for all Windows images.

psort (2nd step)

I usually use the date filter to filter out irrelevant dates in this step.

To see a list of supported formats:

Docker

We can also use Docker to run log2timeline and psort: the image ships the latest version and we don't need to bother with the dependencies.

Pull the Plaso image from Docker Hub.

Run it from your working directory, mounting your data directory into the container as a volume (e.g. /data).

Timeline Explorer / Elasticsearch (3rd step)

Upload to Elasticsearch via the command line

Output as CSV

When the output is CSV, we can open it with Eric Zimmerman's Timeline Explorer (see below).
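The three Plaso steps above (targeted extraction with a filter file, date-filtered sorting, CSV or Elasticsearch output), plus the Docker variant, as one script. This is an added example, not code from the notes or from the Plaso project; the image path /data/case1.E01, the storage file name, the output directory and the Elasticsearch index name case1 are assumptions, while the filter file, the /data mount and the tool names are those the notes use.

```bash
#!/usr/bin/env bash
# Added example: Plaso pipeline (log2timeline -> psort -> CSV / Elasticsearch),
# runnable natively or through the log2timeline/plaso Docker image.
# Assumed paths: /data/case1.E01 (image), /data/case1.plaso (storage), /data/out (outputs).
set -u

IMAGE="${IMAGE:-/data/case1.E01}"
STORAGE="${STORAGE:-/data/case1.plaso}"
OUTDIR="${OUTDIR:-/data/out}"
FILTER_FILE="${FILTER_FILE:-/usr/share/plaso/filter_windows.yaml}"
# Set USE_DOCKER=1 to run the tools from the container; /data is bind-mounted as in the notes.
USE_DOCKER="${USE_DOCKER:-0}"

# plaso_tool TOOL ARGS...: runs log2timeline.py / psort.py / psteal.py directly or via Docker.
plaso_tool() {
  if [ "$USE_DOCKER" = "1" ]; then
    docker run --rm -v /data:/data log2timeline/plaso "$@"
  else
    "$@"
  fi
}

# build_date_filter START END: psort event-filter expression restricting output to
# [START 00:00:00, END 23:59:59] (dates as YYYY-MM-DD). Returns 1 on malformed input
# so a typo does not silently produce an empty or unbounded timeline.
build_date_filter() {
  local start="$1" end="$2"
  local re='^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
  if ! printf '%s' "$start" | grep -Eq "$re" || ! printf '%s' "$end" | grep -Eq "$re"; then
    echo "build_date_filter: dates must be YYYY-MM-DD" >&2
    return 1
  fi
  printf "date > '%s 00:00:00' AND date < '%s 23:59:59'" "$start" "$end"
}

# Step 1: targeted extraction; only the paths listed in the filter file are parsed.
extract_events() {
  plaso_tool log2timeline.py --storage-file "$STORAGE" -f "$FILTER_FILE" "$IMAGE"
}

# Step 2a: sort, apply the date window, write l2tcsv (the format Timeline Explorer opens).
export_csv() {
  local filter
  filter="$(build_date_filter "$1" "$2")" || return 1
  mkdir -p "$OUTDIR"
  plaso_tool psort.py -o l2tcsv -w "$OUTDIR/timeline.csv" "$STORAGE" "$filter"
}

# Step 2b: the same events straight into Elasticsearch (assumed host and index name).
export_elastic() {
  plaso_tool psort.py -o elastic --server 127.0.0.1 --port 9200 \
    --index_name case1 "$STORAGE"
}

# One-shot alternative that combines extraction and sorting.
psteal_csv() {
  mkdir -p "$OUTDIR"
  plaso_tool psteal.py --source "$IMAGE" -o dynamic -w "$OUTDIR/psteal.csv"
}

# List the supported parsers/plugins and output modules.
list_formats() {
  plaso_tool log2timeline.py --parsers list
  plaso_tool psort.py -o list
}

# Run as: ./plaso_pipeline.sh 2021-01-01 2021-01-31
if [ "$#" -eq 2 ]; then
  extract_events && export_csv "$1" "$2"
fi
```

With USE_DOCKER=1 every tool runs inside the container, so all paths you pass must be under the mounted /data directory; the filter file path is resolved inside the container, where the image ships it under /usr/share/plaso.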

Timeline Explorer by Eric Zimmerman

Color legend of the timeline explorer
  1. Load your combined csv into Timeline Explorer with <Open>

  2. Search with the filter or power filter

Timeline explorer

Shortcut key

Several useful shortcuts include:

CTRL-t: Tag or untag selected rows

CTRL-d: Bring up the Details window for super timelines

CTRL-C: Copy the selected cells (with headers) to the clipboard. Hold SHIFT to exclude the column header

Timesketch

  1. Install Timesketch using Docker. The detailed steps are at https://github.com/google/timesketch/blob/master/docs/Installation.md

  2. Create a case after logging in at https://127.0.0.1:5000

  3. Upload data using the Timesketch API

Upload data with Python

Import the Python libraries

Connect to your Timesketch server with the server IP, username and password

Code to enumerate sketches

Output

Set the target sketch

Use a streamer to upload the data to the server
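The same upload done from the shell, as an added example that is not the notes' own Python code: it uses the timesketch_importer command that ships with the timesketch-import-client package (the CLI counterpart of the ImportStreamer) and first checks the CSV header, because Timesketch's CSV import needs the columns message, datetime and timestamp_desc, which psort -o dynamic emits but l2tcsv does not. The server URL is the one from the notes; the credentials, the sketch id and the file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: validate a CSV for Timesketch, then upload it with timesketch_importer.
# Credentials and sketch id below are placeholders, not values from the notes.
set -u

TS_HOST="${TS_HOST:-https://127.0.0.1:5000}"
TS_USER="${TS_USER:-analyst}"
TS_PASS="${TS_PASS:-changeme}"   # placeholder; use --pwd-prompt interactively instead
SKETCH_ID="${SKETCH_ID:-1}"

# Columns Timesketch requires in a CSV timeline.
REQUIRED_COLUMNS="message datetime timestamp_desc"

# check_timesketch_csv FILE: returns 0 if the header has every required column,
# otherwise lists the missing ones on stderr and returns 1. Catches the common
# mistake of uploading an l2tcsv export before the upload fails half-way through.
check_timesketch_csv() {
  local file="$1" header col missing=""
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  header="$(head -n 1 "$file" | tr -d '\r')"
  for col in $REQUIRED_COLUMNS; do
    # wrap the header in commas so a name matches at the start, middle or end
    if ! printf ',%s,' "$header" | grep -q ",${col},"; then
      missing="$missing $col"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing column(s):$missing" >&2
    return 1
  fi
  return 0
}

# count_events FILE: number of data rows (header excluded), to compare with the
# event count Timesketch reports once the import has finished.
count_events() {
  local n
  n="$(wc -l < "$1")"
  echo $((n - 1))
}

# upload_timeline FILE NAME: streams FILE into sketch SKETCH_ID as timeline NAME.
upload_timeline() {
  local file="$1" name="$2"
  check_timesketch_csv "$file" || return 1
  echo "uploading $(count_events "$file") events as '$name' to sketch $SKETCH_ID"
  timesketch_importer --host "$TS_HOST" --username "$TS_USER" --password "$TS_PASS" \
    --sketch_id "$SKETCH_ID" --timeline_name "$name" "$file"
}

# Run as: ./ts_upload.sh timeline.csv case1-disk
if [ "$#" -eq 2 ]; then
  upload_timeline "$1" "$2"
fi
```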

Search queries for timesketch

File Download Capabilities

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| Mail Attachments | NO | There is just no parser for mail attachments, but this is a case where analysts are usually well off with a commercial forensic suite. |
| Skype History | YES | `parser:"skype"` |
| Browser Artifacts | YES | `source_short:"WEBHIST"` |
| Downloads | YES | `parser:"firefox_downloads" OR parser:"msiecf"`. Note that msiecf contains general browsing artifacts and is not limited to file downloads. |
| ADS Zone.Identifier | NO | |
| Open/Save MRU | CLAIMED | The MRU parsers are still something of a jungle. Plaso has a total of six different MRU list parsers[5], and it is not documented which one parses which artifact; despite their different names it is hard to guess, and one cannot get around digging into the source code. Empirical tests of the six MRU list parsers did not include the `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU` registry items that contain the Open/Save MRU artifacts. |

Program Execution Analysis

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| UserAssist | YES | `parser:"userassist"` |
| Last-VisitedMRU | YES | `"\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" OR "\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU"` |
| SystemBoot Autostart Progs. | YES | `parser:"windows_run"` |
| SystemBoot Autostart Svcs. | YES | `parser:"windows_services"` |
| AppCompatCache / Shimcache | PARTIAL | `parser:"appcompatcache"`. The parser gets the executable, which is the most important artifact. However, the shimcache also includes other information such as file size, last modification time, last update time and the execution flag; the parser would need to be improved to extract that supplementary information as well. |
| RecentApps | YES | `"\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"` |
| Prefetch | YES | `parser:"prefetch"` |
| LastCommands Executed | YES | `"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" OR "\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMRU"`; alternatively `parser:"mrulist_string" AND "\CurrentVersion\Explorer\RunMRU"` |
| Amcache.hive / RecentFileCache.bcf | PARTIAL | `parser:"amcache"`. This parser was run against a Windows 10 image and was not able to parse events; it is likely to be buggy. In general, event parsing seems to be tricky, as we noticed event parsers failing for various reasons. |
| SRUM | CLAIMED | `parser:"srum"`. Make sure to configure the SRUM artifact files in your filter.conf file. With our setup, log2timeline had trouble extracting the /Windows/System32/SRU folder from the image and Plaso failed to parse it properly; manually extracting the folder and running the parser will yield results. |
| BAM/DAM | YES | `"\Services\bam\UserSettings\" OR "\Services\dam\UserSettings\"` |

Deleted Files or File Knowledge

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| Thumbnails | NO | log2timeline/Plaso is a tool designed to extract meta information from files. It will collect timestamps from images, but for analyzing media artifacts such as pictures, music or video it is recommended to rely on a commercial forensics suite. |
| Thumbcache | NO | See above. |
| WordWheelQuery | YES | `"\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"`; alternatively `parser:"mrulistex_string" AND "\WordWheelQuery"` |
| RecycleBin | YES | `parser:"recycle_bin"` |

Network Activity and Physical Locations

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| Network History | YES | `parser:"networks"` |
| Shares, offline caching | YES | `"\Services\lanmanserver\Shares"` |
| MappedDrives | YES | `parser:"winreg/network_drives"` |
| WLAN Event Log | YES | `parser:"winevtx" AND (event_identifier:"11000" OR event_identifier:"8001" OR event_identifier:"8002" OR event_identifier:"8003" OR event_identifier:"6100")` |

Account Usage

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| RDP | YES | `parser:"winevtx" AND (event_identifier:"4778" OR event_identifier:"4779")` |
| ServiceEvents | YES | `parser:"winevtx" AND (event_identifier:"7034" OR event_identifier:"7035" OR event_identifier:"7036" OR event_identifier:"7040" OR event_identifier:"7045" OR event_identifier:"4097")` |
| LogonTypes | YES | One query per logon type, with N being one of 2, 3, 4, 5, 7, 8, 9, 10, 11, 12 or 13: `parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>N/"` |
| AuthenticationEvents | YES | `parser:"winevtx" AND (event_identifier:"4776" OR event_identifier:"4768" OR event_identifier:"4769" OR event_identifier:"4771")` |
| Success/Fail Logons | YES | `parser:"winevtx" AND (event_identifier:"4624" OR event_identifier:"4625" OR event_identifier:"4634" OR event_identifier:"4647" OR event_identifier:"4648" OR event_identifier:"4672" OR event_identifier:"4720")` |

External Devices, Storage

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| IDs, First/Last Time Use | PARTIAL | `parser:"windows_usb_devices"` and `parser:"windows_usbstor_devices"`, but the connection times are missing. These parsers get some information out of the registry, such as which USB devices were connected, but they do not analyze the setupapi.dev.log file, which also contains relevant information. Currently the Plaso parsers give some information about USB stick usage, but this definitely needs improvement. |
| User | YES | List GUIDs: `"SYSTEM\MountedDevices"`; users: `"\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"` |
| PnP Events | YES | `parser:"winevtx" AND event_identifier:"20001"` |
| Serial Numbers | NO | |
| Drive Letters and Vol. Names | NO | |
| Audit Removable Storage | YES | `parser:"winevtx" AND event_identifier:"4663"` |

Browser Usage

| Topic | Supported | Timesketch and Kibana Queries, Notes |
| --- | --- | --- |
| SearchTerms | YES | `source_short:"webhist"`, or by parser: `parser:"opera_typed_history" OR parser:"file_history" OR parser:"safari_history" OR parser:"chrome_27_history" OR parser:"chrome_8_history" OR parser:"firefox_history"`. Mind that the queries need some fine tuning with the URL search parameter, i.e. `AND "search" AND "q="`. |
| History | YES | `source_short:"webhist"` |
| Cookies | YES | `parser:"binary_cookies" OR parser:"chrome_cookies" OR parser:"firefox_cookies" OR parser:"msie_webcache"` |
| Cache | YES | `parser:"chrome_cache" OR parser:"firefox_cache" OR parser:"msie_webcache"` |
| Flash & Super Cookies | NO | No parser, but not very relevant. |
| SessionRestore | NO | No parser, but it would be nice to have one. |

Python code for searching Timesketch from a Jupyter notebook

Import the necessary libraries for searching

The first way of searching is to use the explore function

The second way of searching

A DateRangeChip object is used to control the date range of the query's output

How to create a timeline from a hard drive image and a memory dump with SleuthKit and Volatility's timeliner plugin

SleuthKit

Extract a filesystem bodyfile from the .E01 file

Volatility

Run the timeliner plugin against the memory image file

Run the mftparser Volatility plugin

Combine the memory timeline and the mftparser timeline with the filesystem bodyfile

Extract the combined filesystem and memory timeline

Apply whitelist
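The SleuthKit and Volatility steps above carried through end to end, as an added example rather than the notes' own commands. It uses Volatility 2 (`vol.py` with a profile) for the timeliner and mftparser body files, `fls` and `mactime` from SleuthKit, and finishes with the whitelist pass: every row containing a fixed string from a whitelist file is dropped while the header survives. The image names, the NTFS partition offset and the Volatility profile are assumptions; take yours from `mmls` and `imageinfo` output.

```bash
#!/usr/bin/env bash
# Added example: filesystem + memory timeline with SleuthKit and Volatility 2, then a
# whitelist pass. Image names, partition offset and profile below are assumptions.
set -u

E01="${E01:-/data/case1.E01}"
MEM="${MEM:-/data/case1.mem}"
PROFILE="${PROFILE:-Win7SP1x64}"    # from `vol.py -f $MEM imageinfo`
OFFSET="${OFFSET:-206848}"          # sector offset of the NTFS volume, from `mmls $E01`
WORK="${WORK:-/data/timeline}"

# Step 1: bodyfile of the filesystem; fls reads E01 directly when SleuthKit has libewf,
# -m prefixes paths with a mount point, -r recurses, -o selects the volume.
fs_bodyfile() {
  mkdir -p "$WORK"
  fls -r -m 'C:' -o "$OFFSET" "$E01" > "$WORK/fs.body"
}

# Step 2: Volatility 2 timeliner and mftparser, both emitted in mactime body format.
mem_bodyfiles() {
  vol.py -f "$MEM" --profile="$PROFILE" timeliner --output=body --output-file="$WORK/timeliner.body"
  vol.py -f "$MEM" --profile="$PROFILE" mftparser --output=body --output-file="$WORK/mft.body"
}

# Step 3: one combined body file, rendered by mactime as CSV (-d) with ISO dates (-y) in UTC.
combine_and_render() {
  cat "$WORK/fs.body" "$WORK/timeliner.body" "$WORK/mft.body" > "$WORK/combined.body"
  mactime -b "$WORK/combined.body" -d -y -z UTC > "$WORK/combined.csv"
}

# apply_whitelist TIMELINE WHITELIST: drops every row containing any fixed string
# listed in WHITELIST (one per line; '#' comments and blank lines ignored). The header
# row is always kept. Writes the filtered timeline to stdout.
apply_whitelist() {
  local timeline="$1" whitelist="$2" tmp
  tmp="$(mktemp)"
  grep -v -e '^#' -e '^[[:space:]]*$' "$whitelist" > "$tmp" || true
  head -n 1 "$timeline"
  if [ -s "$tmp" ]; then
    # grep exits 1 when every row is filtered out; that is not an error here
    tail -n +2 "$timeline" | grep -v -F -f "$tmp" || true
  else
    tail -n +2 "$timeline"
  fi
  rm -f "$tmp"
}

# Run as: ./tsk_timeline.sh whitelist.txt > filtered.csv
if [ "$#" -eq 1 ]; then
  fs_bodyfile && mem_bodyfiles && combine_and_render
  apply_whitelist "$WORK/combined.csv" "$1"
fi
```

Fixed-string matching (`-F`) is deliberate: whitelist entries are paths such as `C:/Windows/WinSxS/`, and treating them as regular expressions would make dots and brackets match more than intended. Keep the whitelist under version control with the case so that the filtering applied to the timeline is reproducible.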

How to create a super timeline with log2timeline

Process to create the super timeline (Source: https://dfirmadness.com/case-001-super-timeline-analysis/)
  1. Process memory image with Volatility Timeliner, Shellbags, and MFT modules into a single memory timeline body file.

  2. Process E01 image timeline data with log2timeline into a plaso dump file with selected parsers.

  3. Process the memory body file into the plaso dump file with the mactime body parser.

  4. Sort the data with psort into a CSV.

  5. Filter the CSV to remove excess Windows noise if desired.

Create body file with Volatility

  1. The MFT module will carve out Master File Table residue that was in memory at the time of capture.

  2. The Shellbags module will retrieve registry information regarding Windows GUI settings for Explorer that were stored in memory.

  3. The timeliner plugin helps investigators by providing a timeline of all the events that took place when the image was acquired.

  4. The timeliner plugin groups details by time and includes process, PID, process offset, DLLs used, registry details, and other useful information.

Volatility 2

Volatility 3

Combine the body file

Timeline Dump file Creation

Triage

Creating a Triage style Super Timeline is easy. Simply using the premade filter included with Log2timeline will generate a great timeline to effectively triage a disk image.

The filter is located at /usr/share/plaso/filter_windows.txt and is designated with the -f switch. As stated above, this filter will filter on (extract) the following items:

  • MFT

  • NTFS LogFile

  • UsnJrnl

  • Recycle bin artifacts

  • Windows Registry files

  • Recent file activity

  • Jump List Files

  • Windows Event Logs

  • Windows Artifacts

  • Prefetch files

  • Browser History Artifacts

Target Timeline

Parse winevtx, bagmru, usnjrnl, prefetch, amcache, winreg_default and SRUM. Add the memory body file with the mactime parser. Run the commands in order.
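Steps 1 to 4 of the super timeline procedure (memory body file, disk artefacts with the selected parsers, memory body file added through the mactime parser, psort to CSV) as one script. This is an added example, not the notes' or dfirmadness's own commands. It uses Volatility 3's `timeliner.Timeliner --create-bodyfile`, which writes volatility.body into the current directory, and adds a check that the body file really has the 11 pipe-separated fields the mactime parser expects before a long log2timeline run is started on it. File names, the working directory and the parser/plugin spelling of the names listed in the notes are assumptions.

```bash
#!/usr/bin/env bash
# Added example: plaso super timeline = disk events (selected parsers) + memory body
# file (mactime parser) in one storage file, sorted by psort. Paths are assumptions.
set -u

E01="${E01:-/data/case1.E01}"
MEM="${MEM:-/data/case1.mem}"
WORK="${WORK:-/data/super}"
STORAGE="$WORK/case1.plaso"
# Parsers named in the notes, written in plaso's parser/plugin form where they are plugins
# (check `log2timeline.py --parsers list` for the names your plaso version uses).
TARGET_PARSERS="winevtx,winreg/bagmru,usnjrnl,prefetch,amcache,winreg/winreg_default,esedb/srum"

# Step 1 (Volatility 3): timeliner writes volatility.body into the current directory.
memory_bodyfile() {
  mkdir -p "$WORK"
  ( cd "$WORK" && vol.py -f "$MEM" timeliner.Timeliner --create-bodyfile )
  mv "$WORK/volatility.body" "$WORK/memory.body"
}

# check_bodyfile FILE: the mactime body format has 11 pipe-separated fields per line
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime). Any other field count
# is reported with its line number and the function returns 1, so a truncated or
# mis-formatted file is caught before it is fed to log2timeline. Blank lines are ignored.
check_bodyfile() {
  local bad
  bad="$(awk -F'|' 'NF != 11 && NF > 0 { print FILENAME":"NR": "NF" fields" }' "$1")"
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Step 2: disk artefacts with the selected parsers only.
disk_events() {
  log2timeline.py --storage-file "$STORAGE" --parsers "$TARGET_PARSERS" "$E01"
}

# Step 3: add the memory body file to the same storage file with the mactime parser.
memory_events() {
  check_bodyfile "$WORK/memory.body" || return 1
  log2timeline.py --storage-file "$STORAGE" --parsers mactime "$WORK/memory.body"
}

# Step 4: sort everything into one CSV.
render_csv() {
  psort.py -o l2tcsv -w "$WORK/supertimeline.csv" "$STORAGE"
}

# Run as: ./supertimeline.sh run
if [ "${1:-}" = "run" ]; then
  memory_bodyfile && disk_events && memory_events && render_csv
fi
```

Running disk and memory extraction into the same storage file is what makes the result a single sortable timeline; psort then interleaves process, thread and MFT records recovered from memory with the on-disk event log, registry, prefetch and SRUM events.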

Supertimeline
