Timeline
log2timeline is a command line tool to extract events from individual files, recursing a directory (e.g. mount point) or storage media image or device. log2timeline creates a plaso storage file which can be analyzed with the pinfo and psort tools.
psort is a command line tool to post-process plaso storage files. It allows you to filter, sort and run automatic analysis on the contents of plaso storage files.
psteal is a command line tool that combines the functionality of log2timeline and psort.
Running psteal against an image produces a CSV file containing every event extracted from it.
Sometimes you may not want a complete timeline that extracts events from every discovered file. For more targeted timelining, use the -f FILTER_FILE parameter, which restricts extraction to the files matched by the filter file.
I usually use filter_windows.yaml to shorten the loading time for all Windows images.
I usually use the date filter to filter out the irrelevant dates in this step.
To see the list of supported formats (parsers and plugins), run log2timeline.py with --info.
Docker can also be used to run log2timeline and psort: the official image tracks the latest release and avoids dependency problems.
Install Docker and pull the plaso image (log2timeline/plaso) from Docker Hub.
Run it from your working directory, mounting your data directory as a volume inside the container (e.g. /data); every path given to the tools must then refer to the mounted location.
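The commands for the steps above (a full timeline with psteal, a targeted extraction with a filter file, a psort date filter, and the Docker variant), as an added example rather than the original page's commands. It assumes plaso is installed as log2timeline.py, psort.py and psteal.py (or run through the log2timeline/plaso image); the image path, output names and dates are placeholders, and DRY_RUN=1 prints each command instead of executing it.

```shell
#!/usr/bin/env bash
# Added example (not the original page's commands): a thin wrapper around the
# plaso command-line tools for the steps described above.
# Assumptions: plaso is installed as log2timeline.py / psort.py / psteal.py,
# the image path, output names and dates below are placeholders, and
# DRY_RUN=1 prints each command instead of running it.
set -eu

run() {                      # echo the command, then execute it unless DRY_RUN=1
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Full timeline: psteal combines log2timeline and psort; every discovered
# file is parsed and all events are written straight to CSV.
full_timeline() {            # full_timeline <image> <out.csv>
    run psteal.py --source "$1" -o l2tcsv -w "$2"
}

# Targeted timeline: only files matched by the filter file are parsed,
# which cuts extraction time considerably on large Windows images.
targeted_extract() {         # targeted_extract <image> <out.plaso> <filter_file>
    run log2timeline.py --storage-file "$2" -f "$3" "$1"
}

# Post-processing: sort the storage file into CSV and keep only events
# inside a date window, using plaso's event filter syntax.
sorted_csv_in_range() {      # sorted_csv_in_range <in.plaso> <out.csv> <start> <end>
    run psort.py -o l2tcsv -w "$2" "$1" "date > '$3' AND date < '$4'"
}

# Same extraction inside the official container. The host data directory is
# mounted as /data, so every path handed to log2timeline must start with /data.
docker_extract() {           # docker_extract <host_data_dir> <image_file> <out.plaso>
    run docker run --rm -v "$1:/data" log2timeline/plaso \
        log2timeline.py --storage-file "/data/$3" "/data/$2"
}

# Supported formats (parsers, plugins and output modules).
list_formats() { run log2timeline.py --info; }

main() {                     # main <image.E01> <workdir>
    full_timeline "$1" "$2/full.csv"
    targeted_extract "$1" "$2/windows.plaso" filter_windows.yaml
    sorted_csv_in_range "$2/windows.plaso" "$2/windows.csv" \
        "2020-01-01 00:00:00" "2020-02-01 00:00:00"
}
[ $# -eq 0 ] || main "$@"
```

Run it as `./timeline.sh /cases/image.E01 /cases` (or with `DRY_RUN=1` first to review the commands). The date filter is applied by psort, not log2timeline, so the storage file keeps every extracted event and can be re-sorted with a different window later without re-parsing the image.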
When the output is CSV, it can be opened with Eric Zimmerman's Timeline Explorer (see below).
Load your combined csv into Timeline Explorer with <Open>
Search with the filter or power filter
Several useful shortcuts include:
CTRL-t: Tag or untag selected rows
CTRL-d: Bring up the Details window for super timelines
CTRL-C: Copy the selected cells (with headers) to the clipboard. Hold SHIFT to exclude the column header
Install Timesketch using Docker; the detailed steps are at https://github.com/google/timesketch/blob/master/docs/Installation.md
Create a sketch (case) after logging in at https://127.0.0.1:5000
Upload data using the Timesketch API client:
Import the Python libraries (timesketch_api_client and timesketch_import_client)
Connect to your Timesketch server with its address, username and password
Enumerate the available sketches and check the output
Set the target sketch
Use an ImportStreamer to upload the data to the server
Plaso parser coverage of common Windows artifacts, with the Timesketch/Kibana query for each:

| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| Mail Attachments | NO | There is no parser for mail attachments, but this is a case where analysts are usually better off with a commercial forensic suite. |
| Skype History | YES | `parser:"skype"` |
| Browser Artifacts | YES | `source_short:"WEBHIST"` |
| Downloads | YES | `parser:"firefox_downloads" OR parser:"msiecf"` (note that msiecf contains general browsing artifacts and is not limited to file downloads) |
| ADS Zone.Identifier | NO | |
| Open/Save MRU | CLAIMED | MRU parsers are still something of a jungle. Plaso has six different MRU list parsers [5], and it is not documented which one parses which artifact; the names do not reveal which artifact each one handles, so there is no way around digging into the source code. Moreover, empirical tests of the six MRU list parsers did not cover the `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU` key, which holds the Open/Save MRU artifacts. |
| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| UserAssist | YES | `parser:"userassist"` |
| Last-Visited MRU | YES | `"\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" OR "\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU"` |
| System Boot Autostart Programs | YES | `parser:"windows_run"` |
| System Boot Autostart Services | YES | `parser:"windows_services"` |
| AppCompatCache / Shimcache | PARTIAL | `parser:"appcompatcache"`. The parser gets the executable path, which is the most important artifact, but the Shimcache also holds other information such as file size, last modification time, last update time and the execution flag; the parser would need to be improved to extract this supplementary information as well. |
| RecentApps | YES | `"\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"` |
| Prefetch | YES | `parser:"prefetch"` |
| Last Commands Executed | YES | `"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" OR "\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMRU"`, or `parser:"mrulist_string" AND "\CurrentVersion\Explorer\RunMRU"` |
| Amcache.hve / RecentFileCache.bcf | PARTIAL | `parser:"amcache"`. This parser was run against a Windows 10 image and was not able to parse any events; it is likely buggy. In general, event parsing seems to be tricky, as we noticed the event parser failing for various reasons. |
| SRUM | CLAIMED | `parser:"srum"`. Make sure to configure the SRUM artifact files in your filter.conf file. With our setup, log2timeline had trouble extracting the /Windows/System32/SRU folder from the image and Plaso failed to parse it properly; manually extracting the folder and running the parser against it will yield results. |
| BAM/DAM | YES | `"\Services\bam\UserSettings\" OR "\Services\dam\UserSettings\"` |
| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| Thumbnails | NO | log2timeline/Plaso is a tool designed to extract metadata from files: it will collect timestamps from images, but for analysing media artifacts such as pictures, music or video it is recommended to rely on a commercial forensics suite. |
| Thumbcache | NO | See above. |
| WordWheelQuery | YES | `"\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"`, or `parser:"mrulistex_string" AND "\WordWheelQuery"` |
| RecycleBin | YES | `parser:"recycle_bin"` |
| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| Network History | YES | `parser:"networks"` |
| Shares, Offline Caching | YES | `"\Services\lanmanserver\Shares"` |
| Mapped Drives | YES | `parser:"winreg/network_drives"` |
| WLAN Event Log | YES | `parser:"winevtx" AND (event_identifier:"11000" OR event_identifier:"8001" OR event_identifier:"8002" OR event_identifier:"8003" OR event_identifier:"6100")` |
| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| RDP | YES | `parser:"winevtx" AND (event_identifier:"4778" OR event_identifier:"4779")` |
| Service Events | YES | `parser:"winevtx" AND (event_identifier:"7034" OR event_identifier:"7035" OR event_identifier:"7036" OR event_identifier:"7040" OR event_identifier:"7045" OR event_identifier:"4097")` |
| Logon Types | YES | `parser:"winevtx" AND event_identifier:"4624" AND xml_string:"/LogonType\"\>N/"` with N one of 2, 3, 4, 5, 7, 8, 9, 10, 11, 12 or 13 (one query per logon type) |
| Authentication Events | YES | `parser:"winevtx" AND (event_identifier:"4776" OR event_identifier:"4768" OR event_identifier:"4769" OR event_identifier:"4771")` |
| Success/Fail Logons | YES | `parser:"winevtx" AND (event_identifier:"4624" OR event_identifier:"4625" OR event_identifier:"4634" OR event_identifier:"4647" OR event_identifier:"4648" OR event_identifier:"4672" OR event_identifier:"4720")` |
| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| IDs, First/Last Time Use | PARTIAL | `parser:"windows_usb_devices"` or `parser:"windows_usbstor_devices"`, but the connection times are missing. These parsers get some information out of the registry, such as which USB devices were connected, but they do not analyse the setupapi.dev.log file, which also holds relevant information. Currently the Plaso parsers give some information about USB stick usage, but this definitely needs improvement. |
| User | YES | List GUIDs: `"SYSTEM\MountedDevices"`; Users: `"\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"` |
| PnP Events | YES | `parser:"winevtx" AND event_identifier:"20001"` |
| Serial Numbers | NO | |
| Drive Letters and Volume Names | NO | |
| Audit Removable Storage | YES | `parser:"winevtx" AND event_identifier:"4663"` |
| Topic | Supported | Timesketch and Kibana Queries, Notes |
|---|---|---|
| Search Terms | YES | `source_short:"webhist"`, or `parser:"opera_typed_history" OR parser:"file_history" OR parser:"safari_history" OR parser:"chrome_27_history" OR parser:"chrome_8_history" OR parser:"firefox_history"`. Mind that these queries need some fine tuning on the URL search parameter, e.g. `AND "search" AND "q="` |
| History | YES | `source_short:"webhist"` |
| Cookies | YES | `parser:"binary_cookies" OR parser:"chrome_cookies" OR parser:"firefox_cookies" OR parser:"msie_webcache"` |
| Cache | YES | `parser:"chrome_cache" OR parser:"firefox_cache" OR parser:"msie_webcache"` |
| Flash & Super Cookies | NO | No parser, but not very relevant. |
| Session Restore | NO | No parser, but it would be nice to have one. |
Import the libraries needed for searching
The first way to search is the sketch's explore function
The second way is a Search object
A DateRangeChip object is used to restrict the query's output to a date range
Extract a filesystem bodyfile from the .E01 image
Run the Volatility timeliner plugin against the memory image
Run the Volatility mftparser plugin
Append the memory timeline and the mftparser timeline to the filesystem bodyfile
Generate the combined filesystem and memory timeline
Apply the whitelist
Process the memory image with the Volatility timeliner, shellbags and mftparser modules into a single memory timeline bodyfile.
Process the E01 image timeline data with log2timeline into a plaso storage file using selected parsers.
Add the memory bodyfile to the plaso storage file with the mactime (bodyfile) parser.
Sort the data with psort into a CSV.
Filter the CSV to remove excess Windows noise if desired.
The mftparser module carves out Master File Table residue that was in memory at the time of capture.
The shellbags module retrieves registry information about Windows Explorer GUI settings that was stored in memory.
The timeliner plugin helps investigators by providing a timeline of the events recoverable from memory at the time the image was acquired.
The timeliner plugin groups details by time and includes process, PID, process offset, DLLs used, registry details and other useful information.
Creating a triage-style super timeline is easy: simply using the premade filter included with log2timeline will generate a timeline good enough to triage a disk image effectively.
The filter is located at /usr/share/plaso/filter_windows.txt (newer releases ship it as filter_windows.yaml) and is designated with the -f switch. This filter selects (extracts) the following items:
MFT
NTFS LogFile
UsnJrnl
Recycle bin artifacts
Windows Registry files
Recent file activity
Jump List Files
Windows Event Logs
Windows Artifacts
Prefetch files
Browser History Artifacts
Parse with the winevtx, bagmru, usnjrnl, prefetch, amcache, winreg_default and SRUM parsers. Add the memory bodyfile with the mactime parser. Run the commands in order.
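The memory plus disk procedure above, written out as a script. This is an added example, not the page's own commands: it assumes Volatility 2 is installed as vol.py, plaso as log2timeline.py and psort.py, and The Sleuth Kit supplies fls and mactime for the bodyfile variant; the profile, image paths, partition offset and whitelist file are placeholders, plugin names are given in plaso's parser/plugin form (the page lists the bare plugin names), and DRY_RUN=1 prints each command instead of running it.

```shell
#!/usr/bin/env bash
# Added example (not the page's own commands): the memory + disk super
# timeline procedure as a script. Assumptions: Volatility 2 is vol.py, plaso
# is log2timeline.py / psort.py, The Sleuth Kit provides fls / mactime, the
# profile, paths, offset and whitelist are placeholders, and DRY_RUN=1 prints
# each command instead of running it.
set -eu

run() { printf '%s\n' "$*"; [ "${DRY_RUN:-0}" = "1" ] || "$@"; }
dry() { [ "${DRY_RUN:-0}" = "1" ]; }

# Step 1: timeliner, mftparser and shellbags in bodyfile format, then
# concatenated into a single memory bodyfile.
memory_bodyfile() {          # memory_bodyfile <mem.raw> <profile> <out.body>
    local mem=$1 profile=$2 out=$3 plugin
    for plugin in timeliner mftparser shellbags; do
        run vol.py -f "$mem" --profile="$profile" "$plugin" \
            --output=body --output-file="$out.$plugin"
    done
    dry || cat "$out.timeliner" "$out.mftparser" "$out.shellbags" > "$out"
}

# Step 2: disk artifacts from the E01 with only the listed parsers
# (parser/plugin naming is an assumption about plaso's --parsers syntax).
disk_plaso() {               # disk_plaso <image.E01> <out.plaso>
    run log2timeline.py --storage-file "$2" --parsers \
        "winevtx,winreg/bagmru,usnjrnl,prefetch,amcache,winreg/winreg_default,esedb/srum" "$1"
}

# Step 3: add the memory bodyfile to the same storage file with the mactime
# (bodyfile) parser, so both sources end up in one plaso store.
add_memory_to_plaso() {      # add_memory_to_plaso <memory.body> <storage.plaso>
    run log2timeline.py --storage-file "$2" --parsers mactime "$1"
}

# Step 4: sort everything into one CSV.
sort_to_csv() {              # sort_to_csv <storage.plaso> <out.csv>
    run psort.py -o l2tcsv -w "$2" "$1"
}

# Step 5: drop known-noise rows. The whitelist holds one fixed string per
# line (e.g. /Windows/WinSxS/); the CSV header row is always kept.
apply_whitelist() {          # apply_whitelist <timeline.csv> <whitelist.txt> -> stdout
    {
        IFS= read -r header && printf '%s\n' "$header"
        grep -v -i -F -f "$2" || [ $? -eq 1 ]   # exit 1 only means every row was noise
    } < "$1"
}

# Sleuth Kit variant of steps 2-4: a filesystem bodyfile from the image,
# merged with the memory bodyfile and rendered by mactime instead of plaso.
# OFFSET is the partition start in sectors (see mmls).
tsk_timeline() {             # tsk_timeline <image.E01> <offset> <memory.body> <out.csv>
    local image=$1 offset=$2 mem=$3 out=$4
    printf 'fls -r -m C: -o %s %s > %s.fs.body\n' "$offset" "$image" "$out"
    dry || fls -r -m C: -o "$offset" "$image" > "$out.fs.body"
    dry || cat "$out.fs.body" "$mem" > "$out.body"
    printf 'mactime -b %s.body -d -z UTC > %s\n' "$out" "$out"
    dry || mactime -b "$out.body" -d -z UTC > "$out"
}

main() {                     # main <mem.raw> <profile> <image.E01> <workdir>
    memory_bodyfile "$1" "$2" "$4/memory.body"
    disk_plaso "$3" "$4/super.plaso"
    add_memory_to_plaso "$4/memory.body" "$4/super.plaso"
    sort_to_csv "$4/super.plaso" "$4/super.csv"
    dry || apply_whitelist "$4/super.csv" whitelist.txt > "$4/super_filtered.csv"
}
[ $# -eq 0 ] || main "$@"
```

Run it as `./supertimeline.sh mem.raw Win7SP1x64 image.E01 /cases/out`. The whitelist is applied after sorting so the full CSV is kept; a fixed-string whitelist (grep -F) is deliberate, since paths such as `/Windows/WinSxS/` contain characters that would otherwise be read as regex metacharacters.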