To begin with, and if you're interested in following along with this tutorial, I've grabbed a copy of a compromised workstation which has kindly been provided by the ForensicKB blog. Everything you'll need to get started is available here
The first step of creating a forensic timeline varies greatly and depends much on the initial information you've been provided. Harlan Carvey, author of the Windows Forensic Analysis Toolkit books, recommends creating a timeline based on the 'minimalist approach', which allows the analyst to build their timeline layer by layer. Other analysts prefer the 'kitchen sink' method, as Harlan describes it, where an analyst dumps as much information as possible into the forensic timeline. As we'll be using many of Harlan's tools we'll build our timeline in layers, but still provide a large amount of information in our initial timeline dump. Let's start by generating an output file for the file system metadata.
For the majority of this tutorial we'll be using the timeline tools provided by Harlan here.
There are a number of ways we can do this and I'm going to go through two for the purpose of this tutorial. The first method, although not my chosen one, is using FTK Imager to produce a directory listing of our acquired image. We can load the downloaded image straight into FTK Imager, which hopefully we have some familiarity with after our previous introduction.
Select the File menu and then select 'Add Evidence Item'. Next select 'Image File', press Next and locate the image file you downloaded above by selecting the Browse button. Once you've selected your image press the 'Finish' button. By now you should see your forensic image and the contents of the drive listed underneath the Evidence Tree (expand the nodes to see the directories).
Highlight WinXP2.E01 underneath the evidence tree and then select the File menu again. Select the option 'Export Directory Listing' and save the output file to a location of your choice on your computer. On my computer this took five seconds to produce the output.
Now the reason why this method is not my chosen method is that although I can use this tool on a live system to provide a directory listing, I'm unable to run it remotely on a live system automatically via a batch script. There are options, however, to script FTK Imager against a local forensic image, which you should keep in mind when you have a hard drive to conduct investigations upon. There are additional tools that can assist running FTK against remote drives, such as F-Response, but these do come at a cost and I do not have experience in using them.
At this point I'd like to deviate slightly and walk through a second feature of FTK that we'll be using later in the tutorial. FTK has an ability to mount a drive to a drive letter on your computer. As we have a local image of the workstation we are investigating we can now mount this drive to a drive letter on our computer. What does this achieve? Well by doing this it allows us to run some of the timeline scripts later down the track against our mounted drive. To mount the drive within FTK select the File menu and then Image Mounting. If not already listed point the image location to your image file. See the following settings for assistance with mounting your own drive.
Let's move on and discuss the second method we have for producing a directory listing of our file system metadata.
The second method we have of producing our directory listing is using The Sleuth Kit toolset, or TSK for short, available here. In particular we'll be using the fls component to create our output file, or more specifically our bodyfile. After you've downloaded the tools, extract them to a location of your choice and navigate to that folder using a command prompt. Run the following command to produce your output file.
fls -i ewf -r -p -m C:/ "<Path-To-Image>\WinXP2.E01" > bodyfile.txt
The -i ewf option is needed because the downloaded image is in EnCase (EWF) format. The remaining options ask fls to recurse on directory entries (-r), display the full path for each file (-p) and display the output in mactime (bodyfile) input format with the given directory as the actual mount point of the image (-m). In this case, for the -m option we've given C:/ as the root of our paths.
The format of the bodyfile must be converted to TLN format before we can include this within our timeline. Fortunately Harlan has provided us with the tools to do this for us very easily. He has also provided the tools we need to convert FTK directory listing output.
Run the following command from the command prompt to convert the bodyfile to TLN format. In this command, -s specifies the computer name.
bodyfile.exe -f <Path-To-Bodyfile>\bodyfile.txt -s REG-OIP81M2WC8 > events.txt
In this case we've sent our output to the events file. We'll send a number of sources to this events file before converting it to our final timeline csv file.
As we've mounted our image in the prior steps we can now run other timeline tools against the mounted drive to add event sources to our events file. Let's walk through some of the other events of interest. In the following examples you'll notice that we output to the events file using '>>', which appends the command output to the contents already in the events file. This lets us add events to the file instead of overwriting what is already there, which is what a single '>' would do.
Use the following commands to add more events to your events file:
Windows event logs
evtparse.exe -d <MountLetter>:\WINDOWS\system32\config -t >> events.txt
Windows prefetch files
pref.exe -d "<MountLetter>:\WINDOWS\Prefetch" -s REG-OIP81M2WC8 -t >> events.txt
At this point we have an initial events file which includes file system metadata, Windows event logs and Windows prefetch files.
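To make the bodyfile-to-TLN conversion and the '>>' appending concrete, here is an added Python example of my own; it is not Harlan's bodyfile.exe, nor any other tool from his timeline kit. The five-field TLN layout (Time|Source|System|User|Description) is the format Harlan documents; the "FILE" source tag, the MACB flag string in the description (a dot marks a timestamp that differs from the others) and the three sample bodyfile lines are assumptions constructed for this example. It also sorts merged events into a timeline, which is the step the later conversion to a csv file performs.

```python
"""Convert TSK body-format lines (the fls -m output) into TLN events and merge them.

Added example, not Harlan Carvey's bodyfile.exe: the five-field TLN layout
(Time|Source|System|User|Description) matches his published format; the
"MACB" flag string in the description, the "FILE" source tag and the sample
input are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of `fls -i ewf -r -p -m C:/ <image>` output (body format, 11 fields):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|C:/WINDOWS/system32/config/system|1234-128-3|r/rrwxrwxrwx|0|0|5242880|1235440000|1235440000|1235440000|1200000000
0|C:/WINDOWS/Prefetch/NOTEPAD.EXE-336351A9.pf|2345-128-1|r/rrwxrwxrwx|0|0|12345|1235450000|1235449000|1235449000|1235449000
0|C:/Documents and Settings/user/Desktop/suspicious.exe|3456-128-1|r/rrwxrwxrwx|0|0|80000|1235460000|1235460000|1235460000|1235460000
this line is malformed and is skipped
"""

BODY_FIELD_COUNT = 11
TLN_SOURCE = "FILE"  # source tag for file system metadata events (assumed)


@dataclass(frozen=True)
class TlnEvent:
    time: int          # Unix epoch seconds, as in the bodyfile
    source: str
    host: str
    user: str
    description: str

    def to_line(self) -> str:
        return f"{self.time}|{self.source}|{self.host}|{self.user}|{self.description}"


def body_line_to_events(line: str, host: str, user: str = "") -> List[TlnEvent]:
    """Turn one body-format line into one TLN event per distinct timestamp.

    Identical timestamps collapse into a single event whose description carries
    MACB flags, so a file with equal modified/accessed/changed times yields
    'MAC.' plus a separate '...B' event for its creation time.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != BODY_FIELD_COUNT:
        raise ValueError(f"expected {BODY_FIELD_COUNT} fields, got {len(fields)}")
    name = fields[1]
    atime, mtime, ctime, crtime = (int(f) for f in fields[7:11])

    flags_by_time: Dict[int, Set[str]] = {}
    for flag, ts in (("M", mtime), ("A", atime), ("C", ctime), ("B", crtime)):
        if ts <= 0:  # fls writes 0 for an unset timestamp; no event for it
            continue
        flags_by_time.setdefault(ts, set()).add(flag)

    events = []
    for ts, flags in flags_by_time.items():
        macb = "".join(f if f in flags else "." for f in "MACB")
        events.append(TlnEvent(ts, TLN_SOURCE, host, user, f"{macb} {name}"))
    return events


def convert_bodyfile(text: str, host: str, user: str = "") -> Tuple[List[TlnEvent], int]:
    """Convert a whole bodyfile; malformed lines are counted and skipped, not fatal."""
    events: List[TlnEvent] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.extend(body_line_to_events(line, host, user))
        except ValueError:
            skipped += 1
    return events, skipped


def append_events(path: str, events: List[TlnEvent]) -> None:
    """Append to the events file, the same effect as redirecting with '>>'."""
    with open(path, "a", encoding="utf-8") as fh:
        for ev in events:
            fh.write(ev.to_line() + "\n")


def build_timeline(events: List[TlnEvent]) -> List[TlnEvent]:
    """Order events from any number of sources chronologically, dropping exact duplicates."""
    return sorted(set(events), key=lambda e: (e.time, e.source, e.description))


if __name__ == "__main__":
    evs, bad = convert_bodyfile(SAMPLE_BODYFILE, host="REG-OIP81M2WC8")
    print(f"{len(evs)} events, {bad} malformed line(s) skipped")
    for ev in build_timeline(evs):
        print(ev.to_line())
```

Running the script prints the five TLN events from the three sample files in time order, with the one malformed line reported rather than aborting the conversion; append_events mirrors the '>>' redirection used above, so output from several sources accumulates in one events file before build_timeline orders it.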
If we look back at this point to the initial case description, it mentions that the user noticed the computer was responding in an unusual manner and that support had seen a number of active connections via the Windows netstat command. What we need to identify is how those connections are created and which process could potentially be creating them.
There are a number of ways malware maintains persistence such as, but not limited to, the following:
- Registry keys
- DLL Search order hijacking
- Scheduled tasks
At this point we need to move onto RegRipper to gather this information and add it to our timeline. In Part 2 of this tutorial I'll be discussing how we do that and will provide further information on which RegRipper plugins we can use to gather this information.
I hope you've enjoyed Part 1 of the tutorial.