Using Harlan Carvey’s tools to create a timeline.
http://code.google.com/p/winforensicaanalysis/downloads/list
You must have Perl installed; at this time I have:
This is perl 5, version 12, subversion 4 (v5.12.4) built for MSWin32-x86-multi-thread
(with 9 registered patches, see perl -V for more detail)
Copyright 1987-2010, Larry Wall
Binary build 1205 [294981] provided by ActiveState http://www.ActiveState.com
Built Jun 20 2011 18:35:25
Directory of D:\FT\HC\tln_tools
11/07/2011 06:09 PM <DIR> .
11/07/2011 06:09 PM <DIR> ..
05/23/2011 09:53 AM 748,053 bodyfile.exe
08/09/2010 09:15 AM 2,088 bodyfile.pl
05/23/2011 09:54 AM 752,853 evtparse.exe
06/07/2010 12:57 PM 6,910 evtparse.pl
05/23/2011 09:54 AM 48,633 evtrpt.exe
06/10/2009 08:01 PM 6,349 evtrpt.pl
05/23/2011 09:54 AM 754,123 evtxparse.exe
08/17/2010 11:17 AM 3,746 evtxparse.pl
05/23/2011 12:13 PM 2,106 ftkparse.pl
05/23/2011 09:52 AM 374,784 p2x588.dll
06/08/2011 12:13 PM 4,039 parse.pl
05/23/2011 09:55 AM 753,190 pref.exe
12/16/2009 09:08 AM 7,274 pref.pl
07/23/2009 01:00 PM 3,816 recbin.pl
05/23/2011 09:52 AM 1,081,261 regtime.exe
05/23/2011 09:51 AM 2,675 regtime.pl
05/23/2011 09:57 AM 1,570,586 tln2.exe
05/03/2010 08:39 AM 9,109 tln2.pl
08/03/2010 01:48 PM 2,938 urlcache.pl
File dates from an image
D:\FT\sleuthkit\bin>mmls -t dos -i raw IMAGE.DD
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:01 0000000063 0062926604 0062926542 NTFS (0x07)
03: 00:02 0062926605 0073417049 0010490445 Win95 FAT32 Hidden (0x1C)
04: Meta 0073417050 0156296384 0082879335 Win95 Extended (0x0F)
05: Meta 0073417050 0073417050 0000000001 Extended Table (#1)
06: ----- 0073417050 0073417112 0000000063 Unallocated
07: 01:00 0073417113 0156296384 0082879272 NTFS (0x07)
08: ----- 0156296385 0156301487 0000005103 Unallocated
fls -o 63 -f ntfs -m c:/ -p -r IMAGE.DD > bodyfile
bodyfile.exe -s HOSTNAME -f bodyfile events.txt
From live machine
From FLS saved data
· First do the %COMPUTERNAME%-fls-body.fls - files from the C drive
This is a single command line
D:\FT\HC\tln_tools>bodyfile.exe -s %COMPUTERNAME% -f
D:\Mal-invest\7-nov\data\filedirs\%COMPUTERNAME%-fls-body.fls >> D:\Mal-invest\7-nov\tl\events.txt
· Then do the deleted files %COMPUTERNAME%-fls-deleted-body.fls
This is a single command line
D:\FT\HC\tln_tools>bodyfile.exe -s %COMPUTERNAME% -f
D:\Mal-invest\7-nov\data\filedirs\%COMPUTERNAME%-fls-deleted-body.fls >> D:\Mal-invest\7-nov\tl\events.txt
· Add items from the system event log %COMPUTERNAME%-sysevent.evt
D:\FT\HC\tln_tools>evtparse.pl -e d:\Mal-invest\7-nov\data\Event\%COMPUTERNAME%-sysevent.evt -t
>> D:\Mal-invest\7-nov\tl\events.txt
· Add items from the application event log %COMPUTERNAME%-appevent.evt
D:\FT\HC\tln_tools>evtparse.pl -e d:\Mal-invest\7-nov\data\Event\%COMPUTERNAME%-appevent.evt -t
>> D:\Mal-invest\7-nov\tl\events.txt
· Add items from the security logs %COMPUTERNAME%-secevent.evt
D:\FT\HC\tln_tools>evtparse.pl -e d:\Mal-invest\7-nov\data\Event\%COMPUTERNAME%-secevent.evt -t
>> D:\Mal-invest\7-nov\tl\events.txt
D:\FT\HC\tln_tools>regtime.exe
regtime v. 1.0.20110509
Traverse through a Registry hive file, listing all keys and their LastWrite
times. Output is displayed sorted by most recent time first, and is suitable
for use with TSK v3.0 fls and mactime
-m hive.........Hive file to prepend to key paths (use / separator, use _
or enclose in quotes if spaces in path)
-r hive.........Hive file to parse
-s name.........System name
-u name.........User name
-h..............Help (print this information)
Ex: C:>regtime -m HKEY_USER -r NTUSER.DAT
C:>regtime -m HKLM/System -r system
copyright 2011 Quantum Analytics Research, LLC
· Add the HKEY_User data
D:\FT\HC\tln_tools>regtime.exe -m HKEY_USER -s %COMPUTERNAME% -r
d:\Mal-invest\7-nov\data\Registry\-ntuser.dat >> D:\Mal-invest\7-nov\tl\events.txt
· Add the security / SAM data
D:\FT\HC\tln_tools>regtime.exe -s %COMPUTERNAME% -r d:\Mal-invest\7-nov\data\Registry\%COMPUTERNAME%-SAM.reg >> D:\Mal-invest\7-nov\tl\events.txt
· Add the Software hive
D:\FT\HC\tln_tools>regtime.exe -s %COMPUTERNAME% -r d:\Mal-invest\7-nov\data\Registry\%COMPUTERNAME%-SOFTWARE.reg >> D:\Mal-invest\7-nov\tl\events.txt
· Add the System hive
D:\FT\HC\tln_tools>regtime.exe -s %COMPUTERNAME% -r d:\Mal-invest\7-nov\data\Registry\%COMPUTERNAME%-SYSTEM.reg >> D:\Mal-invest\7-nov\tl\events.txt
pref [option]
Parse contents of XP/Vista Prefetch files/directory
-v ............parse Vista Prefetch files (default: XP)
-d directory...parse all files in directory
-f file........parse a single Prefetch file
-p ............list filepath strings (only with -f)
-i ............list volume information block data
-c ............Comma-separated (.csv) output (open in Excel)
Gets ONLY MAC times and runcount/last runtime
-t ............get .pf metadata in TLN format
-s server......add name of server to TLN ouput
-h ............Help (print this information)
Ex: C:\>pref -v -f <path_to_Pretch_file>
C:\>pref -d C:\Windows\Prefetch -c
**All times printed as GMT/UTC
copyright 2009 H. Carvey
D:\FT\HC\tln_tools>pref -d d:\Mal-invest\7-nov\data\Prefetch\ -s %COMPUTERNAME%
>> D:\Mal-invest\7-nov\tl\prefetch.txt
d:\Mal-invest\7-nov\data\Prefetch\WSCRIPT.EXE-09F74362.pf Fri Nov 4 19:16:05 2011 (2)
d:\Mal-invest\7-nov\data\Prefetch\XCOPY.EXE-01BBF7D7.pf Fri Nov 4 19:28:33 2011 (9)
d:\Mal-invest\7-nov\data\Prefetch\XCOPY.EXE-21FC761A.pf Fri Nov 4 16:37:01 2011 (22)
d:\Mal-invest\7-nov\data\Prefetch\XCOPY.EXE-24A5759D.pf Fri Nov 4 19:12:54 2011 (2)
d:\Mal-invest\7-nov\data\Prefetch\XCOPY.EXE-2EBC4D03.pf Fri Nov 4 19:03:36 2011 (6)
D:\FT\HC\tln_tools>pref -d d:\Mal-invest\7-nov\data\Prefetch\ -s %COMPUTERNAME% -t
>> D:\Mal-invest\7-nov\tl\events.txt
1320434165|PREF|%COMPUTERNAME%||WSCRIPT.EXE-09F74362.pf last run (2)
1320434913|PREF|%COMPUTERNAME%||XCOPY.EXE-01BBF7D7.pf last run (9)
1320424621|PREF|%COMPUTERNAME%||XCOPY.EXE-21FC761A.pf last run (22)
1320433974|PREF|%COMPUTERNAME%||XCOPY.EXE-24A5759D.pf last run (2)
1320433416|PREF|%COMPUTERNAME%||XCOPY.EXE-2EBC4D03.pf last run (6)
D:\FT\HC\tln_tools>urlcache.pl -f d:\Mal-invest\7-nov\data\History\History.IE5\index.dat
>> D:\Mal-invest\7-nov\tl\events.txt
# You must install the Win32::UrlCache Perl module first (use ppm install).
To add additional information
D:\FT\HC\tln_tools>parse.pl
parse [option]
Parse contents event file to produce a timeline; output goes to STDOUT
-f file........event file to be parsed; must be 5-field TLN
format
-c ............CSV output format (for opening in Excel), time in
YYYYMMDDhhmmss format
-r range ......range of dates, MM/DD/YYYY-MM/DD/YYYY format; time range of
00:00:00 is automatically added to the first date, and
23:59:59 is automatically added to the second date.
-h ............Help (print this information)
Ex: C:\>parse -f events.txt > timeline.txt
C:\>parse -f events.txt -r 02/12/2008-03/16/2008
C:\>parse -f events.txt -c > timeline.csv
**All times printed as GMT/UTC
copyright 2011 Quantum Analytics Research, LLC
· Create timeline for full range of data
D:\FT\HC\tln_tools>parse.pl -f d:\Mal-invest\7-nov\tl\events.txt >> d:\Mal-invest\7-nov\tl\timeline.txt
· Create timeline for date of interest
D:\FT\HC\tln_tools>parse.pl -f d:\Mal-invest\7-nov\tl\events.txt -r 11/01/2011-11/07/2011 > d:\Mal-invest\7-nov\tl\timeline-1nov.txt
Fri Nov 4 16:19:54 2011 Z
FILE %COMPUTERNAME% - M... [3072] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5:DG1__DS_DIR_HDR
FILE %COMPUTERNAME% - M... [0] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5:DG1__DS_VOL_CACHE_HDR
FILE %COMPUTERNAME% - M... [56] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5
FILE %COMPUTERNAME% - M... [3072] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/.:DG1__DS_DIR_HDR
FILE %COMPUTERNAME% - M... [0] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/.:DG1__DS_VOL_CACHE_HDR
FILE %COMPUTERNAME% - M..B [3072] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/MSHist012011110420111105:DG1__DS_DIR_HDR
FILE %COMPUTERNAME% - M..B [0] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/MSHist012011110420111105:DG1__DS_VOL_CACHE_HDR
FILE %COMPUTERNAME% - M..B [152] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/MSHist012011110420111105
FILE %COMPUTERNAME% - M..B [3072] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/MSHist012011110420111105/.:DG1__DS_DIR_HDR
FILE %COMPUTERNAME% - M..B [0] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/MSHist012011110420111105/.:DG1__DS_VOL_CACHE_HDR
FILE %COMPUTERNAME% - MA.B [32768] C:/Documents and Settings/Administrator/Local Settings/History/History.IE5/MSHist012011110420111105/index.dat
FILE %COMPUTERNAME% - ...B [3072] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI:DG1__DS_DIR_HDR
FILE %COMPUTERNAME% - ...B [0] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI:DG1__DS_VOL_CACHE_HDR
FILE %COMPUTERNAME% - ...B [56] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI
FILE %COMPUTERNAME% - ...B [3072] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI/.:DG1__DS_DIR_HDR
FILE %COMPUTERNAME% - ...B [0] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI/.:DG1__DS_VOL_CACHE_HDR
FILE %COMPUTERNAME% - MA.B [67] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI/desktop.ini
FILE %COMPUTERNAME% - M..B [12305] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/NB4UH3WI/desktop.rogers[1].htm
Fri Nov 4 16:19:51 2011 Z
FILE %COMPUTERNAME% - .A.. [122] C:/Documents and Settings/Administrator/Favorites/Desktop.ini
Fri Nov 4 16:19:50 2011 Z
FILE %COMPUTERNAME% - M..B [12305] C:/WINDOWS/system32/Microsoft/Protect/S-1-5-18/User/f0c833d5-c4c4-464d-af42-54c61be88c4e
FILE %COMPUTERNAME% - M.C. [24] C:/WINDOWS/system32/Microsoft/Protect/S-1-5-18/User/Preferred
FILE %COMPUTERNAME% - .A.. [68096] C:/WINDOWS/system32/shgina.dll
REG %COMPUTERNAME% - M... HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Digest/Hosts/digest01D70000n4d:digest01D70000n4d
Fri Nov 4 16:19:49 2011 Z
EVT ROGERS-4D6F667D N/A - W32Time/35;Info;time.windows.com (ntp.m|0x1|10.67.31.130:123->65.55.21.21:123)
Thu Nov 3 09:40:00 2011 Z
FILE %COMPUTERNAME% - ...B [7089637] C:/Program Files/Common Files/McAfee/Engine/avvclean.dat
FILE %COMPUTERNAME% - ...B [2587101] C:/Program Files/Common Files/McAfee/Engine/avvnames.dat
FILE %COMPUTERNAME% - ...B [173726621] C:/Program Files/Common Files/McAfee/Engine/avvscan.dat
Wed Nov 2 23:19:05 2011 Z
FILE %COMPUTERNAME% - ..C. [31286] C:/XPRSS/IMS/bin/Custom.ini
Wed Nov 2 23:17:52 2011 Z
FILE %COMPUTERNAME% - M... [31286] C:/XPRSS/IMS/bin/Custom.ini
Wed Nov 2 14:55:00 2011 Z
EMAIL %COMPUTERNAME% Sam Iam - SPAM Email