Bruce Nikkel timelines.pdf
Bruce Nikkel timelines.pdf
Bruce Nikkel timelines.pdf
Kartei Details
| Karten | 11 |
|---|---|
| Sprache | English |
| Kategorie | Informatik |
| Stufe | Universität |
| Erstellt / Aktualisiert | 20.06.2019 / 01.07.2020 |
| Weblink |
https://card2brain.ch/box/20190620_bruce_nikkel_timelines_pdf
|
| Einbinden |
<iframe src="https://card2brain.ch/box/20190620_bruce_nikkel_timelines_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
Why are timelines important in digital forensics and why are timelines used?
Timelines are used for:
- digital archaelogy
- reconstruction past events
- Used to answer questions of: Who, What, Where, When, How
- to understand what happend exactly
what can be is the problem with time stamps and what can be done against the problem?
We have a lot of differnt timestamps, this is very useful
- but accuracy is not always perfect
What can be done against this
- correlation with multiple other sources helps
What is the "correct" way to write numeric dates?
YYYY-MM-DD
What are the typical timestamps on a filesystem?
MACB
- Modify - last ime contents of a file where modified
- Access - last time contents of a file were accessed
- Change - last time attributes (inode or mft) were changed
- Birth - time the file was originally created
[MFT = managed file transfer]
What variations in time stamps can there be depending on the OS?
- Not all filesystems have a creation timestamp (not POSIX standard)
- Some filesystems have additional timestamps (HFS has a Backup timestamp)
- OS's can disable last accessed timestamps (Linux mount option, Windows registry key)
How can you build a timeline of a filesystem?
Sleuthkit's mactime tool
- creates a text based timeline, one line per timestamp
- takes "time machine" format as input
[bonus some commands]
Other Sluthkit commands generate "time machine" output:
- fls -m partition1 /dev/sda1
- fls -m partition2 /dev/sda2
- fls -m disk2 /dev/sdb1
- ils -m /dev/sda1
Piping into mactime creates timeline file for analysis:
- flag -d makes CSV output
- fls -r -m partition1 /dev/sda1 | mactime -d
- fls -r -m partition1 -o 2048 image.dd | mactime -d
- cat fls1.out fls2.out fls3.out | mactime -d
fls output from multiple filesystems can be in one singel timeline.
What are some of the chalanges when dealing with timestamps?
- clock drift, skew -> timestamps can be inacurate
- OS delays (non-realtime),
- granularity -> which file came before which, may not be clear.
- which timezone is the timestamp from -> problem in global investigations over multiple timezones
- summer/winter times (regions switch at differnt times)
- malicious changing of timestamps (anti-forensics, timestomp)
Sleuthkit has flags that can be used to adjust the time or the time zone.
Why should you never completely trust a timestamp?
There is always a possiblity of errors and anti-forensic activity.
What is a "supertimeline"?
A "supertimeline" brings timestamps from multiple sources together.
Name some sources for of timestamps that can be used in a supertimeline?
- filesystem timestamps (MACB)
- logs (syslog, MS event, application, firewall, AV)
- browser history, cookies, cache, bookmarks
- Windows registry
- email files
- office docs
- exif data (metadata from pics/vids)
- recycle/trash bins
- Win prefeth, restore, TLN, LNK files, other MS formats
- volatility output files
- captured network traffic (PCAP files)
Name a tool that can be used to generate a supertimeline.
log2time/plaso is a python supertimeline framework, has many parsers to extract timestamps from differnt file types.
