File: tl.html (from the autopsy 2.08-1 Debian source package)
<HTML>
<HEAD><TITLE>Autopsy Timeline Analysis Help</TITLE></HEAD>
<BODY BGCOLOR=#CCCC99>

<CENTER><H2>Timeline Mode</H2></CENTER>
<H3>Overview</H3>
<P>
For some investigations, a timeline of file activity is a useful
way to identify where the analysis should begin.  File times can be
modified by an attacker, so they cannot be trusted completely, but
Autopsy can still create timelines of file activity from the images
in a case.

<P>
Files have at least three times associated with them.  The details of
each time vary with the file system type.  

<P>
The following times exist for UNIX file systems (EXT2FS & FFS): 

<UL>
  <LI><B>Modified</B>: When the file data was last 
  modified.  This time can be set to any value using the utimes()
  function.  This time is also preserved in a 'tar' archive, so files
  extracted from an archive can have M-times earlier than the time
  they were introduced to the system.  

  <LI><B>Accessed</B>: When the file data was last
  accessed.  This time can be modified using the utimes() function.

  <LI><B>Changed</B>: When the file status (inode data)
  was last changed.  This time cannot be set to a chosen value with the
  utimes() function in UNIX, but a utimes() call that modifies the
  other times updates it to the current time, because that call
  itself changes the inode.
</UL>

The EXT2FS file system also has a Deleted time, but it is not displayed
in the timeline.
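<P>
As an added check on the point above (example code added here, not
part of Autopsy or of this help file), the following Python script
backdates the M- and A-times of a temporary file with utimes()
(Python's <TT>os.utime</TT>) and then reads the times back with
stat().  The M- and A-times come back exactly as requested, while the
C-time is the time of the utimes() call.  A C-time that is much newer
than the M-time is therefore the first thing to look for when an
M-time seems too old to be true.  The one-year offset and the
temporary file are assumptions of the example.

```python
import os
import tempfile
import time


def backdate_and_stat(seconds_back=365 * 24 * 3600):
    """Create a temporary file, push its M- and A-times into the past
    with utimes(), and return (requested_time, time_of_call, stat)
    so the caller can compare what was asked for with what the file
    system recorded.  The one-year offset is an arbitrary choice."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"example data\n")
        os.close(fd)
        before = time.time()
        past = int(before) - seconds_back
        # utimes(): sets atime and mtime to the given values.  The kernel
        # updates ctime to "now" as a side effect and offers no way to
        # set it to a chosen value.
        os.utime(path, (past, past))
        st = os.stat(path)
        return past, before, st
    finally:
        os.unlink(path)


def ctime_minus_mtime(st):
    """The heuristic: a file written only through normal means has
    M-time <= C-time, and usually the two are close.  A large positive
    gap (M-time far in the past, C-time recent) suggests the times
    were set explicitly after the data was written."""
    return st.st_ctime - st.st_mtime


def demo():
    """Run the check and report which times honoured the request."""
    past, before, st = backdate_and_stat()
    return {
        "requested": past,
        "mtime_honoured": int(st.st_mtime) == past,
        "atime_honoured": int(st.st_atime) == past,
        "ctime_is_now": st.st_ctime >= before - 1,
        "ctime_minus_mtime": ctime_minus_mtime(st),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is not conclusive: an attacker who moves the system clock
back before calling utimes(), or who writes to the inode on disk
directly, can produce any C-time, which is why the overview says these
times cannot be trusted completely.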

<P>
A FAT File system has the following times:
<UL>
  <LI><B>Written</B>: When the file was last written to.
  It is the ONLY required time in the FAT file system.

  <LI><B>Accessed</B>: When the file was last accessed.  In
  FAT, it is only accurate to the day (not minute).  It is an optional
  value, so some Operating Systems may not update it.

  <LI><B>Created</B>: When the file was created.  It is 
  also optional, so some Operating Systems may not update it.  In fact,
  many Windows installations have a C-Time of 0 for directories such as
  <TT>C:\Windows</TT> and <TT>C:\Program Files</TT>.  
</UL>

<P>
The NTFS File system has several times, only three of which are
used in the timeline.  These times are gathered from the
<TT>$STANDARD_INFORMATION</TT> attribute.  (NTFS keeps a second set
of times in the <TT>$FILE_NAME</TT> attribute, which is not used
here; comparing the two sets is a useful check when the
<TT>$STANDARD_INFORMATION</TT> times are suspected of having been
altered.)
<UL>
  <LI><B>Written</B>: When the file was last written to.

  <LI><B>Accessed</B>: When the file was last accessed.  

  <LI><B>Changed</B>: When the MFT entry was last modified.
</UL>


<H3>How to Create a Timeline</H3>
Creating a timeline takes two steps.  The first step extracts and
saves the needed meta-data from each file system image.  This step
stores the data from each specific file system in a generic format.
Historically (from TCT), this file was called the <TT>body</TT>
file.  The second step takes the <TT>body</TT> file as input and
generates an ASCII timeline of file activity between two specified
dates.  The resulting timeline can be viewed in Autopsy or using
a text editor.


<H3>Creating the Body File</H3>
The file meta-data must be extracted from the file system images and saved
to the <TT>body</TT> file.  There are three major types of files that data 
can be extracted for:  
<UL>
  <LI><B>Allocated Files</B>:
Files that are seen when doing an 'ls' or 'dir' in a directory.  In
other words, these are the files that have an allocated file name 
structure.  

  <LI><B>Unallocated Files</B>:
Files that have been deleted, and their file name structure still
exists in the parent directory.  Unallocated file name structures
are overwritten when new files are created in the same directory.
Files in this category will have a deleted name that points to a
meta data structure.  If the meta data structure is currently
allocated then the entry will say (realloc) next to it.

  <LI><B>Unallocated Inodes</B> (meta-data):
Files that have been deleted.  When a file is deleted, its meta-data
structure is updated to reflect this.   In general, the times
associated with the file are saved in the structure until it is
reallocated.  Therefore, files in this category will likely not have
the original file name, but they will still indicate when activity 
occurred.  Files in this category can also be found in the 
above Unallocated Files category if the file name structure still
exists.  Unallocated Inode entries in the timeline have 
<TT>&lt;IMG-dead-ADDR&gt;</TT> in the file name column.  


</UL>

<P>
To create the <TT>body</TT> file, select the images to analyze from
the list on top.  Next, select which types of data that you want to
extract.  By default all types are extracted.  Lastly, identify the 
name of the body file to create.  The file will be created in the
<TT>output</TT> directory and an entry will be added to the host config
file.   You will be given the option to calculate the MD5 value of
the new file.


<H3>Creating the Timeline</H3>
The next window allows one to create a timeline based on the newly
created <TT>body</TT> file.  Or, one can select the option from
the left-hand side menu.  The range of dates must be selected as
well as the name of the timeline file.  The resulting timeline will
use the time zone for the host. 

<P>
If the images are from a
UNIX file system, then the password and group files can be used to
change the UID and GID to actual names.  If the partition that holds
the root directory is one of the host's images, select it from the
pull-down list and Autopsy will find the <TT>/etc/passwd</TT> and
<TT>/etc/group</TT> file contents in it.

<P>
The timeline  will be created in the <TT>output</TT> directory.
You will be given the option to calculate the MD5 hash value of
the new file.

<H3>Viewing the Timeline</H3>
The timeline can be viewed in Autopsy.  Timelines tend to be very
large though and have thousands of lines.  HTML browsers cannot
handle tables of this size very well and typically have trouble
processing them.  Therefore, Autopsy only allows you to view the
timeline one month at a time.  It will likely be easier to open a
shell and examine the timeline in a text editor or pager such as
'less' or 'more'.

<P>
The 'summary' link will show a page that contains a monthly summary
of activity.  It shows how many events occurred in each month
and links to the details.  This allows one to get a high level 
view of when a lot of activity last occurred.  

<P>
The following columns are in the timeline (in order):
<UL>
  <LI><B>Date and time</B> of the activity.  If no date is given,
  then the activity occurred at the same time as the previous entry
  with a time.

  <LI><B>Size</B>.  The size of the file.

  <LI><B>Entry Type</B>.  The letters 'm', 'a', and 'c' identify
  which of the three times this entry corresponds to; a '.' is shown in
  place of a letter that does not apply, so 'm.c' means the M- and
  C-times (but not the A-time) fall at this instant.

  <LI><B>Mode</B>.  The UNIX mode is shown.

  <LI><B>UID</B>.  The User Id or User name is shown.  If a password
  file was provided when the timeline was created, then the column should
  only have names.  

  <LI><B>GID</B>.  The Group Id or Group name is shown.  If a group
  file was provided when the timeline was created, then the column should
  only have names.  

  <LI><B>Meta Data Address</B>.  The inode or MFT entry address for the 
  associated file.  

  <LI><B>File Name</B>.  The name of the file and the destination of a 
  symbolic link.  Deleted entries will have '(deleted)' at the end and 
  deleted entries that point to an allocated meta data structure will
  have '(realloc)'.  Entries that are for unallocated meta data structures
  have the following name format: &lt;IMG-dead-ADDR&gt;.  For example,
  <TT>&lt;hda1.dd-dead-334&gt;</TT>. 


</UL>
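<P>
To make the two steps and the columns above concrete, here is an
added Python example (not Autopsy's own Perl code, and not TSK's
body file format, which is replaced by constructed in-memory
records).  It starts from a few records of the kind the body file
step would produce, including a '(deleted)' name, a '(realloc)' name
and a '&lt;hda1.dd-dead-334&gt;' unallocated inode, and builds the
timeline for a date range: each file contributes one line per
distinct time, the m/a/c letters are combined when times coincide,
the date is left blank on a line whose time equals the previous
line's, and UID/GID are replaced by names read from constructed
passwd and group contents.  It also produces the per-month event
counts the 'summary' page shows.  The file names, inode numbers,
image name and times are made up, and the output is in UTC rather
than the host's time zone.

```python
from datetime import datetime, timezone

# Constructed sample records, standing in for what the body-file step
# extracts: one entry per file name / meta-data address.  This layout
# is an assumption for the example, not TSK's body-file format.  Times
# are UTC epoch seconds; a real timeline would use the host's time zone.
RECORDS = [
    {"name": "/etc/passwd", "meta": 3001, "mode": "-rw-r--r--",
     "uid": 0, "gid": 0, "size": 1264,
     "mtime": 1104624000, "atime": 1104710400, "ctime": 1104624000},
    {"name": "/home/jdoe/notes.txt (realloc)", "meta": 2048, "mode": "-rw-r--r--",
     "uid": 500, "gid": 100, "size": 812,
     "mtime": 1104714000, "atime": 1104714000, "ctime": 1104714000},
    {"name": "/tmp/.x/bd (deleted)", "meta": 5120, "mode": "-rwxr-xr-x",
     "uid": 0, "gid": 0, "size": 48260,
     "mtime": 1104714000, "atime": 1104714000, "ctime": 1104714000},
    # Unallocated inode with no surviving name: the <IMG-dead-ADDR> form.
    {"name": "<hda1.dd-dead-334>", "meta": 334, "mode": "-rw-------",
     "uid": 500, "gid": 100, "size": 0,
     "mtime": 1104796800, "atime": 1104796800, "ctime": 1104796800},
]

# Constructed /etc/passwd and /etc/group contents from the suspect image.
PASSWD = "root:x:0:0:root:/root:/bin/bash\njdoe:x:500:100:John Doe:/home/jdoe:/bin/bash\n"
GROUP = "root:x:0:\nusers:x:100:\n"

TIMES = (("m", "mtime"), ("a", "atime"), ("c", "ctime"))


def parse_ids(text):
    """Map numeric id -> name from 'name:x:id:...' lines (passwd or group)."""
    names = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            names[int(parts[2])] = parts[0]
    return names


def events_for(record):
    """Yield (time, letters) for each distinct time of a record.  'm.c'
    means the M- and C-times fall at that instant and the A-time differs."""
    for t in sorted({record[key] for _, key in TIMES}):
        letters = "".join(ch if record[key] == t else "." for ch, key in TIMES)
        yield t, letters


def build_timeline(records, start, end, passwd=None, group=None):
    """Return timeline lines for events with start <= time <= end.
    Columns: date/time, size, m/a/c, mode, UID, GID, meta address, name.
    The date is blanked when it equals the previous line's."""
    users = parse_ids(passwd) if passwd else {}
    groups = parse_ids(group) if group else {}
    events = [(t, letters, r) for r in records for t, letters in events_for(r)
              if start <= t <= end]
    events.sort(key=lambda e: (e[0], e[2]["name"]))
    lines, last = [], None
    for t, letters, r in events:
        stamp = "" if t == last else datetime.fromtimestamp(
            t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        last = t
        lines.append("%-24s %8d %s %s %-6s %-6s %6d %s" % (
            stamp, r["size"], letters, r["mode"],
            users.get(r["uid"], str(r["uid"])), groups.get(r["gid"], str(r["gid"])),
            r["meta"], r["name"]))
    return lines


def monthly_summary(records):
    """Count events per month, as the 'summary' page does."""
    counts = {}
    for r in records:
        for t, _ in events_for(r):
            month = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m")
            counts[month] = counts.get(month, 0) + 1
    return counts


if __name__ == "__main__":
    # Jan 1 2005 00:00:00 UTC to Jan 3 2005 23:59:59 UTC: the dead inode
    # dated Jan 4 falls outside the range and is left out.
    for line in build_timeline(RECORDS, 1104537600, 1104796799, PASSWD, GROUP):
        print(line)
    print(monthly_summary(RECORDS))
```

Reading the output the way the column list describes: the two
entries at Jan 3 01:00 share one timestamp, so the second line has a
blank date, and both carry 'mac' because all three times of those
files coincide, which is what a freshly written file looks like and
what a wholesale timestamp reset also looks like.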

<HR>
<FONT SIZE=0>Brian Carrier</FONT>
</BODY></HTML>