1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
File Activity Timelines
Sleuth Kit Reference Document
http://www.sleuthkit.org
Brian Carrier
Last Updated: June 2003
INTRODUCTION
=======================================================================
Creating a timeline of file activity will give an investigator
clues regarding where to probe further. This document will describe
how to generate one using The Sleuth Kit. The timelines in The Sleuth
Kit allow one to quickly get a high-level look at system activity,
such as when files were compiled and when archives were opened.
BACKGROUND
=======================================================================
Many files and directories have times associated with them. The
quantity and description of which depend on the file system type.
FFS file systems have a Modified, Accessed, and Changed time
associated with them. EXT2FS file systems have a Modified, Accessed,
Changed, and Deleted time. FAT stores the Written, Accessed, and
Created time, although by spec the Created and Access times are
optional and the Access time is only accurate to the day.
TIMELINE CREATION
=======================================================================
The creation of a file activity timeline in The Sleuth Kit has
three phases.
1. Gather file data. Using the 'fls' tool, the data associated with
allocated and some unallocated files can be gathered. To do this
requires the '-m' argument with the '-r' flag to gather all files.
This needs to be done for each partition image.
# fls -f openbsd -m / -r images/root.dd > data/body
# fls -f openbsd -m /var/ -r images/var.dd >> data/body
# fls -f openbsd -m /usr/ -r images/usr.dd >> data/body
NOTE: Some systems delete the link between deleted file names and
meta data, such as Solaris, so only information about allocated
files will be useful.
NOTE: This replaces the actions of 'grave-robber -m' in TCT. The
'mac-robber' tool (on the www.sleuthkit.org web site) can also be
used to gather allocated file data on a mounted file system.
'mac-robber' is useful for file systems where tools do not exist
(such as AIX jfs).
2. Gather unallocated meta data. Using the 'ils' tool, the data
associated with unallocated meta data can be gathered. When files
are deleted, the times associated with the file are updated.
Although many times we may not be able to link the original name
to the meta data, it will still give some clue with respect to when
activity occurred. This uses the '-m' flag of 'ils'.
# ils -f openbsd -m images/root.dd >> data/body
# ils -f openbsd -m images/var.dd >> data/body
# ils -f openbsd -m images/usr.dd >> data/body
NOTE: Because of the way that FAT stores time, the timezone is
needed while executing 'ils'. If you will be giving 'mactime' a
timezone to use then set the TZ environment variable:
# set TZ=EST5EDT
3. Format the data nicely. The 'body' file now needs to be run
through the 'mactime' program to sort it and make it organized.
# mactime -b data/body 3/01/2002 > tl.03.01.2002
The above command generates a timeline of file activity from the
previously created data/body file for all activity starting in
March. If the /etc/passwd or /etc/group files are known, they can
be specified using the '-p' and '-g' flags. Otherwise the numerical
values will be displayed. The '-z' flag can be used to specify
the time zone.
# mactime -b data/body -p data/passwd -g data/group 3/01/2002
> tl.03.01.2002
The output format has changed slightly since the 'mactime' in TCT. The
inode value is now displayed in a separate column. Previously it was
not displayed.
Some example outputs of mactime will now be shown. The next two
entries are for a deleted socket in an EXT2FS image:
Wed Mar 20 2002 16:56:12 0 ..c s/srwxrwxr-x 500 500 127 /tmp/socket1 (deleted)
0 ..c srwxrwxr-x 500 500 127 <linux.dd-dead-127>
The first is the 'fls' entry and the second is the corresponding
entry from 'ils'. While it may seem redundant to show both, many
times 'fls' will not show the deleted file name because the entry
has been reallocated. Therefore, just the 'ils' dead entry will
appear and the investigator will not know the original path location.
The first 0 is the file size. The "..c" string means that this
entry is for the "Change" value. The dots are replaced with 'm'
or 'a' for other entry types (deleted entries are not created for
EXT2FS). The next string is the file system mode. The entries
from 'fls' will have the directory entry type first, followed by
a slash and the mode from the inode entry. 'ils' entries will only
have the inode mode. The next two are the UID and GID (or names
if the group and passwd file are specified), followed by the inode.
The final entry is the file name (or <IMG-dead-#> for unallocated
inodes).
The next two are for file that is deleted, but the inode that the
directory entry points to is deleted.
Fri Aug 23 2002 16:56:12 11 .a. l/-rw-r--r-- 0 0 34689 /tmp/file1 (deleted-realloc)
11 .a. -/-rw-r--r-- 0 0 34689 /etc/sysconfig/desktop
This can be see because they are both entries for the deleted file
(tmp/file1) and the allocated file (desktop), which have the same
inode (34689). It can also be seen because the deleted entry has
different values for the file type (l and -).
If you are going to include the resulting timeline in a document,
then it maybe better to supply the '-d' argument to output in comma
delimited format. The resulting timeline can then be imported into
a spread sheet and included as a table.
The '-i' option to 'mactime' creates an index summary file, including
how many hits were found per day or hour. Using '-d' with '-i'
allows one to easily import data into a spread sheet that can be
graphed to spot suspicious behavior.
# mactime -b data/body -d -i hour data/tl-hour-sum.txt > data/timeline.txt
TIME SKEW
=======================================================================
The time skew of the system can also be taken into consideration.
Using the '-s' argument to 'fls' and 'ils', the intermediate body
file can have the adjusted times so that the system is consistent
with other servers.
The argument reflects the skew in seconds. If the original system
was 100 seconds slower than NTP or some other 'main' server, then
the argument would be '-s -100'. If it were 145 seconds fast, then
it would be '-s 145'.
AUTOPSY
=======================================================================
The Autopsy Forensic Browser is a graphical interface to The Sleuth
Kit and it can automate the process of creating and viewing a time
line.
http://www.sleuthkit.org/autopsy
-----------------------------------------------------------------------
Copyright (c) 2002-2003 by Brian Carrier. All Rights Reserved
CVS Date: $Date: 2005/01/17 22:40:16 $
|
