
Timeline Analysis Geoff Black, EnCE, SnortCP Senior Forensic Consultant Professional Services Division Guidance Software, Inc.

Upload: donald-payne

Post on 02-Jan-2016


TRANSCRIPT

Page 1

Timeline Analysis

Geoff Black, EnCE, SnortCP, Senior Forensic Consultant, Professional Services Division, Guidance Software, Inc.

Page 2

Usage Scenarios

Intrusion mapping

Spyware / Malware file dropping

Suspect activity

File activity

Registry Keys

Email times

Web history

Page 3

The Common (And Wrong) Way

Many investigators do not conduct proper timeline analysis

EnCase does not give the user an easy method to accomplish this

Within Table View you can only add secondary sort columns

These only sort when the first column has identical data

NOT a unified linear timeline

Page 4

The Built-in Alternative

Timeline View gives a decent overview, but it is cumbersome and not at all user-friendly

Page 5

Proper Method: Unified Linear Timeline

Considers each date field individually

Not locked into sorting a single field

Does not base a second sort on the value of the first field

Completely linear across all date fields

The end result is that an entry can be listed multiple times in the timeline, once for each date field

Page 6

Hands-On Lab

Check your time settings:

Lab machine TZ (the zone the examiner's workstation, and by default EnCase, displays times in)

Evidence TZ (the zone the subject system was configured to use)

Locate an interesting event

Select a date/time range around the event

Run Timeline Report EnScript & examine results

Use Selected Files to narrow your search if necessary
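The unified linear timeline from Page 5 and the lab steps above (normalise lab and evidence time zones, pick an interesting event, select a window around it, optionally restrict to selected files), as an added Python example. This is not the deck's Timeline Report EnScript and not EnCase code; the file entries, the UTC-5 evidence time zone and the UTC-8 lab time zone are constructed sample data and assumptions chosen for illustration.

```python
"""Unified linear timeline: one row per date field, sorted across all fields.

Added example in Python; not the Timeline Report EnScript from the deck.
Entries, the evidence time zone (UTC-5) and the lab time zone (UTC-8) are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

EVIDENCE_TZ = timezone(timedelta(hours=-5))   # assumption: subject system ran at UTC-5
LAB_TZ = timezone(timedelta(hours=-8))        # assumption: examiner workstation at UTC-8
DATE_FIELDS = ("created", "written", "accessed", "entry_modified")

# Constructed sample entries; times are naive local times of the evidence machine.
SAMPLE_ENTRIES = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "created": "2015-07-10 08:00:00", "written": "2015-07-10 08:00:00",
     "accessed": "2015-12-01 09:15:00", "entry_modified": "2015-07-10 08:00:00"},
    {"path": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
     "created": "2015-12-01 09:15:30", "written": "2015-11-20 14:02:00",
     "accessed": "2015-12-01 09:15:31", "entry_modified": "2015-12-01 09:15:30"},
    {"path": r"C:\Users\bob\NTUSER.DAT",
     "created": "2015-06-01 12:00:00", "written": "2015-12-01 09:16:05",
     "accessed": "2015-12-01 09:16:05", "entry_modified": "2015-12-01 09:16:05"},
]


def parse_evidence_time(text, tz=EVIDENCE_TZ):
    """Read 'YYYY-MM-DD HH:MM:SS' as evidence-local time; return aware UTC."""
    local = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def unified_timeline(entries, fields=DATE_FIELDS, tz=EVIDENCE_TZ, selected=None):
    """Emit (utc_time, field, path) once per populated date field, sorted as
    one linear sequence, so an entry can appear up to len(fields) times.
    `selected` optionally restricts to a set of paths (the deck's Selected Files)."""
    rows = []
    for entry in entries:
        if selected is not None and entry["path"] not in selected:
            continue
        for field in fields:
            if entry.get(field):
                rows.append((parse_evidence_time(entry[field], tz), field, entry["path"]))
    # Sort on the timestamp alone; path and field only break exact ties.
    rows.sort(key=lambda r: (r[0], r[2], r[1]))
    return rows


def window(rows, pivot, before=timedelta(minutes=1), after=timedelta(minutes=1)):
    """Keep rows within [pivot - before, pivot + after]."""
    return [r for r in rows if pivot - before <= r[0] <= pivot + after]


def render(rows, display_tz=timezone.utc):
    """Format rows in an explicitly chosen zone rather than whatever the lab box is set to."""
    return "\n".join(f"{ts.astimezone(display_tz).isoformat()}  {field:<15} {path}"
                     for ts, field, path in rows)


if __name__ == "__main__":
    timeline = unified_timeline(SAMPLE_ENTRIES)
    pivot = parse_evidence_time("2015-12-01 09:15:30")   # the interesting event
    print(render(window(timeline, pivot), display_tz=EVIDENCE_TZ))
```

Note that the dropper shows up three times inside the one-minute window (created, accessed and entry-modified) while its written time lands weeks earlier, which is exactly the kind of pattern a single-column sort would hide. Every timestamp is converted to UTC before sorting, so rows from the evidence zone and from the lab zone never get interleaved incorrectly.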

Page 7

Timeline Report Download

http://www.geoffblack.com/forensics/

Page 8

Detecting Timestamp Anomalies

The MFT stores two sets of dates for each entry

Standard Information Attribute ($STANDARD_INFORMATION; the timestamps Windows and EnCase display)

File Name Attribute ($FILE_NAME)

Anti-forensics tools modify timestamps

TimeStomp / FileTouch / FileTouchdotNET

Popular theories for detection

[Figure: MFT Entry Record Structure. MFT Entry Header | Standard Information Attribute | File Name Attribute | Remainder of Record]

Page 9

Detecting Timestamp Anomalies

Popular theory: TimeStomp writes low-precision timestamps (whole seconds, with the sub-second portion zeroed)

Problem: so does just about every major installation routine

Page 10

Detecting Timestamp Anomalies

Popular theory: in an unaltered entry the File Name Attribute times will always be earlier than (or, at creation, equal to) the Standard Information Attribute times

Problem: on an ordinary, well-used drive, expect up to 50% of entries where the FN timestamp is more recent than the SI timestamp without any manual alteration

Page 11

Detecting Timestamp Anomalies

Detection through attribute comparison or timestamp precision is not reliable

The only currently reliable method is to identify a known timestamp-altering tool on the system
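The two heuristics from Pages 9 and 10 (whole-second $STANDARD_INFORMATION stamps; $FILE_NAME newer than $STANDARD_INFORMATION) and the known-tool check from Page 11, run over constructed MFT-style records in an added Python example. This is not code from the deck or from any tool it names; the records are made up to show one true positive and the two kinds of false positive the slides describe, the FILETIME decoding is the standard Windows 100 ns tick format, and the file names in KNOWN_TOOL_NAMES are assumed examples to extend from your own indicator list.

```python
"""Timestamp-anomaly heuristics over constructed MFT-style records.

Added example, not from the original deck or from any tool it names.
Timestamps are Windows FILETIME values: 100 ns ticks since 1601-01-01 UTC.
Records below are made up to show one true positive and the two kinds of
false positive the slides describe.
"""
import ntpath
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME resolution is 100 ns
KEYS = ("created", "modified", "accessed", "mft_modified")

# Assumed file names of timestamp-altering tools; extend from your own IOC list.
KNOWN_TOOL_NAMES = {"timestomp.exe", "filetouch.exe"}


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME integer (microsecond precision)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(filetime):
    """FILETIME integer -> aware UTC datetime (drops the last 100 ns digit)."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def ft(y, mo, d, h, mi, s, us=0):
    """Shorthand for building constructed FILETIME values."""
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc))


def has_subsecond(filetime):
    """True when the stamp carries a non-zero fractional second."""
    return filetime % TICKS_PER_SECOND != 0


RECORDS = [
    # True positive: a SetFileTime-style tool rewrote $SI to a round 2012 date;
    # $FN, which that API does not touch, still holds the real 2015 drop time.
    {"path": r"C:\Windows\Temp\svc.exe",
     "si": {k: ft(2012, 1, 1, 0, 0, 0) for k in KEYS},
     "fn": {k: ft(2015, 12, 1, 9, 15, 30, 123456) for k in KEYS}},
    # False positive for the precision heuristic: the installer wrote
    # whole-second stamps to both attributes, as the deck says installers do.
    {"path": r"C:\Program Files\Vendor\app.dll",
     "si": {k: ft(2014, 3, 5, 10, 0, 0) for k in KEYS},
     "fn": {k: ft(2014, 3, 5, 10, 0, 0) for k in KEYS}},
    # False positive for the FN-vs-SI heuristic: a copy preserved the source
    # file's old modified time in $SI, while $FN records when this copy was made.
    {"path": r"C:\Users\bob\Documents\report.pdf",
     "si": {"created": ft(2015, 12, 1, 9, 16, 5, 250000),
            "modified": ft(2013, 2, 14, 17, 30, 12, 5000),
            "accessed": ft(2015, 12, 1, 9, 16, 5, 250000),
            "mft_modified": ft(2015, 12, 1, 9, 16, 5, 250000)},
     "fn": {k: ft(2015, 12, 1, 9, 16, 5, 250000) for k in KEYS}},
    # Ordinary file edited in place: sub-second stamps, $FN never newer than $SI.
    {"path": r"C:\Users\bob\Documents\notes.txt",
     "si": {"created": ft(2015, 6, 1, 12, 0, 0, 500000),
            "modified": ft(2015, 11, 20, 14, 2, 0, 750000),
            "accessed": ft(2015, 11, 20, 14, 2, 0, 750000),
            "mft_modified": ft(2015, 11, 20, 14, 2, 0, 750000)},
     "fn": {k: ft(2015, 6, 1, 12, 0, 0, 500000) for k in KEYS}},
]


def analyze(record):
    """Return the heuristic flags raised for one record, in a fixed order."""
    si, fn = record["si"], record["fn"]
    flags = []
    # Heuristic 1 (Page 9): every $SI stamp is a whole second.
    if not any(has_subsecond(v) for v in si.values()):
        flags.append("si_low_precision")
    # Heuristic 2 (Page 10): some $FN stamp is newer than its $SI counterpart.
    if any(fn[k] > si[k] for k in KEYS):
        flags.append("fn_newer_than_si")
    return flags


def known_tool_present(paths):
    """Page 11: the reliable indicator is a known tool on the system."""
    return any(ntpath.basename(p).lower() in KNOWN_TOOL_NAMES for p in paths)


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['path']:<40} {analyze(r) or 'no flags'}")
    print("known tool on disk:", known_tool_present([r["path"] for r in RECORDS]))
```

Both heuristics fire on the stomped executable, but each also fires on a benign record, which is the deck's point: use them to prioritise entries for review, not as proof of tampering, and treat a recovered TimeStomp or FileTouch binary (or its execution artefacts) as the evidence that actually holds up.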

Page 12

Virtual Private Computing - MojoPac

Page 13

Timeline Analysis

Geoff Black, EnCE, SnortCP, Senior Forensic Consultant, Professional Services Division, Guidance Software, Inc.