For the second time I had the opportunity to sit through a session taught by Rob Lee. If you have not had the chance to learn from Rob or hear him speak you are missing out. The crowds seem to follow Rob and this session was no different. Within minutes the largest session room at the conference was full and people were sitting in the back of the room.
Rob started off by talking about what forensic investigators need to accomplish before they can be proficient in advanced timeline analysis. For the second day in a row I give my quote of the day to Rob. He used the phrase “conversational forensics”. I knew exactly what he meant by that phrase before he defined it. “Conversational forensics” means you have the ability to talk shop with someone else in this industry easily and fluently. If you were to start talking about a case you were having issues with, would you be able to explain where you have looked within the case and have a conversation about specific prefetch files, .lnk files, or UserAssist entries? Until you can freely converse in forensic terms, with the ability to walk or talk through a specific case, you do not have the skill set of “conversational forensics”. This tidbit is neither here nor there, but it gives you an idea of how much knowledge you really do need to perform advanced timeline analysis.
To be successful with advanced time line analysis Rob believes you need to be proficient in three areas:
file system data
When you are dealing with logs from a system or server it can feel overwhelming when you pull them up for the first time. If you have seen a 2-5 GB log file you know what I mean. Trying to find the time stamps and files involved in your investigation is like trying to find 2-5 specific grains of sand on a beach. Since there is a vast amount of data to be sorted through, it is a good idea to find a “pivot point”. This pivot point could be a point in time or an event, but it gives you somewhere to start. Examples of pivot points may be:
Time of an incident
Network activity (specific packets leaving)
Process Activity aka Memory Analysis
Name of a File – ex: topsecret.pdf
Type of File lost or accessed
Activity – USB keys, downloads, or file wiping
With regards to file wiping, food for thought here: how do you wipe the WIPER? I ask this because Rob explained very well that anti-forensics will always exist, but it never covers all of its tracks; the wiping tool itself leaves evidence of having been run, such as a prefetch file or a UserAssist entry. Even the most advanced adversaries can’t hide everything perfectly.
Once you have your “pivot point” there are several steps you can follow to make your job easier: determine the scope of your investigation, narrow your pivot points, determine best practice, filter your timeline, and finally analyze the timeline. If you don’t have a timeline analysis tool, Rob suggested log2timeline; just google it and you’ll find it. As a teaser he also mentioned that the new SIFT workstation may include these tools sometime soon.
Once you feel you have found your data you need to prove, or show, four things: the date of involvement, the artifact involved, the action recorded by the artifact, and the source of the artifact. This ensures that you can explain where, what, and how this happened.
If you were looking for a breach where top secret files were loaded onto a USB drive by a current employee, you can obtain certain information to start your analysis. When was the file first seen, and how does that line up with this user’s logon time stamps? You can then narrow this down further by finding UserAssist entries (which record the executables the user ran) along with the USB device artifacts. Once you can determine a time when a USB device was inserted and logged by the system, you can look for LNK entries that show your specific files being opened during that window.
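As an added illustration of the pivot-point workflow (scope, narrow, filter, analyze) and of the USB scenario just described, here is a small Python script of my own. It is not something Rob presented and not a log2timeline feature. It reads a constructed, simplified timeline in log2timeline-style columns (date, time, timezone, source, sourcetype, type, user, short, desc), takes the first USB insertion artifact as the pivot, keeps only the events in a window around it, and then pulls out the LNK and $MFT events for the file of interest, the UserAssist executions in that window, and the logon session that brackets the pivot. Every row, user name, path, device and time in it is made up for the example; the four fields in each summary are the date, artifact, action and source the post says you must be able to show.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample super-timeline (not real evidence): log2timeline-style
# columns, trimmed to the ones used here. All times are UTC.
SAMPLE_TIMELINE = """\
date,time,timezone,source,sourcetype,type,user,short,desc
03/14/2012,08:02:11,UTC,EVT,Security,Logon,jdoe,Logon (4624) jdoe,Successful logon for jdoe
03/14/2012,09:40:03,UTC,REG,UserAssist,Last Time Executed,jdoe,explorer.exe,UserAssist entry for explorer.exe
03/14/2012,13:15:42,UTC,LOG,setupapi.dev.log,Device Install,,USBSTOR\\Disk&Ven_Kingston,Device install USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler
03/14/2012,13:16:05,UTC,REG,USBSTOR,Last Written,,Disk&Ven_Kingston&Prod_DataTraveler,USBSTOR key for the device (first insertion)
03/14/2012,13:17:30,UTC,REG,UserAssist,Last Time Executed,jdoe,AcroRd32.exe,UserAssist entry for AcroRd32.exe
03/14/2012,13:18:12,UTC,LNK,Shortcut,File Opened,jdoe,topsecret.pdf.lnk,LNK target E:\\topsecret.pdf on removable volume 1A2B-3C4D
03/14/2012,13:19:47,UTC,FILE,NTFS $MFT,Last Access,jdoe,topsecret.pdf,C:\\Users\\jdoe\\Documents\\topsecret.pdf
03/14/2012,17:58:09,UTC,EVT,Security,Logoff,jdoe,Logoff (4634) jdoe,Logoff for jdoe
03/15/2012,08:05:22,UTC,EVT,Security,Logon,jdoe,Logon (4624) jdoe,Successful logon for jdoe
"""


def parse_timeline(text):
    """Parse the CSV and attach a datetime to each row, sorted oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def usb_insertion(row):
    # Evidence of a removable device being attached: the USBSTOR registry key
    # or a setupapi device-install line (sourcetype values as constructed above).
    return row["sourcetype"] in ("USBSTOR", "setupapi.dev.log")


def window(rows, pivot_ts, before=timedelta(minutes=5), after=timedelta(minutes=30)):
    """Narrow the timeline to a window around the pivot (step: filter)."""
    lo, hi = pivot_ts - before, pivot_ts + after
    return [r for r in rows if lo <= r["ts"] <= hi]


def file_touch_events(rows, filename):
    """Any artifact naming the file of interest: LNK, $MFT, prefetch, etc."""
    name = filename.lower()
    return [r for r in rows if name in r["short"].lower() or name in r["desc"].lower()]


def session_for(rows, ts, user):
    """Return (logon, logoff) timestamps for the user's session containing ts."""
    logon = [r for r in rows if r["type"] == "Logon" and r["user"] == user and r["ts"] <= ts]
    logoff = [r for r in rows if r["type"] == "Logoff" and r["user"] == user and r["ts"] >= ts]
    if not logon:
        return None
    return (logon[-1]["ts"], logoff[0]["ts"] if logoff else None)


def summarize(row):
    # The four things to show: date of involvement, artifact, action, source.
    return {"date": row["ts"].isoformat(sep=" "), "artifact": row["short"],
            "action": row["type"], "source": f"{row['source']}/{row['sourcetype']}"}


def investigate(text, filename, user):
    """Pivot on the first USB insertion, then correlate file, execution and logon evidence."""
    rows = parse_timeline(text)
    pivots = [r for r in rows if usb_insertion(r)]
    if not pivots:
        return {"pivot": None, "session": None, "file_events": [], "executions": []}
    pivot = pivots[0]
    scoped = window(rows, pivot["ts"])
    return {"pivot": summarize(pivot),
            "session": session_for(rows, pivot["ts"], user),
            "file_events": [summarize(r) for r in file_touch_events(scoped, filename)],
            "executions": [summarize(r) for r in scoped if r["sourcetype"] == "UserAssist"]}


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(SAMPLE_TIMELINE, "topsecret.pdf", "jdoe"), indent=2, default=str))
```

On the constructed data the pivot is the setupapi device-install line at 13:15:42, the window catches the AcroRd32.exe UserAssist entry, the LNK pointing at the file on the removable volume and the $MFT last-access update, and the pivot falls inside jdoe's 08:02 to 17:58 logon session. Against a real log2timeline export you would widen or shift the window, pivot on the USBSTOR key's own time stamps rather than the first match, and check the volume serial in the LNK against the device, but the shape of the workflow is the same.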
By no means is this blog post going to provide as much detail as Rob did, but it gives you an idea of the complexity of timeline analysis and the knowledge it takes to think outside the box and find that single grain of sand for your investigation.
Computer/Mobile Forensic Examiner