Friday, July 16, 2010

Stop, Children, What’s That Sound?

In a previous post, I outed myself as an unrepentant SANS cheerleader.  To expand a bit on that full disclosure, it would be appropriate to point out that I will be acting as Rob Lee’s teaching assistant for SEC408 at SANS Network Security 2010, which will be held in Las Vegas from September 20th through the 25th.  I have a passion for teaching and presenting, so I’m looking forward to this opportunity.

With that out of the way, I recently completed both SEC408 and SEC508.  I won’t bother with a review of either course because you can guess what I thought of them.  I think the SEC408/508 material is some of the best digital forensics training that I’ve ever run across.   I consider SEC408 and SEC508 to essentially be two parts of the same class.  I would strongly encourage even those who are experienced forensicators to consider taking SEC408 before taking SEC508.  SANS has put together a very nice assessment test for people to determine what courses they would best benefit from.  While it’s entirely possible that someone could already have SEC408 knowledge and not need to take the course before 508, I learned quite a bit from the SEC408 course.

SEC408 provided me with additional knowledge in areas that I already had a pretty decent grasp of such as browser forensics.  It was an excellent class that helped me sharpen my edge in forensic fundamentals.  I consider SEC508 to be a transformational experience where I was given entirely new tools that I have been using with great enthusiasm now that I have them in my arsenal. The tool that I want to blog about today is what Rob Lee accurately calls the Super Timeline.

Making Use of a Super Timeline

I won’t go over how to create a Super Timeline since Rob has already covered that at a high level on the SANS Forensic Blog. What I’ve been working on recently is how to best make use of the resulting timeline. I have also discovered some interesting artifacts that it never occurred to me to consider as part of a timeline.

What I’ve learned is that creating a Super Timeline is only the beginning of timeline analysis.  Because the Super Timeline method captures so many time stamps, it is likely that a Super Timeline will contain too many entries to manually review line by line, especially if an examiner creates a timeline for an entire drive image.  The challenge is to be able to pin down what portions of that timeline are relevant to the examination at hand.

What I recommend is to use more tactical forensic tools to pull out specific dates and times that can then be viewed in greater detail by using the Super Timeline.  A classic forensic examination is one where an examiner is asked to determine whether someone removed information such as intellectual property from a computer using methods such as email or a USB device.  The Super Timeline is an invaluable tool for this sort of examination, but you have to know where to look on the timeline to get the data of interest.  Tools that can help an examiner do this include Digital Detective’s Net Analysis and HSTEX, Harlan’s Reg Ripper, and keyword searching via spreadsheet programs such as Excel.

I like the Net Analysis and HSTEX combo and I’ve been using both tools for many years.  Craig Wilson was recently awarded a well deserved Forensic 4cast Lifetime Achievement Award.  An examiner can take the latest version of HSTEX and use it to extract web browser history from an image.  If it’s a Windows operating system that is being examined, the Internet Explorer history will be of great interest because the examiner can load the HSTEX results into Net Analysis and then filter on terms like “file” to show just file access entries or terms like “attach” to find evidence where files might be uploaded or downloaded from something such as web based email.  The examiner can then take the date and time information for specific events of interest and refer to the Super Timeline to get a clearer picture of the events that surrounded that point in time.

Harlan has been doing some great work in the area of registry forensic research and tool development. Harlan’s Reg Ripper tool is one that every examiner should have in their tool box, and it’s Harlan’s regtime.pl tool that provides registry date and time data in the creation of a Super Timeline.  For example, using the Reg Ripper tool to determine what types of USB devices have been connected to a system allows the examiner to then search for device specific keywords on the Super Timeline.

Super Timelines are designed to be loaded up into a spreadsheet such as Microsoft Excel.  These spreadsheets can also be used to help an examiner zero in on specific events through keyword searching. Keywords such as the word “USB” can be used to help determine when a USB specific event occurred in the timeline.
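The workflow described above (pull a date and time out of a tactical tool or a keyword hit, then pivot into the Super Timeline to see what surrounds that moment) is easy to script when the timeline is too large for a spreadsheet. The following is an added example written for this post, not a tool from the post, from SANS, or from log2timeline/mactime. The sample timeline is constructed, and the column layout (date, time, source, description) is an assumption made for the example; a real Super Timeline export has its own columns, so the parser would need to be adjusted to match them.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample timeline for this example. This is NOT a real Super
# Timeline export; the column layout is an assumption for illustration.
SAMPLE_TIMELINE = """date,time,source,description
2010-07-12,09:58:41,REG,HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer key updated
2010-07-12,09:58:43,FILE,C:\\Windows\\Media\\Windows Hardware Insert.wav last accessed
2010-07-12,10:01:05,FILE,E:\\ProjectPlans.xlsx last accessed
2010-07-12,10:01:09,WEBHIST,file:///E:/ProjectPlans.xlsx visited
2010-07-12,10:03:30,FILE,C:\\Windows\\Media\\Windows Hardware Remove.wav last accessed
2010-07-12,14:22:10,WEBHIST,http://mail.example.com/inbox visited
2010-07-13,08:15:00,EVT,System started
"""


def parse_timeline(text):
    """Parse the CSV text into a list of entries sorted by timestamp."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        entries.append({"ts": ts, "source": row["source"], "description": row["description"]})
    entries.sort(key=lambda e: e["ts"])
    return entries


def keyword_hits(entries, keyword):
    """Case-insensitive keyword search, the same thing a spreadsheet filter does."""
    k = keyword.lower()
    return [e for e in entries
            if k in e["description"].lower() or k in e["source"].lower()]


def pivot_window(entries, pivot, minutes):
    """Everything within +/- `minutes` of a time of interest.

    `pivot` is typically a timestamp lifted from another tool (a Net Analysis
    browser history entry, a Reg Ripper USBSTOR key time, and so on).
    """
    delta = timedelta(minutes=minutes)
    return [e for e in entries if pivot - delta <= e["ts"] <= pivot + delta]


def pivot_around_keyword(entries, keyword, minutes):
    """Keyword search, then pivot on each hit to collect its surrounding context."""
    return [(hit, pivot_window(entries, hit["ts"], minutes))
            for hit in keyword_hits(entries, keyword)]


if __name__ == "__main__":
    timeline = parse_timeline(SAMPLE_TIMELINE)
    for hit, context in pivot_around_keyword(timeline, "USB", 5):
        print("Pivot:", hit["ts"], hit["description"])
        for e in context:
            print("   ", e["ts"], e["source"], e["description"])
```

Run against the constructed sample, the "USB" search lands on the USBSTOR registry entry, and the five-minute window around it pulls in the hardware insert sound, the file access on the E: volume, the browser history entry for that file, and the hardware remove sound, which is exactly the kind of cluster an examiner wants to see without scrolling through the rest of the day.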

One of the added bonuses that I’ve discovered from using Super Timelines is that it’s shown me new artifacts to be aware of during an examination.  For example, while examining a recent Super Timeline I saw the last accessed times being updated on the .wav files for the sounds that are made when a USB device is inserted or removed.  It occurs to me that this is a valuable thing to keep in mind when trying to determine what a user did on a particular computer.  When a user interacts with an operating system GUI like Windows, certain actions can result in sound files playing, and that can result in the last accessed time stamps of those files being updated.  One caveat: this artifact depends on the file system actually recording last access times.  Windows Vista and later disable NTFS last access updates by default (the NtfsDisableLastAccessUpdate value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem), so check that setting in the system hive before reading anything into a sound file’s access time, or its absence, on those systems.

Twitter Update

I have decided to create a separate unprotected Twitter account called @AFoDBlog for the blog which will be dedicated exclusively to alerting readers to new blog posts and to also pass along digital forensic content that I think will be of interest.  It’s intended to be a low traffic volume feed that emphasizes quality over quantity. Since it’s unprotected you can see what you are getting into before following it.

I use my protected @ericjhuber account to Tweet about digital forensics. I also use it to socialize with my fellow digital forensic examiners which might not be something that readers care to read about.  Most people continue to follow that account once they start reading it, but I have noticed that some unfollow it.  I assume it’s because they aren’t necessarily interested in reading Ken Pryor and me swapping patrol stories about being bitten by cop hating dogs.  I, of course, think this is riveting stuff, but I understand others might not see it that way.