Sleuth Kit is a collection of command line tools that allows you to analyze disk images.
Volatility is the well-known open source memory forensics framework for incident response and malware analysis.
log2timeline (Plaso) is a tool designed to extract timestamps from the various files found on a typical computer system and aggregate them.
The traditional timeline is generated from data extracted from the filesystem, enriched with information gathered by volatile memory analysis.
The data are parsed and sorted so they can be analyzed: the end goal is a snapshot of the activity on the system, with the date, the artifact involved, the action and the source of each entry.
Here are the steps, starting from an E01 disk image and a volatile memory dump:
# filesystem timestamps in bodyfile format; -m needs the mount-point prefix for the paths (add -o <sector offset> if the image contains a partition table)
fls -r -m / Evidence1.E01 > Evidence1-bodyfile
# memory artifacts (processes, network connections, registry hives...) in the same bodyfile format
vol.py -f Evidence1-memoryraw.001 --profile=Win7SP1x86 timeliner --output=body --outputfile=Evidence1-timeliner.body
# merge the two sources into one bodyfile
cat Evidence1-timeliner.body >> Evidence1-bodyfile
# sort and render only the period of interest as CSV
mactime -d -b Evidence1-bodyfile 2012-04-02..2012-04-07 > Evidence1-mactime-timeline.csv
# drop the known-good noise listed in whitelist.txt (one pattern per line, matched case-insensitively)
grep -v -i -f whitelist.txt Evidence1-mactime-timeline.csv > Evidence1-mactime-timeline-final.csv
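As an added example, not code from the original article or from The Sleuth Kit, here is what the mactime step does, implemented in Python on constructed bodyfile lines: it reads the TSK 3.x body format (the format both fls -m and Volatility's timeliner --output=body write), keeps only the timestamps inside the 2012-04-02..2012-04-07 window, and emits one row per distinct timestamp with MACB flags. The sample entries, the inclusive treatment of the end day and the exact output layout are assumptions; the point is to make the merged bodyfile and what mactime produces from it readable.

```python
#!/usr/bin/env python3
"""Added example (not from the original article): a minimal re-implementation of
the mactime step. It parses TSK 3.x bodyfile lines, keeps only timestamps inside a
yyyy-mm-dd..yyyy-mm-dd window, and emits one row per distinct timestamp with
mactime-style MACB flags. All sample lines are constructed."""
import csv
import io
from datetime import datetime, timezone

# Constructed bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# (times are Unix epoch seconds). The third line mimics a Volatility timeliner
# process entry, which carries the same timestamp in all four fields.
SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|12345-128-1|r/rrwxrwxrwx|0|0|302592|1333468800|1309400000|1309400000|1309400000
0|/Users/bob/Downloads/invoice.exe|67890-128-3|r/rrwxrwxrwx|0|0|81920|1333534800|1333534800|1333534800|1333534800
0|[PROCESS] invoice.exe PID: 2580/PPID: 1776|0|---------------|0|0|0|1333534860|1333534860|1333534860|1333534860
0|/Windows/Prefetch/INVOICE.EXE-1A2B3C4D.pf|13579-128-1|r/rrwxrwxrwx|0|0|24576|1333534870|1333534870|1333534870|1333534870
0|/old/report.docx|24680-128-1|r/rrwxrwxrwx|0|0|40000|1320000000|1320000000|1320000000|1320000000
"""


def parse_bodyfile(text):
    """Parse bodyfile text into dicts; a malformed line is an error, not silently skipped."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 '|'-separated fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        rows.append({
            "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid, "size": size,
            # mactime's flag order is m, a, c, b (modified, accessed, changed, born)
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return rows


def parse_date_range(spec):
    """'2012-04-02..2012-04-07' -> (start, end) epoch seconds; end day inclusive (assumption)."""
    start_s, end_s = spec.split("..")
    start = datetime.strptime(start_s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(start.timestamp()), int(end.timestamp()) + 86400 - 1


def macb_flags(times, ts):
    """Flag string such as 'm..b': which of the four timestamps equal ts."""
    return "".join(flag if times[flag] == ts else "." for flag in "macb")


def build_timeline(rows, start, end):
    """One event per distinct timestamp per entry, restricted to [start, end], sorted by time."""
    events = []
    for row in rows:
        for ts in sorted(set(row["times"].values())):
            if ts == 0 or not (start <= ts <= end):  # 0 means 'no timestamp' in a bodyfile
                continue
            events.append((ts, macb_flags(row["times"], ts), row))
    events.sort(key=lambda e: (e[0], e[2]["name"]))
    return events


def to_csv(events):
    """Render rows in the column layout mactime -d uses (dates shown in UTC)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for ts, flags, row in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        writer.writerow([when, row["size"], flags, row["mode"], row["uid"], row["gid"], row["inode"], row["name"]])
    return buf.getvalue()


if __name__ == "__main__":
    lo, hi = parse_date_range("2012-04-02..2012-04-07")
    print(to_csv(build_timeline(parse_bodyfile(SAMPLE_BODYFILE), lo, hi)))
```

Run as-is it prints four rows: the out-of-range timestamps of cmd.exe and report.docx are dropped, the Volatility process entry lands between the download and the prefetch file, and the cmd.exe row carries only the `.a..` flag because just its access time falls in the window.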
The super timeline goes beyond the traditional file system timeline, which is built from metadata extracted from acquired images, by adding more sources, including artifacts that provide valuable information to the investigation.
Three simple steps, starting from an E01 dump:
# parse every supported artifact in the image into a plaso storage file
log2timeline.py plaso.dump Evidence1.E01
# sort, restrict to the period of interest and write it out in l2tcsv format (timestamps in UTC)
psort.py -z "UTC" -o l2tcsv plaso.dump "date > '2012-04-03 00:00:00' AND date < '2012-04-07 00:00:00'" -w plaso.csv
# drop the known-good noise listed in whitelist.txt (one pattern per line, matched case-insensitively)
grep -v -i -f whitelist.txt plaso.csv > supertimeline.csv
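The final grep step hides a pitfall: grep -f treats each whitelist line as a regular expression, and an empty line matches everything, so a stray blank line turns `grep -v` into a filter that drops the whole timeline. As an added example, not part of the original article or of plaso, here is the whitelist step in Python over constructed l2tcsv rows: it rejects blank patterns, records which pattern dropped each row, and can scope matching to chosen columns (file names only, for instance) instead of the whole line as grep does. The column names are plaso's l2tcsv header; the rows, whitelist entries, host name and prefetch hash are constructed.

```python
#!/usr/bin/env python3
"""Added example (not from the original article or the plaso project): the
whitelist filtering step done in Python instead of grep, so every dropped row is
attributed to the pattern that removed it. All sample data is constructed; the
l2tcsv column names are plaso's."""
import csv
import io
import re

# Constructed l2tcsv output (plaso's 17 columns), with no commas inside fields.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
04/03/2012,16:00:00,UTC,.A..,FILE,NTFS,Last Access Time,-,WIN7-PC,/Windows/System32/cmd.exe,/Windows/System32/cmd.exe,2,TSK:/Windows/System32/cmd.exe,12345,-,filestat,-
04/04/2012,10:20:00,UTC,MACB,FILE,NTFS,Creation Time,bob,WIN7-PC,/Users/bob/Downloads/invoice.exe,/Users/bob/Downloads/invoice.exe,2,TSK:/Users/bob/Downloads/invoice.exe,67890,-,filestat,-
04/04/2012,10:21:10,UTC,...B,LOG,WinPrefetch,Last Time Executed,-,WIN7-PC,Prefetch [INVOICE.EXE] was executed,Prefetch [INVOICE.EXE] was executed - run count 1 path: /Users/bob/Downloads/invoice.exe,2,TSK:/Windows/Prefetch/INVOICE.EXE-1A2B3C4D.pf,13579,-,prefetch,-
04/04/2012,10:25:00,UTC,M...,FILE,NTFS,Content Modification Time,-,WIN7-PC,/Windows/SoftwareDistribution/DataStore/DataStore.edb,/Windows/SoftwareDistribution/DataStore/DataStore.edb,2,TSK:/Windows/SoftwareDistribution/DataStore/DataStore.edb,24680,-,filestat,-
04/05/2012,03:00:00,UTC,M...,FILE,NTFS,Content Modification Time,-,WIN7-PC,/Windows/Logs/CBS/CBS.log,/Windows/Logs/CBS/CBS.log,2,TSK:/Windows/Logs/CBS/CBS.log,11111,-,filestat,-
"""

# Constructed whitelist: one regular expression per line, as grep -f reads it.
SAMPLE_WHITELIST = """\
SoftwareDistribution/DataStore
/Windows/Logs/CBS/
"""


def load_whitelist(text):
    """Compile whitelist lines as case-insensitive regexes (grep -i -f semantics).
    A blank line is rejected: grep treats an empty pattern as matching every line,
    so 'grep -v -f' with a blank line in the whitelist empties the timeline."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        pat = raw.strip()  # surrounding whitespace is trimmed here, unlike grep
        if not pat:
            raise ValueError(f"whitelist line {lineno} is blank and would match every timeline row")
        patterns.append(re.compile(pat, re.IGNORECASE))
    return patterns


def filter_timeline(csv_text, patterns, columns=None):
    """Drop rows matched by any pattern. With columns=None the whole line is searched,
    as grep does; passing e.g. ["filename"] scopes the match to those l2tcsv columns.
    Returns (kept_rows, [(pattern_that_matched, dropped_row), ...])."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept, dropped = [], []
    for row in reader:
        haystack = ",".join(row[c] for c in (columns or reader.fieldnames))
        hit = next((p.pattern for p in patterns if p.search(haystack)), None)
        if hit is None:
            kept.append(row)
        else:
            dropped.append((hit, row))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_timeline(SAMPLE_L2TCSV, load_whitelist(SAMPLE_WHITELIST))
    for pattern, row in dropped:
        print(f"dropped by {pattern!r}: {row['filename']}")
    print(f"{len(kept)} rows kept, {len(dropped)} dropped")
```

Keeping the dropped rows with their matching pattern is what lets you audit a whitelist: a pattern like `Downloads` searched over the whole line, as grep does, also removes the prefetch entry whose description mentions the download path, whereas scoping it to the `filename` column removes only the file itself.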
In the next article I will propose my method for timeline analysis.