I just have to do a post about a benefit of using log2timeline, because this is entirely too cool.
On a recent investigation, one system had a Seagate FreeAgent Go (USB HD) attached at some point, and this showed up in USB history (from Woanware USB Device Forensics and RegRipper). However, I could not associate it with the user profile through MountPoints2 (MP2) because the USBSTOR didn't contain the Parent Prefix ID Prefix (PPID) for this device. The PPID is used in MountedDevices to identify the drive letter association and GUID; the GUID is then used in MP2 to identify the user (without the GUID you get nothing). Basically all I had was the Vendor, Product, and Version from USBSTOR, along with the connection date from DeviceClasses. As a side note, Enum\USB also did not provide the Volume ID (VID) or Product ID (PID).
At first I wasn't sure why the parsed MP2 didn't show the user association, so I went through the manual process (as detailed by SANS, Harlan Carvey, etc). This revealed what I've noted above regarding the PPID. Even though I did not necessarily need to, I also went through the setupapi.log just to confirm install date, and work the steps, as it were.
To quickly find the device in setupapi, I searched the file for "FreeAgent" using Notepad++. By clicking the "Find All in Current Document" button (as opposed to "Find Next"), I saw that there were hits in very different locations within the file. Looking more closely at these entries, I discovered that there had in fact been two Seagate FreeAgent Go drives attached to the system, more than a month apart. Well, well, well. The serial number for the second one (as logged in setupapi, which also showed the VID and PID) did show up in RegRipper's output for USBSTOR and DeviceClasses, but again that wasn't everything.
I must note at this point that until I started going through manually I hadn't spent a lot of time on RR's output, having focused on Woanware with its nicely organized text file and spreadsheet for ease of use as I had a lot of systems and not a lot of time. I had confirmed the first drive's existence, but hadn't looked to see if there were more like it. Good reminder to cross-check results, even though it may take significantly more time, depending on the amount of relevant data...
Anyway, all that said, here's the cool part with l2t. I loaded up my timeline (created by l2t's CSV output module) in Excel and went to the date/time of the initial setupapi.log entry. Sure enough, there were the install entries, just like expected. And immediately following the installation activity came the MountPoints2 key entry parsed from System Restore Point RPxxx, showing the user association. This was true for both drives in question. In addition, these historic MP2 entries showed the GUID, to help round out the analysis. Aaah, the sweet smell of forensication in the morning... ;-).
Call me a fanboy if you must, but I do like log2timeline. Thanks, Kristinn!
LM
Tips, tricks, problems, solutions, testing, and other 'cool' things from my forensic journey...
Thursday, April 28, 2011
Wednesday, April 20, 2011
Date-Range Specific Timelines
In the prior posts I built a timeline with the new mactime- and csv-format options in log2timeline, I used my bodyfile as input and exported to a nice csv that includes more l2t-related data (as opposed to standard mactime-generated csv). This is nice, but l2t generates one line per timestamp type and gives us a whole lot of rows. Turns out my main timeline was just too much data to be able to load in Excel or Access. Even with 64-bit Win7 and 16 GB of RAM on a Quad-Core processor. Apparently 1.2M rows is just insane. Meh.
I tried to get Kristinn to do things differently, but he just wouldn't see it "my" way. ;) However, in true form, he was extremely helpful. We walked through using grep against an l2t-generated csv to get out some specific sub-ranges that I needed to focus on, like:
This will split out all rows containing data originating (any timestamp type) from February through May of 2009.
Lo and behold! Kristinn also went and created a new module in the nightly build and asked me to help test it. It would automate the process, so you can feed in a date range (kind of like with mactime) and it will pull those dates out of an l2t-generated csv file. Way cool! And so the testing began.
Fortunately by that time I knew my test-set inside and out, so that was helpful in providing him statistics to help track down a few items. In the end, the process was ironed out and works very nicely. I'm not here to post all the specifics, as I know he plans to include it in the next release, and blog about it as well, so I'm leaving that to him. It's his baby, after all. I'm just trying to raise more awareness of this awesome utility, a cool developer, and get more traffic on his sites. Every time I've had a question or problem/concern, Kristinn has been extremely responsive and helpful. Twice now he's written new modules just because I asked if it could be done. Incredible!
I don't think he'll mind me saying that if you're using the nightly build, look for l2t_process; it even has its own man page.
Happy timelining!
LM
I tried to get Kristinn to do things differently, but he just wouldn't see it "my" way. ;) However, in true form, he was extremely helpful. We walked through using grep against an l2t-generated csv to get out some specific sub-ranges that I needed to focus on, like:
head -1 csv.001 > dates.001
grep “^0[2-5]\/[0-3][0-9]\/2009,” csv.001 >> dates.001
This will split out all rows containing data originating (any timestamp type) from February through May of 2009.
Lo and behold! Kristinn also went and created a new module in the nightly build and asked me to help test it. It would automate the process, so you can feed in a date range (kind of like with mactime) and it will pull those dates out of an l2t-generated csv file. Way cool! And so the testing began.
Fortunately by that time I knew my test-set inside and out, so that was helpful in providing him statistics to help track down a few items. In the end, the process was ironed out and works very nicely. I'm not here to post all the specifics, as I know he plans to include it in the next release, and blog about it as well, so I'm leaving that to him. It's his baby, after all. I'm just trying to raise more awareness of this awesome utility, a cool developer, and get more traffic on his sites. Every time I've had a question or problem/concern, Kristinn has been extremely responsive and helpful. Twice now he's written new modules just because I asked if it could be done. Incredible!
I don't think he'll mind me saying that if you're using the nightly build, look for l2t_process; it even has its own man page.
Happy timelining!
LM
Labels:
grep,
Kristinn Gudjonsson,
l2t,
l2t_process,
log2timeline,
timeline
Subscribe to:
Posts (Atom)