Timeline Analysis
Geoff Black, EnCE, SnortCP
Senior Forensic Consultant, Professional Services Division
Guidance Software, Inc.
Usage Scenarios
- Intrusion mapping
- Spyware / malware file dropping
- Suspect activity
- File activity
- Registry keys
- Email times
- Web history
The Common (And Wrong) Way
- Many investigators do not conduct proper timeline analysis.
- EnCase does not give the user an easy method to accomplish this.
- Within Table View you can only add secondary sort columns.
- A secondary sort column only takes effect where the primary column holds identical values, so each file still appears once, at the position of its primary date.
- That is NOT a unified linear timeline.
The Built-in Alternative
- Timeline View gives a decent overview, but it is cumbersome and not at all user-friendly.
Proper Method: Unified Linear Timeline
- Considers each date field individually.
- Not locked into sorting on a single field.
- Does not base a second sort on the value of the first field.
- Completely linear across all date fields.
- End result: an entry can be listed multiple times in the timeline, once for each date field.
Hands-On Lab
- Check your time settings: the lab machine's time zone and the evidence time zone. Timestamps should be displayed in the zone the evidence was created in, not the zone of the examination machine.
- Locate an interesting event.
- Select a date/time range around the event.
- Run the Timeline Report EnScript and examine the results.
- Use Selected Files to narrow your search if necessary.
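To make the difference between the two sort strategies concrete, and to show the lab steps (time zone, window around the event, report) in code, here is an added example. It is not the Timeline Report EnScript or any other code from the slides; the file records, paths and dates are constructed, and the evidence time zone (a fixed UTC-7 offset) is an assumption chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real evidence: one row per file with the four
# date columns EnCase shows for an NTFS file (kept here as UTC strings).
RECORDS = [
    {"path": r"C:\Windows\System32\evil.dll",
     "created": "2008-03-12 09:15:02", "modified": "2008-03-12 09:14:55",
     "accessed": "2008-03-13 07:02:10", "entry_modified": "2008-03-12 09:15:02"},
    {"path": r"C:\Documents and Settings\bob\Local Settings\Temp\dropper.exe",
     "created": "2008-03-12 09:14:50", "modified": "2008-03-12 09:14:50",
     "accessed": "2008-03-12 09:15:03", "entry_modified": "2008-03-12 09:14:50"},
    {"path": r"C:\Windows\System32\notepad.exe",
     "created": "2004-08-04 12:00:00", "modified": "2004-08-04 12:00:00",
     "accessed": "2008-03-12 09:16:00", "entry_modified": "2004-08-04 12:00:00"},
]
DATE_FIELDS = ("created", "modified", "accessed", "entry_modified")

# Assumed evidence time zone for display: a fixed UTC-7 offset (example value).
EVIDENCE_TZ = timezone(timedelta(hours=-7))


def parse(ts):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as a UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def column_sort(records, primary, secondary):
    """The Table View approach: sort rows on one column, break ties on a second.
    Each file appears once, at the position of its primary date only."""
    ordered = sorted(records, key=lambda r: (parse(r[primary]), parse(r[secondary])))
    return [r["path"] for r in ordered]


def unified_timeline(records, start=None, end=None):
    """Unified linear timeline: every date field of every record becomes its own
    event, so one file can appear up to len(DATE_FIELDS) times. Optional
    start/end (UTC datetimes) keep only events inside the window of interest."""
    events = []
    for rec in records:
        for field in DATE_FIELDS:
            t = parse(rec[field])
            if (start is not None and t < start) or (end is not None and t > end):
                continue
            events.append((t, field, rec["path"]))
    # Sort on the timestamp alone; path and field only break exact ties.
    events.sort(key=lambda e: (e[0], e[2], e[1]))
    return events


def fmt(event, evidence_tz=EVIDENCE_TZ):
    """Render one event in the evidence time zone. Timestamps stay UTC
    internally and are converted only for display."""
    t, field, path = event
    return f"{t.astimezone(evidence_tz):%Y-%m-%d %H:%M:%S %z}  {field:<14}  {path}"


if __name__ == "__main__":
    window = (parse("2008-03-12 09:14:00"), parse("2008-03-12 09:20:00"))
    print("Column sort (created, then modified):")
    for p in column_sort(RECORDS, "created", "modified"):
        print("  ", p)
    print("\nUnified timeline around the event:")
    for ev in unified_timeline(RECORDS, *window):
        print("  ", fmt(ev))
```

In the column sort, evil.dll sits last because its created date is the latest; the unified timeline instead places its modified event (09:14:55) before its own created event (09:15:02) and right after the dropper's arrival, which is the sequence an investigator actually wants to see. Narrowing the window is the equivalent of selecting a date range before running the report.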
Timeline Report
- Download: http://www.geoffblack.com/forensics/
Detecting Timestamp Anomalies
- The MFT stores two sets of dates for each file:
  - Standard Information Attribute ($STANDARD_INFORMATION): the dates EnCase and Windows display
  - File Name Attribute ($FILE_NAME)
- Anti-forensics tools modify timestamps: TimeStomp, FileTouch, FileTouchdotNET.
- Popular theories for detection follow.
[Figure: MFT entry record structure, showing the MFT entry header, the Standard Information Attribute, the File Name Attribute, and the remainder of the record]
Detecting Timestamp Anomalies
- Popular theory: TimeStomp uses low-precision timestamping (the sub-second part of the timestamp is zero).
- Problem: so does just about every major installation routine.
Detecting Timestamp Anomalies
- Popular theory: in a normal, unaltered record the File Name Attribute times will always be earlier than the Standard Information Attribute times.
- Problem: on standard, well-used drives, expect up to 50% of entries where the FN timestamp is more recent than the SIA timestamp without any manual alteration.
Detecting Timestamp Anomalies
- Detection is not reliable through attribute comparison or timestamp precision.
- The only currently reliable method is to identify a known tool on the system.
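The two detection theories and their failure modes can be checked against a handful of MFT entries. The following is an added example, not code from the slides: it converts the raw FILETIME values the MFT stores into datetimes, applies both heuristics, and shows that a legitimately installed file trips exactly the same flags as a file whose Standard Information dates were set back. All four entries (names, dates, sub-second ticks) are constructed; the scenario behind each one is stated in its comment and is an assumption for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME as stored in the MFT: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft_value):
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft_value // 10)


def datetime_to_filetime(dt):
    """Convert an aware datetime back to FILETIME ticks."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def ft(ts, ticks=0):
    """Build a FILETIME from 'YYYY-MM-DD HH:MM:SS' (UTC) plus sub-second ticks."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime_to_filetime(dt) + ticks


# Constructed MFT entries, not taken from a real image. "si" is the
# $STANDARD_INFORMATION set (what EnCase and Windows display), "fn" is $FILE_NAME.
ENTRIES = {
    # Assumed scenario: placed by a setup routine. SI times are whole seconds and
    # the SI modified date was set back to the package date, so FN is newer.
    "legit_installer.dll": {
        "si": {"created": ft("2008-03-12 09:14:50"), "modified": ft("2008-01-10 12:00:00"),
               "mft_modified": ft("2008-03-12 09:14:50"), "accessed": ft("2008-03-12 09:14:50")},
        "fn": {f: ft("2008-03-12 09:14:50") for f in FIELDS},
    },
    # Assumed scenario: an ordinary user file whose SI modified date is older
    # than its FN modified date, the pattern the slides say is common on used drives.
    "report.doc": {
        "si": {"created": ft("2008-02-01 08:30:12", 1234567), "modified": ft("2008-01-20 17:05:33", 7654321),
               "mft_modified": ft("2008-02-01 08:30:12", 1234567), "accessed": ft("2008-02-01 08:30:12", 1234567)},
        "fn": {f: ft("2008-02-01 08:30:12", 1234567) for f in FIELDS},
    },
    # Assumed scenario: SI set back to look like an OS file by a timestamp tool,
    # FN left at the real drop time.
    "stomped.exe": {
        "si": {f: ft("2004-08-04 12:00:00") for f in FIELDS},
        "fn": {f: ft("2008-03-12 09:15:02", 5550000) for f in FIELDS},
    },
    # Assumed scenario: untouched file, sub-second precision, FN never newer than SI.
    "normal.txt": {
        "si": {"created": ft("2008-03-01 14:22:09", 3000001), "modified": ft("2008-03-02 09:10:11", 2000002),
               "mft_modified": ft("2008-03-02 09:10:11", 2000002), "accessed": ft("2008-03-02 09:10:11", 2000002)},
        "fn": {f: ft("2008-03-01 14:22:09", 3000001) for f in FIELDS},
    },
}


def low_precision(entry):
    """Theory 1: every SI timestamp has a zero sub-second part."""
    return all(t % TICKS_PER_SECOND == 0 for t in entry["si"].values())


def fn_newer_than_si(entry):
    """Theory 2: some FN timestamp is later than the matching SI timestamp."""
    return any(entry["fn"][f] > entry["si"][f] for f in FIELDS)


def evaluate(entries):
    """Return {name: set of heuristic names that fired} for each entry."""
    flags = {}
    for name, entry in entries.items():
        hits = set()
        if low_precision(entry):
            hits.add("low_precision")
        if fn_newer_than_si(entry):
            hits.add("fn_newer_than_si")
        flags[name] = hits
    return flags


if __name__ == "__main__":
    for name, hits in evaluate(ENTRIES).items():
        si_created = filetime_to_datetime(ENTRIES[name]["si"]["created"])
        print(f"{name:<20} SI created {si_created:%Y-%m-%d %H:%M:%S.%f}  flags={sorted(hits)}")
```

Both heuristics fire on `legit_installer.dll` and on `stomped.exe`, and neither heuristic separates them; `report.doc` shows the FN-newer-than-SI condition on a file nobody tampered with. That is the slide's conclusion in miniature: these comparisons generate leads, not findings, and the finding still comes from locating the tool (or its artifacts) on the system.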
Virtual Private Computing: MojoPac