
Timeline Analysis Geoff Black, EnCE, SnortCP Senior Forensic Consultant Professional Services Division Guidance Software, Inc.

Presentation transcript:

1 Timeline Analysis
Geoff Black, EnCE, SnortCP
Senior Forensic Consultant, Professional Services Division
Guidance Software, Inc.

2 Usage Scenarios
Intrusion mapping
Spyware / malware file dropping
Suspect activity
    File activity
    Registry keys
    Email times
    Web history

3 The Common (And Wrong) Way
Many investigators do not conduct proper timeline analysis.
EnCase does not give the user an easy method to accomplish this.
Within Table View you can only add secondary sort columns.
    These only sort when the first column has identical data.
    The result is NOT a unified linear timeline.

4 The Built-in Alternative
Timeline View gives a decent overview, but it is cumbersome and not at all user-friendly.

5 Proper Method: Unified Linear Timeline
Considers each date field individually
Not locked into sorting a single field
Does not base a second sort on the value of the first field
Completely linear across all date fields
End result is that an entry can be listed multiple times in the timeline, once for each date field

6 Hands-On Lab
Check your time settings
    Lab machine TZ
    Evidence TZ
Locate an interesting event
Select a date/time range around the event
Run the Timeline Report EnScript and examine the results
Use Selected Files to narrow your search if necessary
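The unified linear timeline from slide 5 and the lab steps from slide 6 (choose a range, run the report, narrow to selected files) reduce to a small amount of code. The following Python is an added example written for this transcript; it is not the Timeline Report EnScript and not code from the presentation. It assumes file records with four NTFS date fields already extracted (created, written, accessed, entry modified) and stores them in UTC so that display can be converted to the evidence time zone. The sample records, paths and times are constructed; `evil.dll` is given an old last-written time so the difference between a unified timeline and a secondary-sort table view is visible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set

UTC = timezone.utc

@dataclass(frozen=True)
class FileRecord:
    """One file entry with the four NTFS date fields shown as separate table columns."""
    path: str
    created: datetime
    written: datetime         # last modification of the file data
    accessed: datetime
    entry_modified: datetime  # last change to the MFT record itself

@dataclass(frozen=True)
class TimelineEvent:
    """One row of the unified timeline: a single date field of a single file."""
    when: datetime
    field: str
    path: str

DATE_FIELDS = ("created", "written", "accessed", "entry_modified")

def unified_timeline(records: Iterable[FileRecord]) -> List[TimelineEvent]:
    """Emit one event per (file, date field) and sort all of them on one axis.
    A file therefore appears up to four times, once per date field."""
    events = [TimelineEvent(getattr(r, f), f, r.path)
              for r in records for f in DATE_FIELDS]
    events.sort(key=lambda e: (e.when, e.path, e.field))
    return events

def secondary_sort(records: Iterable[FileRecord], primary: str, secondary: str) -> List[FileRecord]:
    """The Table View approach the slides warn about: sort on one column and
    use the second column only to break ties in the first."""
    return sorted(records, key=lambda r: (getattr(r, primary), getattr(r, secondary)))

def filter_events(events: Iterable[TimelineEvent],
                  start: Optional[datetime] = None,
                  end: Optional[datetime] = None,
                  selected_paths: Optional[Set[str]] = None) -> List[TimelineEvent]:
    """Narrow the timeline to a date range and, optionally, to selected files."""
    out = []
    for e in events:
        if start is not None and e.when < start:
            continue
        if end is not None and e.when > end:
            continue
        if selected_paths is not None and e.path not in selected_paths:
            continue
        out.append(e)
    return out

def render(events: Iterable[TimelineEvent], display_tz: timezone) -> List[str]:
    """Render rows converted from UTC to the chosen display time zone."""
    return [f"{e.when.astimezone(display_tz):%Y-%m-%d %H:%M:%S %z}  {e.field:<14} {e.path}"
            for e in events]

def ts_utc(y: int, mo: int, d: int, h: int, mi: int, s: int = 0) -> datetime:
    return datetime(y, mo, d, h, mi, s, tzinfo=UTC)

# Constructed sample evidence (not from the presentation). evil.dll was dropped
# during the incident but keeps a 2008 last-written time from wherever it was copied from.
SAMPLE = [
    FileRecord(r"C:\Windows\Temp\a.exe",
               ts_utc(2009, 3, 1, 10, 0), ts_utc(2009, 3, 1, 10, 0),
               ts_utc(2009, 3, 1, 10, 5), ts_utc(2009, 3, 1, 10, 0)),
    FileRecord(r"C:\Windows\System32\evil.dll",
               ts_utc(2009, 3, 1, 10, 2), ts_utc(2008, 1, 15, 8, 30),
               ts_utc(2009, 3, 1, 10, 2), ts_utc(2009, 3, 1, 10, 2)),
    FileRecord(r"C:\Users\bob\notes.txt",
               ts_utc(2009, 2, 20, 9, 0), ts_utc(2009, 3, 1, 9, 58),
               ts_utc(2009, 3, 1, 10, 1), ts_utc(2009, 3, 1, 9, 58)),
]

if __name__ == "__main__":
    evidence_tz = timezone(timedelta(hours=-8))  # assumed evidence time zone (UTC-8)
    window = filter_events(unified_timeline(SAMPLE),
                           ts_utc(2009, 3, 1, 10, 0), ts_utc(2009, 3, 1, 10, 3))
    for row in render(window, evidence_tz):
        print(row)
```

Sorting the table by created date and then by written date lists the three files once each, in creation order, and the 2008 written time of `evil.dll` sits in a column on the last row. The unified timeline places that same written time at the very top as its own row, which is the effect slide 5 describes: an entry appears once per date field, and no field is subordinate to another.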

7 Timeline Report
Download: http://www.geoffblack.com/forensics/

8 Detecting Timestamp Anomalies
MFT stores two sets of dates
    Standard Information Attribute (EnCase, Windows)
    File Name Attribute
Anti-forensics tools modify timestamps
    TimeStomp / FileTouch / FileTouchdotNET
Popular theories for detection
(Diagram: MFT Entry Record Structure: MFT Entry Header, Standard Information Attribute, File Name Attribute, Remainder of Record)

9 Detecting Timestamp Anomalies
Popular Theory: TimeStomp uses low precision timestamping
Problem: So does just about every major installation routine

10 Detecting Timestamp Anomalies
Popular Theory: The FileName Attribute times will always be earlier than the Standard Information Attribute times in a normal timestamp
Problem: On standard well-used drives, expect up to 50% of entries where the FN timestamp is more recent than the SIA timestamp without any manual alterations

11 Detecting Timestamp Anomalies
Detection is not reliable through attribute comparison or timestamp precision
The only currently reliable method is to identify a known tool on the system
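Slides 8 through 11 describe two detection theories and why each fails. The Python below is an added example for this transcript, not code from the presentation or from EnCase: it codes both theories against the raw 100-nanosecond FILETIME values that the $STANDARD_INFORMATION and $FILE_NAME attributes carry, then runs them over constructed MFT records so the false positives the slides warn about show up next to a genuinely altered record. The records, paths and times are constructed, and the `KNOWN_TOOL_NAMES` watchlist is an assumption derived from the tool names on slide 8 (a real deployment would match on file hashes, not names).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS FILETIME counts 100 ns intervals

def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (100 ns units since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ticks: int) -> datetime:
    """FILETIME ticks -> UTC datetime (Python keeps microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

@dataclass(frozen=True)
class MftTimes:
    """Created/written times from both timestamp sets of one MFT record."""
    path: str
    si_created: int  # $STANDARD_INFORMATION (what Windows and EnCase display)
    si_written: int
    fn_created: int  # $FILE_NAME
    fn_written: int

def low_precision(ticks: int) -> bool:
    """Theory 1 (slide 9): a zero sub-second part means the time was set with second granularity."""
    return ticks % TICKS_PER_SECOND == 0

def fn_newer_than_si(rec: MftTimes) -> bool:
    """Theory 2 (slide 10): $FILE_NAME times should never be more recent than $SI times."""
    return rec.fn_created > rec.si_created or rec.fn_written > rec.si_written

def heuristic_flags(rec: MftTimes) -> List[str]:
    """Apply both theories and return the names of the ones that fire."""
    flags = []
    if low_precision(rec.si_created) and low_precision(rec.si_written):
        flags.append("si_low_precision")
    if fn_newer_than_si(rec):
        flags.append("fn_newer_than_si")
    return flags

def audit(records: Iterable[MftTimes]) -> Dict[str, List[str]]:
    return {r.path: heuristic_flags(r) for r in records}

# Assumed watchlist built from the tool names on slide 8; hashes would be used in practice.
KNOWN_TOOL_NAMES = ("timestomp", "filetouch")

def known_tool_hits(paths: Iterable[str]) -> List[str]:
    """The approach slide 11 calls reliable: find a known tool on the system."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if any(tool in name for tool in KNOWN_TOOL_NAMES):
            hits.append(p)
    return hits

def ft(y: int, mo: int, d: int, h: int, mi: int, s: int, us: int = 0) -> int:
    return to_filetime(datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc))

# Constructed records (not from the presentation).
# $SI times pushed back to a whole second; $FN still holds the real creation time.
STOMPED = MftTimes(r"C:\Windows\System32\evil.dll",
                   si_created=ft(2005, 1, 1, 0, 0, 0), si_written=ft(2005, 1, 1, 0, 0, 0),
                   fn_created=ft(2009, 3, 1, 10, 2, 0, 123456), fn_written=ft(2009, 3, 1, 10, 2, 0, 123456))
# Installer copied the file at 15:30:00 and then set $SI written to the package build time.
INSTALLED = MftTimes(r"C:\Program Files\App\app.exe",
                     si_created=ft(2009, 2, 28, 15, 30, 0), si_written=ft(2008, 6, 10, 12, 0, 0),
                     fn_created=ft(2009, 2, 28, 15, 30, 0), fn_written=ft(2009, 2, 28, 15, 30, 0))
# Created at 09:58:00.4 and moved into this directory at 10:01; the move wrote a
# fresh $FILE_NAME attribute, so its times are newer than the $SI times.
MOVED = MftTimes(r"C:\Users\bob\Documents\report.doc",
                 si_created=ft(2009, 3, 1, 9, 58, 0, 400000), si_written=ft(2009, 3, 1, 9, 58, 0, 400000),
                 fn_created=ft(2009, 3, 1, 10, 1, 0, 250000), fn_written=ft(2009, 3, 1, 10, 1, 0, 250000))
# Ordinary file: $FN keeps the creation time, $SI written advances with each save.
NORMAL = MftTimes(r"C:\Users\bob\notes.txt",
                  si_created=ft(2009, 2, 20, 9, 0, 3, 771234), si_written=ft(2009, 3, 1, 9, 58, 12, 90210),
                  fn_created=ft(2009, 2, 20, 9, 0, 3, 771234), fn_written=ft(2009, 2, 20, 9, 0, 3, 771234))

if __name__ == "__main__":
    for path, flags in audit([STOMPED, INSTALLED, MOVED, NORMAL]).items():
        print(f"{path:<45} {flags}")
    print(known_tool_hits([r"C:\tools\TimeStomp.exe", NORMAL.path]))
```

Both heuristics fire on the altered record, but the installer-placed file trips the same two flags and the moved document trips the $FN comparison, which is the slides' point: on a real volume these rules produce a flood of benign hits, so a hit is a reason to look closer, never a finding on its own. The watchlist function is the only one of the three that returns an answer the slides consider reliable, and it depends entirely on the tool still being present.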

12 Virtual Private Computing: MojoPac

13 Timeline Analysis
Geoff Black, EnCE, SnortCP
Senior Forensic Consultant, Professional Services Division
Guidance Software, Inc.
