Security Ripcord


Bodyfile and Timeline EnScripts

Being able to utilize multiple tools is key for any digital forensic and incident response analyst. However, moving back and forth between different operating systems, or starting and stopping memory-intensive tools, can slow down the export of critical information from a system. The fls utility provided with The Sleuth Kit produces an excellent bodyfile and is, in my mind, the default standard for generating timeline information. However, if you are working in EnCase, it would be nice to have a method to quickly output a bodyfile text file that can be integrated with other timeline information for a more in-depth and detailed analysis.

After a bit of trial and error working with EnScripts I decided to contact Lance Mueller to get over a few EnScript hurdles. Lance quickly updated my initial code and helped me understand how to gather file information and output the information to a text file. After a few more tweaks I now have a working BodyFile EnScript. The only real difference between the bodyfile generated by this EnScript and the fls bodyfile is that the EnScript file times are provided in a human-readable format, whereas fls outputs Unix epoch time, which needs to be converted prior to evaluation.

Although this was very useful when generating timelines from multiple sources, I often found myself modifying the bodyfile to match the Timeline (TLN) format outlined by Harlan Carvey in his blog post "Timeline Analysis, pt III":

Time - MS systems use 64-bit FILETIME objects in many cases; however, for the purposes of normalization, 32-bit Unix epoch times will work just fine

Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.) and may require a key or legend. For graphical representation, each source can be associated with a color.

Host - The host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may also require a key or legend)

User - User, defined by user name, SID, email address, IM screenname, etc. (may also require a key or legend)

Description - The description of what happened; this is where context comes in…

I have to admit that I don't always follow this format to the letter, for one reason or another. I often use the last two fields as open fields for specific information about the artifact that I am documenting. Where I can, I provide "User" information, but remembering to be flexible allows me to include valuable information, although it would also be just as easy to tack it on the end.

After a few rounds of converting the EnScript bodyfile to TLN format I decided it was just better to have an EnScript that outputs TLN format directly. Thus I now have the TLNFile EnScript, which can easily be integrated with other TLN-formatted files to create excellent timelines.
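
The bodyfile-to-TLN conversion described above, as an added Python example that is not the author's EnScript: it reads Sleuth Kit style bodyfile lines (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), accepts either epoch timestamps (fls) or human-readable ones (EnScript), and emits Time|Source|Host|User|Description lines with a MACB tag. The "YYYY-MM-DD HH:MM:SS" UTC format for the EnScript times, the sample records, and the host name WS01 are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: one fls-style record (epoch times) and the same record
# as an EnScript-style bodyfile with human-readable times (format assumed).
FLS_LINES = [
    "0|/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592"
    "|1262304000|1262300400|1262300400|1262300000",
]
ENSCRIPT_LINES = [
    "0|/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|302592"
    "|2010-01-01 00:00:00|2009-12-31 23:00:00|2009-12-31 23:00:00|2009-12-31 22:53:20",
]

TIME_FIELDS = ("A", "M", "C", "B")  # bodyfile order: atime, mtime, ctime, crtime


def to_epoch(value: str) -> int:
    """Return a 32-bit Unix epoch from either an epoch string or an assumed
    'YYYY-MM-DD HH:MM:SS' UTC string, so both bodyfile flavours normalize."""
    value = value.strip()
    if value.lstrip("-").isdigit():
        return int(value)
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def bodyfile_to_tln(lines, host, user="", source="FILE"):
    """Emit TLN lines (Time|Source|Host|User|Description); timestamps that
    share a value collapse into one event tagged with its MACB letters."""
    out = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 bodyfile fields, got {len(fields)}: {line!r}")
        name, inode = fields[1], fields[2]
        events = {}
        for tag, raw in zip(TIME_FIELDS, fields[7:11]):
            epoch = to_epoch(raw)
            if epoch <= 0:  # fls writes 0 when the file system has no such timestamp
                continue
            events.setdefault(epoch, []).append(tag)
        for epoch, tags in sorted(events.items()):
            macb = "".join(t if t in tags else "." for t in "MACB")
            out.append(f"{epoch}|{source}|{host}|{user}|{macb} {name} (inode {inode})")
    return out


if __name__ == "__main__":
    for tln in bodyfile_to_tln(FLS_LINES, "WS01"):
        print(tln)
```

Because both inputs normalize to epoch seconds, the fls and EnScript records above yield identical TLN lines, ready to be merged with other TLN sources and sorted on the first field.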

Go forth and do good things,

Don C. Weber
