System Combo Timeline Released
Tired of doing a lot of work by hand, I have started a project to quickly generate a timeline file from system artifacts recovered from systems running a Windows operating system. The goal is to quickly generate information that can be used to determine actionable intelligence during an incident response. System Combo Timeline is a set of scripts that will internally generate, or use external tools (thank you, Harlan) to generate, TLN-based timeline files from specific system artifacts. These files are combined into one TLN-based file which can be reviewed with the hope of understanding some of the actions that occurred on the system. Information taken from this TLN combo file can be used to direct the rest of the analysis or even provide information to help guide future incident response activities.
Hopefully you find this tool useful. There is still a lot of work to do to pull in additional capabilities and make the tool more flexible. As always, feedback and requests for features are welcome. Leave a comment and let everyone know what you think about the tool.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
December 4th, 2009 at 12:42 am
I’m getting this error:
$ python syscombotln.py IS080
Traceback (most recent call last):
File "syscombotln.py", line 156, in
EVTP = sb.Popen(evt_cmd, stdout = sb.PIPE, stderr = sb.PIPE).communicate()
File "/usr/lib/python2.5/subprocess.py", line 594, in __init__
errread, errwrite)
File "/usr/lib/python2.5/subprocess.py", line 1091, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
December 4th, 2009 at 5:30 am
@Eric,
It looks like you are using the same version of Python so I don’t think that “subprocess” is a problem. I haven’t experienced this problem with other users so far.
Perhaps there is a parse error being produced by evtparse.pl and the subprocess’ STDERR is not handling it properly. Have you tried running evtparse.pl against your EVT file to see if you get errors? Harlan’s EVT scripts usually handle “corrupted” EVT files very well, but there may be some other issue. If you post any error output from evtparse.pl it might help.
Thank you,
Don C. Weber
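An added example (Python 3, written for this page and not part of syscombotln.py) of a wrapper around the Popen call shown in Eric's traceback. An OSError with errno 2 from Popen means the command in evt_cmd could not be started at all, so nothing ever reaches stderr; a parser that does start and complains instead exits non-zero with text on stderr, and the two cases need different fixes. The evtparse.pl name comes from the thread; the ToolResult wrapper and its status labels are assumptions.

```python
import shutil
import subprocess
from typing import List, Optional

# Parser name taken from the thread; where it lives on PATH is an assumption.
EVT_PARSER = "evtparse.pl"


class ToolResult:
    """Outcome of one external-tool invocation (helper defined for this example)."""

    def __init__(self, status: str, returncode: Optional[int], stdout: str, stderr: str):
        self.status = status          # "not_found", "not_runnable", "failed" or "ok"
        self.returncode = returncode  # None when the process never started
        self.stdout = stdout          # TLN lines on success
        self.stderr = stderr          # parser complaints, or the launch error text


def run_tool(cmd: List[str]) -> ToolResult:
    """Run an external parser and say which of three things happened.

    Popen searches PATH for cmd[0] and raises OSError (errno 2) when it is not
    there; that is a launch failure, not a parse error, so report it as such.
    """
    if shutil.which(cmd[0]) is None:
        return ToolResult("not_found", None, "", "%s not found on PATH" % cmd[0])
    try:
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    except OSError as exc:
        # Exists on PATH but cannot be executed (e.g. missing execute bit or interpreter).
        return ToolResult("not_runnable", None, "", str(exc))
    out, err = proc.communicate()
    status = "ok" if proc.returncode == 0 else "failed"
    return ToolResult(status, proc.returncode, out, err)


def evt_to_tln(evt_path: str) -> ToolResult:
    """Invoke the EVT parser on one file, the way syscombotln.py shells out to it."""
    return run_tool([EVT_PARSER, evt_path])
```

Checking `result.status` before appending `result.stdout` to the combo file keeps a missing or broken parser from silently producing an empty section of the timeline.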