System Combo Timeline was developed to speed up the generation of timeline information from a Windows system. The tool is still under development but is ready for active use during an incident response engagement. It is a Python script that parses some Windows artifacts itself and drives external tools for others, producing a text file in TLN format (Time|Source|Host|User|Description, with the time as a Unix epoch in UTC). The resulting file can be reviewed in your favorite text editor or, as I prefer, Mandiant's Highlighter. Recommendations and functionality requests are welcome.
NOTE: This script was developed in a Windows XP environment. The file and directory paths it uses, as well as some of the external tools, require it to be run on Windows.
Download: syscombotln.zip – 1/31/2010 SHA1 – 7DDCC030E6D7EB4E2721777C6E9E2ACF3647224A
Usage: syscombotln.py [system name]
Notes: System Combo Timeline parses files placed in specific folders and generates a timeline file from each of them, either with code inside the script or by running an external tool that emits timeline output. The individual timelines are then combined into one.
- Windows Event Logs should be placed in the input_files\Event directory.
- Windows Registry hives should be placed in the input_files\Registry directory.
- Windows Scheduled Task logs should be placed in the input_files\ScheduledTasks directory. Because these logs record local time, the user is prompted for the time difference so the entries can be adjusted to UTC.
- File timelines in Sleuthkit (TSK) bodyfile or FTK Directory Listing format should be placed in the input_files\FileDirs directory.
- Timeline files that have already been converted to TLN format externally (e.g., output generated by TLN.enscript) can be placed in the output directory; they are automatically added to the combined timeline.
File Structure: Use the following file structure for input and output files.
syscombotln – primary directory
|__input_files – should only contain directories
| |__Event – Windows Event Log storage
| |__FileDirs – Timeline files in Sleuthkit bodyfile or
| | FTK DirList format
| |__Registry – Windows Registry files storage
| |__ScheduledTasks – Windows Scheduled Task Logs
| |__SetupAPI – Windows XP Device, Service Pack, and Hotfix Installation Logs
|__output – output location for individual and combined TLN files.
| TLN-based files generated by other means can be placed here
| as well for processing with the generated TLN files.
|__scripts – will contain programs and scripts to process files
| |__plugins – RegRipper plugins
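The combining step described in the notes above, as an added illustration written for this page (it is not the syscombotln script's own code): each per-artifact TLN file is read, any file whose source recorded local time is shifted to UTC by the offset the script prompts for, and the records are merged and sorted by time. It assumes the five-field TLN layout (epoch|source|host|user|description), that the individual files in the output directory are plain .txt files, and that the combined file is named combined_tln.txt; the sample records are constructed for the example and are not real case data.

```python
import os
from datetime import datetime, timezone

# Constructed sample TLN files (not real case data). Field order is
# Time|Source|Host|User|Description with Time as a Unix epoch in UTC.
SAMPLE_EVT = """\
1264899600|EVT|WINXP-01|-|Security/528;Success;Successful Logon: User Name: admin
1264903200|EVT|WINXP-01|-|System/7035;Info;The Telnet service was sent a start control
"""
SAMPLE_REG = """\

1264901400|REG|WINXP-01|-|M... HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
this line is not TLN and is skipped
"""
# A scheduled-task log parsed with its local (EST, UTC-5) time left as-is:
# 1/30/2010 10:00 PM local is 2010-01-31 03:00 UTC, so the epoch is 5 h short.
SAMPLE_SCHED_LOCAL = """\
1264888800|SCHED|WINXP-01|-|"update.job" (update.exe) Finished 1/30/2010 10:00:00 PM
"""


def parse_tln_line(line):
    """Parse one TLN record; return None for blank or non-TLN lines."""
    fields = line.rstrip("\r\n").split("|", 4)  # description may contain '|'
    if len(fields) != 5 or not fields[0].isdigit():
        return None
    return (int(fields[0]), fields[1], fields[2], fields[3], fields[4])


def adjust_to_utc(epoch_local, utc_offset_hours):
    """Shift a timestamp recorded in local time to UTC.
    utc_offset_hours is the zone's offset from UTC (EST = -5)."""
    return epoch_local - int(utc_offset_hours * 3600)


def load_tln(lines, utc_offset_hours=0):
    """Read TLN records from an iterable of lines, normalizing to UTC if asked."""
    events = []
    for line in lines:
        ev = parse_tln_line(line)
        if ev is None:
            continue
        if utc_offset_hours:
            ev = (adjust_to_utc(ev[0], utc_offset_hours),) + ev[1:]
        events.append(ev)
    return events


def combine_tln(event_lists):
    """Merge per-artifact event lists into one timeline, oldest first."""
    merged = [e for lst in event_lists for e in lst]
    merged.sort(key=lambda e: (e[0], e[1], e[4]))
    return merged


def to_tln_line(ev):
    """Re-emit a record in TLN form for the combined file."""
    return "%d|%s|%s|%s|%s" % ev


def to_readable(ev):
    """Human-readable rendering with the epoch expanded to UTC."""
    ts = datetime.fromtimestamp(ev[0], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return "%s Z  %-5s %-9s %-4s %s" % (ts, ev[1], ev[2], ev[3], ev[4])


def combine_output_dir(output_dir, local_offsets=None, combined_name="combined_tln.txt"):
    """Combine every .txt TLN file in output_dir (assumed syscombotln layout).
    local_offsets maps a file name to its UTC offset in hours."""
    local_offsets = local_offsets or {}
    lists = []
    for name in sorted(os.listdir(output_dir)):
        if name == combined_name or not name.lower().endswith(".txt"):
            continue
        with open(os.path.join(output_dir, name), encoding="utf-8", errors="replace") as fh:
            lists.append(load_tln(fh, local_offsets.get(name, 0)))
    return combine_tln(lists)


def sample_combined():
    """Merge the constructed samples, fixing the scheduled-task log to UTC."""
    return combine_tln([
        load_tln(SAMPLE_EVT.splitlines()),
        load_tln(SAMPLE_REG.splitlines()),
        load_tln(SAMPLE_SCHED_LOCAL.splitlines(), utc_offset_hours=-5),
    ])


if __name__ == "__main__":
    for ev in sample_combined():
        print(to_readable(ev))
```

Without the offset the scheduled-task entry would sort first, five hours before the logon it actually followed; apply the adjustment only to sources that were parsed in local time, since evtparse.pl and the regtln plugin already emit UTC epochs.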
To Do:
- Make the script modular so that others can write plugins to add new functionality
- Convert all external tool functionality to internal processing
- Requested modules
  - Internet Explorer history – maybe using Mandiant's Web Historian? This can also be accomplished by mounting the DAT files in EnCase before creating the TLN
- TELL ME, SHOW ME, FEED ME
Tools: The following external tools are used by System Combo Timeline.
- rip.pl – RegRipper, run with the regtln plugin to emit Registry data in TLN format. Included with the permission of Harlan Carvey.
- evtparse.pl – Parses any Windows Event Log file and outputs it in TLN format. Included with the permission of Harlan Carvey.