Creating a Timeline
The following plugins have the ability to output in Sleuthkit bodyfile format:
- mftparser
- shellbags
- timeliner
The output of these plugins can be combined in order to create a timeline of memory artifacts. Two of these plugins (mftparser and shellbags) are more specific in their output and only include the artifacts their names describe. The third plugin, timeliner, includes various artifacts such as:
- Processes
- Sockets
- Eventlogs (XP/2003 only)
- PE Timestamps (modules/DLLs/Processes)
- UserAssist
- ShimCache
- Registry LastWrite Timestamps (optional)
In order to create a timeline using all of the above plugins, use the following commands (the -R option adds the optional registry LastWrite timestamps to timeliner's output):
$ ./vol.py --plugins=contrib/plugins -f [sample] timeliner --output=body --output-file=timeliner.txt -R
$ ./vol.py -f [sample] mftparser -C --output=body --output-file=mft.txt
$ ./vol.py -f [sample] shellbags --output=body --output-file=shellbags.txt
Then you can put it all together:
$ cat timeliner.txt mft.txt shellbags.txt >> bodyfile.txt
$ mactime -b bodyfile.txt -d > mactime.txt
Analyzing an Example Timeline
We'll look at a generated timeline from a sample that was obtained from the Forensic Challenge for the GRRCon conference (http://t.co/m0JCvrnV) by Jack Crook (twitter: @jackcr, website: http://www.handlerdiaries.com/). There is also a previous writeup on our blog by MHL and Andrew: http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html
We are able to find the exploit file from the timeline by looking for prefetch entries of executables whose names look like documents (the [1] suffix is how Internet Explorer's cache names downloaded files):
$ grep -i ".pf" grrcon_mft | egrep -i '(doc|ppt|xls|pdf)' | grep -i exe
(FN) 0x14c42000|[MFT FILE_NAME] WINDOWS\Prefetch\SWING-MECHANICS.DOC[1].EXE-013CEA10.pf|12024|---a-------I---|0|0|512|1335578362|1335578362|1335578362|1335578362
Now we can search for events near when the exploit happened:
$ mactime -b grrcon_body.txt -d | less -I
To search within less, type:
/swing
Now we should see:
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT FILE_NAME] WINDOWS\Prefetch\SWING-MECHANICS.DOC[1].EXE-013CEA10.pf
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT FILE_NAME] WINDOWS\Prefetch\SWING-~1.PF
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT STD_INFO] WINDOWS\Prefetch\SWING-~1.PF
Fri Apr 27 2012 21:59:22,352,macb,---a-----------,0,0,12026,[MFT FILE_NAME] WINDOWS\system32\svchosts.exe
Fri Apr 27 2012 21:59:22,352,m..b,---a-----------,0,0,12026,[MFT STD_INFO] WINDOWS\system32\svchosts.exe
Fri Apr 27 2012 21:59:22,344,.a..,---a-----------,0,0,23251,[MFT STD_INFO] WINDOWS\system32\msvfw32.dll
Fri Apr 27 2012 21:59:22,352,.a..,---a-----------,0,0,479,[MFT STD_INFO] WINDOWS\system32\avicap32.dll
Note that svchosts.exe (with a trailing "s", mimicking the legitimate svchost.exe) is created in system32 in the same second the exploit's prefetch file appears. Scrolling down we see someone enumerating the network with ipconfig, net and ping:
Fri Apr 27 2012 21:59:49,488,mac.,---a-------I---,0,0,11854,[MFT STD_INFO] WINDOWS\Prefetch\IPCONF~1.PF
Fri Apr 27 2012 21:59:49,360,.a..,---a-----------,0,0,23434,[MFT STD_INFO] WINDOWS\system32\ipconfig.exe
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT FILE_NAME] WINDOWS\Prefetch\NETEXE~1.PF
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT STD_INFO] WINDOWS\Prefetch\NETEXE~1.PF
Fri Apr 27 2012 21:59:56,344,.a..,---a-----------,0,0,23222,[MFT STD_INFO] WINDOWS\system32\net.exe
Fri Apr 27 2012 22:00:06,344,.a..,---a-----------,0,0,23131,[MFT STD_INFO] WINDOWS\system32\ping.exe
And a bit below that we see the creation of a folder called "systems" under system32, followed by some new files inside it:
Fri Apr 27 2012 22:01:03,472,macb,-------------D-,0,0,12029,[MFT FILE_NAME] WINDOWS\system32\systems
Fri Apr 27 2012 22:01:03,472,...b,---------------,0,0,12029,[MFT STD_INFO] WINDOWS\system32\systems
Fri Apr 27 2012 22:01:03,832,m.c.,---------------,0,0,29,[MFT STD_INFO] WINDOWS\system32
Fri Apr 27 2012 22:01:07,832,.a..,---------------,0,0,29,[MFT STD_INFO] WINDOWS\system32
Fri Apr 27 2012 22:01:43,416,macb,---a-----------,0,0,12030,[MFT FILE_NAME] WINDOWS\system32\systems\f.txt
Fri Apr 27 2012 22:01:43,416,macb,---a-----------,0,0,12030,[MFT STD_INFO] WINDOWS\system32\systems\f.txt
Fri Apr 27 2012 22:01:54,368,macb,---a-----------,0,0,12031,[MFT FILE_NAME] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:01:54,368,m.cb,---a-----------,0,0,12031,[MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:02:05,368,macb,---a-----------,0,0,12032,[MFT FILE_NAME] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:05,368,...b,---a-----------,0,0,12032,[MFT STD_INFO] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:06,368,m...,---a-----------,0,0,12032,[MFT STD_INFO] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:17,368,macb,---a-----------,0,0,12033,[MFT FILE_NAME] WINDOWS\system32\systems\r.exe
Fri Apr 27 2012 22:02:17,368,m.cb,---a-----------,0,0,12033,[MFT STD_INFO] WINDOWS\system32\systems\r.exe
We can use this to `grep` for files in the “systems” folder:
$ grep -i systems grrcon_body.txt | grep -i exe | awk '{print $4}'
WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578558|1335578558|1335578558|1335578558
WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578559|1335578559|1335578559|1335578558
WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335578514|1335578514|1335578514|1335578514
WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335579014|1335578514|1335578514|1335578514
WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335578525|1335578525|1335578525|1335578525
WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335579196|1335578526|1335578698|1335578525
WINDOWS\system32\systems\r.exe|12033|---a-----------|0|0|368|1335578537|1335578537|1335578537|1335578537
WINDOWS\system32\systems\r.exe|12033|---a-----------|0|0|368|1335578939|1335578537|1335578537|1335578537
WINDOWS\system32\systems\sysmon.exe|12034|---a-----------|0|0|344|1335578546|1335578546|1335578546|1335578546
WINDOWS\system32\systems\sysmon.exe|12034|---a-----------|0|0|344|1335579140|1335578547|1335578547|1335578546
[snip]
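The awk '{print $4}' filter above strips the leading columns (the (SI)/(FN) tag and the [MFT ...] attribute name) and leaves the four timestamps as raw epoch values, which is hard to read. What follows is an added example, not code from the original post or from Volatility: it parses complete 11-column bodyfile lines, converts the timestamps to UTC, lists what was created under a directory, and flags MFT entries whose $STANDARD_INFORMATION creation time precedes the $FILE_NAME creation time (the usual sign that timestamps were reset through SetFileTime; a legitimate move onto the volume produces the same pattern, so treat hits as leads). The sample lines are the w.exe/g.exe/p.exe records from the listing above with the stripped prefix restored (the 0x0 offsets are placeholders), plus one constructed evil.dll record with a backdated $SI that is not from the image. Note also that 1335578514 is 2012-04-28 02:01:54 UTC, while the mactime output in this post shows 22:01:54 on Apr 27: mactime prints in the analyst's local time zone unless given -z.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sleuthkit bodyfile columns: md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# Volatility's mftparser puts the attribute tag and MFT record offset in the md5 column
# and prefixes the name with "[MFT STD_INFO]" or "[MFT FILE_NAME]".
TAG_RE = re.compile(r"^\[MFT (STD_INFO|FILE_NAME)\] (.+)$")

# Sample input: w.exe/g.exe/p.exe records from the listing above with the columns that
# awk '{print $4}' removed restored (0x0 offsets are placeholders). The last two lines
# are a CONSTRUCTED evil.dll record with a backdated $SI; they are not from the image.
SAMPLE = r"""
(FN) 0x0|[MFT FILE_NAME] WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578558|1335578558|1335578558|1335578558
(SI) 0x0|[MFT STD_INFO] WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578559|1335578559|1335578559|1335578558
(FN) 0x0|[MFT FILE_NAME] WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335578514|1335578514|1335578514|1335578514
(SI) 0x0|[MFT STD_INFO] WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335579014|1335578514|1335578514|1335578514
(FN) 0x0|[MFT FILE_NAME] WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335578525|1335578525|1335578525|1335578525
(SI) 0x0|[MFT STD_INFO] WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335579196|1335578526|1335578698|1335578525
(FN) 0x0|[MFT FILE_NAME] WINDOWS\system32\systems\evil.dll|99999|---a-----------|0|0|4096|1335578600|1335578600|1335578600|1335578600
(SI) 0x0|[MFT STD_INFO] WINDOWS\system32\systems\evil.dll|99999|---a-----------|0|0|4096|1000000000|1000000000|1335578600|1000000000
"""


def parse_bodyfile(text):
    """Return one dict per MFT timestamp record. Lines that are not 11 columns or
    carry no [MFT ...] tag (e.g. timeliner's [SOCKET] rows) are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        m = TAG_RE.match(fields[1])
        if not m:
            continue
        records.append({
            "attr": m.group(1),        # STD_INFO ($SI) or FILE_NAME ($FN)
            "path": m.group(2),
            "inode": int(fields[2]),   # MFT record number
            "mode": fields[3],
            "size": int(fields[6]),
            "atime": int(fields[7]),
            "mtime": int(fields[8]),
            "ctime": int(fields[9]),   # MFT entry modified
            "crtime": int(fields[10]), # created
        })
    return records


def utc(epoch):
    """Render an epoch value in UTC (mactime without -z uses the analyst's local zone)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def created_under(records, directory):
    """{path: created-UTC} for $FN records whose path lies under `directory` (case-insensitive)."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return {r["path"]: utc(r["crtime"]) for r in records
            if r["attr"] == "FILE_NAME" and r["path"].lower().startswith(prefix)}


def si_before_fn(records):
    """MFT entries whose $SI creation time predates the $FN creation time.
    $SI is what SetFileTime (and timestomping tools) rewrite; $FN is maintained by the
    kernel. A legitimate move onto the volume also yields SI < FN, so these are leads."""
    by_inode = defaultdict(dict)
    for r in records:
        by_inode[r["inode"]][r["attr"]] = r
    hits = []
    for inode, attrs in sorted(by_inode.items()):
        si, fn = attrs.get("STD_INFO"), attrs.get("FILE_NAME")
        if si and fn and si["crtime"] < fn["crtime"]:
            hits.append((inode, fn["path"], utc(si["crtime"]), utc(fn["crtime"])))
    return hits


if __name__ == "__main__":
    recs = parse_bodyfile(SAMPLE)
    staged = created_under(recs, r"WINDOWS\system32\systems")
    for path, when in sorted(staged.items(), key=lambda kv: kv[1]):
        print(when, path)
    for inode, path, si_cr, fn_cr in si_before_fn(recs):
        print("SI<FN  inode %d  %s  $SI created %s  $FN created %s" % (inode, path, si_cr, fn_cr))
```

Feed it the raw mft.txt bodyfile instead of SAMPLE to run the same checks over a whole image; timeliner's non-MFT rows are ignored by the tag check rather than mis-parsed.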
We have prefetch files that show that some of these executables ran, and their timestamps tell us when: on XP a .pf file is created shortly after an executable's first run and modified on later runs, so W.EXE-0A1E603F.pf being created at 22:03:03 and modified at 22:04:18 shows w.exe running at least twice:
Fri Apr 27 2012 22:03:03  472 macb ---a-------I--- 0 0 12035 [MFT FILE_NAME] WINDOWS\Prefetch\W.EXE-0A1E603F.pf
                          472 macb ---a-------I--- 0 0 12035 [MFT FILE_NAME] WINDOWS\Prefetch\WEXE-0~1.PF
                          472 ...b ---a-------I--- 0 0 12035 [MFT STD_INFO] WINDOWS\Prefetch\WEXE-0~1.PF
Fri Apr 27 2012 22:03:28  472 macb ---a-------I--- 0 0 12036 [MFT FILE_NAME] WINDOWS\Prefetch\G.EXE-24E91AA8.pf
                          472 macb ---a-------I--- 0 0 12036 [MFT FILE_NAME] WINDOWS\Prefetch\GEXE-2~1.PF
                          472 macb ---a-------I--- 0 0 12036 [MFT STD_INFO] WINDOWS\Prefetch\GEXE-2~1.PF
Fri Apr 27 2012 22:04:18  472 mac. ---a-------I--- 0 0 12035 [MFT STD_INFO] WINDOWS\Prefetch\WEXE-0~1.PF
Fri Apr 27 2012 22:05:03  472 macb ---a-------I--- 0 0 12040 [MFT FILE_NAME] WINDOWS\Prefetch\P.EXE-04500029.pf
                          472 macb ---a-------I--- 0 0 12040 [MFT FILE_NAME] WINDOWS\Prefetch\PEXE-0~1.PF
                          472 ...b ---a-------I--- 0 0 12040 [MFT STD_INFO] WINDOWS\Prefetch\PEXE-0~1.PF
Fri Apr 27 2012 22:08:46  608 mac. rh------------- 0 0 10850 [snip]
                          472 macb ---a-------I--- 0 0 12049 [MFT FILE_NAME] WINDOWS\Prefetch\R.EXE-19834F9B.pf
                          472 macb ---a-------I--- 0 0 12049 [MFT FILE_NAME] WINDOWS\Prefetch\REXE-1~1.PF
                          472 macb ---a-------I--- 0 0 12049 [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:09:01  472 mac. ---a-------I--- 0 0 12049 [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
[snip]
We can also confirm that these executables ran by recomputing the prefetch hash from each executable's full device path and checking that it matches the .pf file name. You can use a python script I wrote a while back for this (it prints the hash without leading zeros, so P.EXE-4500029 and W.EXE-A1E603F below correspond to the P.EXE-04500029.pf and W.EXE-0A1E603F.pf entries in the MFT listing):
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\r.exe"
R.EXE-19834F9B.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\p.exe"
P.EXE-4500029.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\w.exe"
W.EXE-A1E603F.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\g.exe"
G.EXE-24E91AA8.pf
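For reference, here is the hash computation itself, as an added example that is not the author's prefetch_hash.py: Windows XP/2003 hash the executable's full NT device path, uppercased, with the publicly documented SCCA function below (Vista and later use different functions, so this applies to XP/2003 images only). The name it builds zero-pads the hash to the eight hex digits Windows writes, the form the MFT listing shows, so it will not drop a leading zero the way the output above does.

```python
def xp_prefetch_hash(device_path):
    r"""SCCA hash behind the 8 hex digits of a Windows XP/2003 prefetch file name.
    Input is the executable's NT device path, e.g. \Device\HarddiskVolume1\...\r.exe.
    Windows hashes the uppercased UTF-16 path, so the case of the input does not matter.
    This is the publicly documented XP/2003 algorithm; Vista and later differ."""
    h = 0
    for ch in device_path.upper():        # ASCII path: one UTF-16 code unit per character
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:                     # interpret as signed 32-bit and take abs()
        h = 0x100000000 - h
    return h % 1000000007


def prefetch_name(device_path):
    """Expected .pf name: upper-cased EXE name, a dash, the hash as 8 zero-padded hex digits."""
    exe = device_path.rsplit("\\", 1)[-1].upper()
    return "%s-%08X.pf" % (exe, xp_prefetch_hash(device_path))


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:] or [r"\Device\HarddiskVolume1\WINDOWS\system32\systems\r.exe"]
    for p in paths:
        print(prefetch_name(p))
```

Run it with the four device paths above and compare with the names in the Prefetch directory; a mismatch means the .pf was produced by an executable at a different path (or on a different volume), not by the file you are looking at.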
We can see staging taking place here: a subfolder "1" is created under "systems" and documents are copied into it:
Fri Apr 27 2012 22:07:10,456,macb,-------------D-,0,0,12041,[MFT FILE_NAME] WINDOWS\system32\systems\1
Fri Apr 27 2012 22:07:10,456,...b,---------------,0,0,12041,[MFT STD_INFO] WINDOWS\system32\systems\1
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential3.pdf
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential4.pdf
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT FILE_NAME] WINDOWS\system32\systems\1\CO20EF~1.PDF
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF
We'll consider the exfiltration complete at the end of the file transfer; in this case it is an ftp connection, with ftp.exe being read and its prefetch file created shortly after a new socket appears:
Fri Apr 27 2012 22:10:14,0,macb,---------------,0,0,-1,[SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518
Fri Apr 27 2012 22:10:14,368,.a..,---a-----------,0,0,12031,[MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:11:03,344,.a..,---a-----------,0,0,1818,[MFT STD_INFO] WINDOWS\system32\drivers\etc\services
Fri Apr 27 2012 22:11:03,344,.a..,---a-----------,0,0,22706,[MFT STD_INFO] WINDOWS\system32\ftp.exe
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT FILE_NAME] WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT FILE_NAME] WINDOWS\Prefetch\FTPEXE~1.PF
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT STD_INFO] WINDOWS\Prefetch\FTPEXE~1.PF
The following documents, the ones staged into systems\1, were exfiltrated:
Fri Apr 27 2012 22:07:38  432 macb ---a----------- 0 0 12044 [MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~3.PDF
                          432 macb ---a----------- 0 0 12044 [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential3.pdf
                          432 macb ---a----------- 0 0 12044 [MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:44  432 macb ---a----------- 0 0 12045 [MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~4.PDF
                          432 macb ---a----------- 0 0 12045 [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential4.pdf
                          432 macb ---a----------- 0 0 12045 [MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:48  432 macb ---a----------- 0 0 12046 [MFT FILE_NAME] WINDOWS\system32\systems\1\CO20EF~1.PDF
                          432 macb ---a----------- 0 0 12046 [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
                          432 macb ---a----------- 0 0 12046 [MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF
It may be a little difficult to tell just from the timeline, but it looks like these files were compressed using RAR and ftp'd out: the WinRAR folder under the user's Application Data is created in the same second as r.exe's prefetch file (22:08:46), which suggests r.exe is a renamed RAR, and ftp.exe is read shortly afterwards at 22:11:03:
Fri Apr 27 2012 22:07:44  [snip]
                          432 macb ---a----------- 0 0 12046 [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
                          432 macb ---a----------- 0 0 12046 [MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF
Fri Apr 27 2012 22:08:46  608 mac. rh------------- 0 0 10850 [MFT STD_INFO] Documents and Settings\binge\APPLIC~1
                          344 macb -------------D- 0 0 12048 [MFT FILE_NAME] Documents and Settings\binge\Application Data\WinRAR
                          344 m.cb --------------- 0 0 12048 [MFT STD_INFO] Documents and Settings\binge\Application Data\WinRAR
                          472 macb ---a-------I--- 0 0 12049 [MFT FILE_NAME] WINDOWS\Prefetch\R.EXE-19834F9B.pf
                          472 macb ---a-------I--- 0 0 12049 [MFT FILE_NAME] WINDOWS\Prefetch\REXE-1~1.PF
                          472 macb ---a-------I--- 0 0 12049 [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:08:59  360 .a.. -hsa----------- 0 0 10905 [MFT STD_INFO] Documents and Settings\binge\Application Data\desktop.ini
                          368 .a.. ---a----------- 0 0 12033 [MFT STD_INFO] WINDOWS\system32\systems\r.exe
                          344 .a.. --------------- 0 0 12048 [MFT STD_INFO] Documents and Settings\binge\Application Data\WinRAR
Fri Apr 27 2012 22:09:01  472 mac. ---a-------I--- 0 0 12049 [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:10:14    0 macb --------------- 0 0 -1 [SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518
                          368 .a.. ---a----------- 0 0 12031 [MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:11:03  344 .a.. ---a----------- 0 0 1818 [MFT STD_INFO] WINDOWS\system32\drivers\etc\services
                          344 .a.. ---a----------- 0 0 22706 [MFT STD_INFO] WINDOWS\system32\ftp.exe
Fri Apr 27 2012 22:11:13  472 macb ---a-------I--- 0 0 12052 [MFT FILE_NAME] WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf
                          472 macb ---a-------I--- 0 0 12052 [MFT FILE_NAME] WINDOWS\Prefetch\FTPEXE~1.PF
                          472 macb ---a-------I--- 0 0 12052 [MFT STD_INFO] WINDOWS\Prefetch\FTPEXE~1.PF
Conclusion
As we can see, there is value in creating timelines from memory artifacts. In this case we can see when the attacker first got on the machine, when they ran various tools, when they took things from the machine and what they took. We hope you enjoyed this post and that you will find the timelining capability useful in your investigations! If you have any questions, please feel free to reach out to me by email or by twitter (@gleeda).