Create a Super Timeline with TACTICAL/IREC Triage Image

Vikas Singh
12 min read · Sep 19, 2021

Introduction

In this short blog, I’ll demonstrate how you can create a Super Timeline using a forensic triage image created with a tool called IREC/TACTICAL.

Something bad has happened on a critical machine of yours. Unfortunately, monitoring tools such as Sysmon, EDR etc. were not installed. But you know for a fact that a threat actor logged on to the machine. You have a gut feeling that the machine crashing and behaving erratically is related to suspicious activity spotted on the rest of the network. How do you proceed? Do you selectively check artifact after artifact until you give up? How about you give a Super Timeline a chance?

Before we begin, let me quickly walk you through the technical terms.

Super Timeline: Think of it as a motherlode of events put together in sequential order, which helps us identify what happened on a system of interest before, during or after a crucial action took place.

The action (also called a pivot point) could be anything you deem suspicious in nature and that warrants further investigation. To list a few:

  • a malware being detected.
  • attempts of unauthorized login.
  • attempts to exfiltrate sensitive data.
  • unauthorized software being installed.

Log2Timeline: Also called plaso, this software is used to create timelines. You can literally throw entire disk images at it and it will parse them (process them into meaningful information) for you! It is an extensive framework and difficult to get your head around in one go, so I’ll ensure this walkthrough helps you at least get started without (hopefully) any errors.

IREC/TACTICAL (by Binalyze): For experienced DFIR professionals, think of it as CyLR on steroids. Imaging a whole disk is not always practical while responding to a critical incident, where speed takes precedence in order to minimize the ongoing damage. Hence, we choose a utility which can extract only those evidence types that can answer our questions quickly. TACTICAL is a brilliant piece of software which collects >120 evidence types from a live machine.

To list a few evidence types:

  • Prefetch: Helps us answer which programs executed on the machine.
  • $MFT, $UsnJrnl & $LogFile: Helps us identify files and folders on that machine. Were there any files created/deleted/modified by a threat actor?
  • EVTX: Windows Events Log files require no introduction. In the absence of centralized logging, locally present EVTX files are of value to an investigation.

I would like to highlight that this blog can also be used in conjunction with any Forensic Collector [like our old friend CyLR] which collects them into a .E01, .VHD or even a DIR structure as shown below:

TreeFileSize for the win!

Acquiring a Forensic Image

TACTICAL can be run in a variety of ways as explained in their Command Line Options. We are going to skip the default profile and go with my custom one which has proved to be the most useful in the field while defending a network during an incident.

TACTICAL-2.7.0.exe --offline --license [Your License Number] --profile custom -clp -rbi -dri -pri -scr -avi -mbr -chst -fhst -ihst -ehst -mftcsv -mft -ntfslog -usnjrn -hiv -arpt -hosts -evt -evtx -wmiasc -wmicec -pf -adb -amc -rfc -adl -apcl -crtnh -srch -tml -evryh -flz --no-wait --case-dir "C:\Tactical_Output"

Explanation of Evidence Types

Note: But Vikas, memory image? pagefile.sys? hiberfil.sys? VSS snapshots? You’re treading on a landmine here. Without a doubt each one of them has events of forensic value, but you have to decide on a case-by-case basis whether it’s necessary. It’s a significant tradeoff: collecting them costs time, and the ability to respond to an incident in time matters. I’ll give you a small example to get started with.

[Need for Speed] An example: our beloved ransomware attack. Ransomware operators follow a fire-and-forget model, with some cases as exceptions where they steal your data and persist in your network via backdoors to further press their demands. If the ransomware execution tripped some alarms while encrypting, speed is of value to mitigate damage. A quick triage image will do wonders for you.

[Data Leakage] An example: If an employee is suspected of stealing sensitive documents and uploading them to the dark web, speed isn’t of much value here; accuracy is. You can definitely take some time and collect a memory image, pagefile.sys, hiberfil.sys and even VSS snapshots to look back in time and be sure of their actions.

The output of the above command is an encrypted EPPC file which needs to be transferred over to the analyst’s machine and decrypted using this command:

TACTICAL-2.7.0.exe --decrypt --license [Your License Number] --case-path "C:\Cases\TrashPanda Associates\20210919115601-DESKTOP-IKAI50S.eppc" --output-dir "C:\Cases\TrashPanda Associates\Acquisitions Decrypted"

At this point I am unsure about the tool’s ability to export the evidence to a ZIP, VHDX etc.

After a successful decryption, the contents would look similar to below:

The tool automatically parses various artifacts for you, such as:

  • Prefetch [Evidence of execution]
  • AmCache [Evidence of execution]
  • Contents of Recycle Bin [Evidence of file deletion]
  • Browser History [Evidence of URL visits]
  • Contents of the MFT parsed into a CSV file [Evidence of file modification]

See the case from an eagle’s-eye view with Case.html:

The automatic parsing is extremely helpful for an analyst to quickly determine what transpired on a machine.

Let’s dig deeper and build ourselves a Super Timeline!

Timeline — Setting up the Environment

On Windows

We can use plaso-20191203 off-the-shelf which contains pre-compiled binaries! Don’t get too excited, it has its own share of flaws primarily because it was compiled for Windows.

Simply unzip the contents to a suitable location:

“Correct we are no longer providing the PyInstaller packaged Windows builds.” — Source

The plaso-20191203 release is the last “official” Windows release and is heavily out of date. You may well encounter problems while processing artifacts in future. It’s recommended you either use Docker or a Linux box to create Super Timelines. Getting deeper into the installation would be out of scope here, but if there’s even a single request — I’ll branch off another blog.

On Linux

On Ubuntu Desktop 20.04.3 LTS, Python 3.8.10 is installed by default, which is a prerequisite.

To install Log2timeline, run these commands in a Terminal window:

sudo add-apt-repository ppa:gift/stable
sudo apt-get update
sudo apt-get install plaso-tools

Creating a Super Timeline

I highly recommend using Linux to create Super Timelines but for the purpose of demonstration and ease, we’ll use the Windows release here. Linux enthusiasts, I have something for you in the later part of this blog.

In its simplest form, it’s a two-step process (with an optional third step):

  1. Using log2timeline, create the plaso.dump [container file for all your events] from your image file (a DIR, E01 etc.)
  2. Using psort, export the contents of plaso.dump into a CSV.
  3. OPTIONAL: Using grep, eliminate as much noise as possible.

Option 1: Without inclusion of MFT entries [Comparatively faster]

NTFS’ $MFT keeps a record of each and every file present on the particular partition. Remember that we’re talking about a huge amount of data here. It’s not always fruitful to parse and include a list of all the files/folders in our Super Timeline.

An example: A threat actor used PsExec on the DC to install ScreenConnect on 10 machines on the network to have multiple ways of persisting in a network. A better candidate to parse and include the $MFT entries would be the DC, and not any of the 10 machines, unless you have interesting evidence/activity happening on them.

log2timeline.exe -z UTC --status_view window --parsers "win7,!filestat" "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\Plaso Dump\plaso.dump" "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\20210919115601-DESKTOP-IKAI50S\Content\C"

Explanation:

-z UTC : Log2timeline defaults to UTC while exporting, but you can set a specific timezone using this switch.
--status_view window : An optional argument which displays events being parsed in real time.
--parsers "win7,!filestat" : Parsers extract events from the content of a file. You can find a little more explanation after this section.
"C:\Cases\TrashPanda Associates\Acquisitions Decrypted\Plaso Dump\plaso.dump" : Dumps the extracted events into a "container" file. After that, we can manipulate the container in whichever way we like. One of those ways: you guessed it right - EXTRACTING THEM TO A CSV!
"C:\Cases\TrashPanda Associates\Acquisitions Decrypted\20210919115601-DESKTOP-IKAI50S\Content\C" : This is the source from which log2timeline is supposed to read the information. You can also specify a full disk image such as an .E01 or .dd file. In our case, we're pointing the tool at the base directory which was the C drive of our acquisition.

Selection of Parsers:

A Complete List of Parsers can be found here. For our demonstration we have:

1. Selected a preset collection of parsers called win7, which consists of these parsers (saves us the trouble of listing each of them individually):

custom_destinations, esedb/file_history, olecf/olecf_automatic_destinations, recycle_bin, winevtx, win_gen

Because it’s easier to understand with graphics, am I right?

2. Excluded filestat with a “!”. The filestat parser simply extracts the timestamps of the files which log2timeline parses (the file contents of the triage image). It does not parse the MFT to extract timestamps of all files that were on the subject file system. It’s a personal choice whether you want to include this plugin; however, I recommend parsing the MFT if you want a more complete picture.

If everything goes well, this is what the tool looks like in action:

COLLECT ALL THE EVENTS!

After the tool finishes, a general practice which I follow is to take a peek into the plaso.dump file using pinfo to confirm the tool was successful.

pinfo.exe "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\Plaso Dump\plaso.dump"

--SNIPPET--
***********Session: a2fdfc43-e3d5-439f-b54a-6ab4830764e1 **********
Start time : 2021-09-19T07:33:30.680969Z
Completion time : 2021-09-19T07:36:15.418573Z
Product name : plaso
Product version : 20191203
Command line arguments : [Omitted for better reading]
****************Events generated per parser ************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------
appcompatcache : 825
bagmru : 147
bam : 35
chrome_27_history : 61
explorer_mountpoints2 : 5
explorer_programscache : 2
mrulist_string : 14
mrulistex_shell_item_list : 7
mrulistex_string : 10
mrulistex_string_and_shell_item : 9
mrulistex_string_and_shell_item_list : 1
msie_zone : 54
networks : 2
prefetch : 1005
shell_items : 465
userassist : 115
windows_boot_execute : 2
windows_run : 10
windows_sam_users : 9
windows_services : 657
windows_shutdown : 1
windows_task_cache : 623
windows_timezone : 1
windows_typed_urls : 3
windows_usb_devices : 6
windows_version : 4
winevtx : 215955
winlogon : 4
winreg_default : 373796
Total : 593828
--------------------------------------------------------------------
--SNIPPET--

Now that we have a successful plaso.dump, the final step is to export the events to a human-readable CSV.

psort.exe -z "UTC" -o L2tcsv "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\Plaso Dump\plaso.dump" -w "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\Timeline\plaso.csv"

Explanation:

-o L2tcsv : Output events to log2timeline.pl legacy CSV format
-w : Where to write the CSV

If all goes well (stressing on this phrase because our demo is based on a Microsoft Windows OS where things go awfully wrong performing the simplest of actions), the tool should finish without any errors, giving us a nice CSV file.

OPTIONAL: You can reduce the noise using grep. This utility is not present in Windows so I quickly performed this on a Linux box. You can always install Windows Subsystem for Linux which is pretty nifty for operations like this.

grep -a -v -i -f '/home/vikas/Desktop/Demo/Timeline Export/timeline_noise.txt' '/home/vikas/Desktop/Demo/Timeline Export/plaso.csv' > '/home/vikas/Desktop/Demo/Timeline Export/supertimeline.csv'

At its very simplest, the contents of timeline_noise.txt:

Content.IE5
Temporary\ Internet\ Files
IETldCache
PrivacIE
ACPI
MSIE\ Cache\ File
\(\$FILE\_NAME\)
THREAD
DLL\ LOADTIME

NOTE: Please ensure there are NO blank rows, otherwise your exported CSV would come out blank (an empty pattern matches every line, so grep -v discards them all). Don't ask me how I know this.

See for yourself!
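To show what the two steps hand you and what the noise step actually does, here is an added Python example (not from the post, and not plaso's own code) that reads the L2tcsv column layout psort writes, applies a noise list as case-insensitive substrings, guards against the blank-line pitfall from the NOTE above, and cuts a window of events around a pivot point. The CSV rows are constructed sample data; only the column names are plaso's.

```python
import csv
import io
from datetime import datetime, timedelta

# Column order of the legacy log2timeline CSV written by "psort -o L2tcsv".
L2TCSV_FIELDS = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
                 "short,desc,version,filename,inode,notes,format,extra").split(",")

# Constructed sample rows (not from the post's acquisition), UTC as exported with -z UTC; row 3 is noise.
SAMPLE_CSV = "\n".join([
    ",".join(L2TCSV_FIELDS),
    "09/19/2021,07:20:11,UTC,M...,LOG,WinEVTX,Content Modification Time,-,DESKTOP-IKAI50S,"
    "[4624 / 0x1210] Logon,-,2,TSK:/C/Windows/System32/winevt/Logs/Security.evtx,0,-,winevtx,-",
    "09/19/2021,07:22:40,UTC,...B,FILE,NTFS USN change,Creation Time,-,DESKTOP-IKAI50S,"
    "C:\\Users\\Public\\r.exe,USN_REASON_FILE_CREATE,2,TSK:/C/$Extend/$UsnJrnl,0,-,usnjrnl,-",
    "09/19/2021,07:22:41,UTC,..C.,FILE,NTFS file stat,Metadata Modification Time,-,DESKTOP-IKAI50S,"
    "Content.IE5\\index.dat ($FILE_NAME),-,2,TSK:/C/$MFT,0,-,mft,-",
    "09/19/2021,07:23:05,UTC,M...,REG,Registry Key,Content Modification Time,-,DESKTOP-IKAI50S,"
    "[HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run] updater: C:\\Users\\Public\\r.exe,"
    "-,2,TSK:/C/Windows/System32/config/SOFTWARE,0,-,winreg/windows_run,-",
    "09/19/2021,09:45:00,UTC,M...,LOG,WinEVTX,Content Modification Time,-,DESKTOP-IKAI50S,"
    "[1074] Shutdown,-,2,TSK:/C/Windows/System32/winevt/Logs/System.evtx,0,-,winevtx,-",
])

# Plain substrings (grep -i -F style), not the BRE patterns of the post's timeline_noise.txt;
# the deliberate blank line reproduces the empty-CSV pitfall.
NOISE_PATTERNS = "Content.IE5\nTemporary Internet Files\nIETldCache\n\n($FILE_NAME)\n"

def load_noise(text):
    """Non-blank, lower-cased patterns; a blank line would match every row and empty the timeline."""
    return [p.strip().lower() for p in text.splitlines() if p.strip()]

def parse_l2tcsv(text):
    """Read L2tcsv rows and attach a datetime built from the date and time columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows

def is_noise(row, patterns):
    """Match case-insensitively against the whole row, as grep -i does on the CSV line."""
    line = ",".join(row[f] for f in L2TCSV_FIELDS).lower()
    return any(p in line for p in patterns)

def super_timeline(csv_text, noise_text, pivot, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Noise-reduced events inside [pivot - before, pivot + after], oldest first."""
    patterns = load_noise(noise_text)
    rows = [r for r in parse_l2tcsv(csv_text)
            if not is_noise(r, patterns) and pivot - before <= r["_ts"] <= pivot + after]
    return sorted(rows, key=lambda r: r["_ts"])

def demo():
    """Run the sample, pivoting on the constructed creation of r.exe in a user-writable folder."""
    return super_timeline(SAMPLE_CSV, NOISE_PATTERNS, datetime(2021, 9, 19, 7, 22, 40))
```

On a real export, read plaso.csv from disk instead of SAMPLE_CSV and pass the noise file's contents as noise_text; the row dictionaries can be written back out with csv.DictWriter for Timeline Explorer.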

Opening the Super Timeline in Eric Zimmerman’s Timeline Explorer:

someone’s been naughty!

How beautiful is that? Instead of looking here and there, hopping across various artifacts, you are presented with a unified dashboard of (almost) everything that transpired on a machine of interest!

Note: No, this is obviously not scale-friendly. But there are always a few very interesting systems during/after an attack which warrant an extensive investigation. For example, a threat actor accessed the TrashPanda Associates CEO’s workstation over RDP and attempted to steal sensitive information. In this case you would like to be absolutely sure about the TA’s actions. Enter Super Timeline!

Option 2A: With inclusion of MFT entries

You would want to parse the $MFT file to gain insight into what files/folders were present on the system at the time of evidence collection.

An example: A threat actor dropping a backdoor in \system32\ DIR and backdating the executable creation/modification time to blend in. A careful examination of the $MFT report might give it away!

For an in-depth analysis of the file-system, it’s recommended to parse other NTFS artifacts such as $UsnJrnl and $LogFile.

An example: A threat actor archiving sensitive data into a file and subsequently deleting it from disk won’t pop up in your parsed $MFT report. If the data hasn’t rolled over, it will be visible in the $UsnJrnl report!

For this demo we’ll be using a Linux box. Can I get a sudo-555?

Provided you’ve followed the instructions in “Timeline — Setting up the Environment”, the below command should execute without any errors:

log2timeline.py -z UTC --status_view window --parsers 'win7,mft,!filestat' --storage-file '/home/vikas/Desktop/Demo/Plaso Dump/plaso.dump' '/home/vikas/Desktop/Demo/Triage Image/20210919115601-DESKTOP-IKAI50S/Content/C'

Explanation:

--storage-file : location to store the Plaso Dump file
--parsers 'win7,mft,!filestat' : Notice we included the mft parser here in addition to the other two.

A quick confirmation using pinfo.py confirms that MFT entries were parsed as well!

****************Events generated per parser ************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------
amcache : 569
appcompatcache : 825
bagmru : 147
bam : 35
chrome_27_history : 68
explorer_mountpoints2 : 5
explorer_programscache : 1
mft : 5504631
mrulist_string : 14
mrulistex_shell_item_list : 7
mrulistex_string : 10

Let’s extract the timeline CSV:

psort.py --output_time_zone "UTC" -o L2tcsv '/home/vikas/Desktop/Demo/Plaso Dump/plaso.dump' -w '/home/vikas/Desktop/Demo/Timeline Export/plaso.csv'

Explanation:

--output_time_zone "UTC" : The -z argument is not supported by psort. This is one of the many tiny differences you'll come across while dealing with Plaso/Log2timeline releases specific to Linux and Windows.

After a year or so when the tool completes, reduce the noise using grep as demonstrated earlier. In the final Timeline CSV, we now have an extra and very useful artifact called NTFS file stat which is a result of parsing the $MFT file:

A cleaner view of a sample NTFS file stat entry

NOTE: $MFT will track only the files which are present on the disk and not permanently deleted. Parsing the $UsnJrnl file is recommended if you suspect that the threat actor might have permanently deleted some files. This is a little out of scope for this blog.

[Hidden] Option 2B: The EricZimmerman Way

Although log2timeline has an in-built MFT parser, I personally prefer:

  1. Export the MFT bodyfile using MFTECmd
  2. Import the generated bodyfile into plaso.dump
  3. Use psort to export a CSV
  4. Reduce the noise using grep

A quick run-down of the commands:

On Windows [Exporting the MFT Bodyfile]

MFTECmd.exe -f "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\20210919115601-DESKTOP-IKAI50S\Content\C\$MFT" --body "C:\Cases\TrashPanda Associates\Acquisitions Decrypted\20210919115601-DESKTOP-IKAI50S\Content\C" --bdl C

On Linux [Dumping the plaso dump file]

log2timeline.py -z UTC --status_view window --parsers 'win7,!filestat' --storage-file '/home/vikas/Desktop/Demo/TheEricZWay/plaso.dump' '/home/vikas/Desktop/Demo/Triage Image/20210919115601-DESKTOP-IKAI50S/Content/C'

[Adding EricZ's MFTECmd Bodyfile using mactime]

log2timeline.py -z UTC --status_view window --parsers "mactime" --storage_file '/home/vikas/Desktop/Demo/TheEricZWay/plaso.dump' '/home/vikas/Desktop/Demo/TheEricZWay/20210919094524_MFTECmd_$MFT_Output.body' --log-file='/home/vikas/Desktop/Demo/TheEricZWay/SomeLogging.log.gz' --debug

[Finally using psort.py to output CSV]

psort.py --output_time_zone "UTC" -o L2tcsv '/home/vikas/Desktop/Demo/TheEricZWay/plaso.dump' -w '/home/vikas/Desktop/Demo/TheEricZWay/plaso.csv'

[Cutting down the noise]

grep -a -v -i -f '/home/vikas/Desktop/Demo/TheEricZWay/timeline_noise.txt' '/home/vikas/Desktop/Demo/TheEricZWay/plaso.csv' > '/home/vikas/Desktop/Demo/TheEricZWay/supertimeline.csv'

Why?

Reason 1: Size

Using Log2timeline's MFT Parser:
2.5 GB : plaso.csv
1.3 GB : supertimeline.csv (after reducing the noise)

Compared to..

Using MFTECmd's MFT Bodyfile:
1.7 GB : plaso.csv
916 MB : supertimeline.csv (after reducing the noise)

Yes, this is a demo which utilizes a not-so-busy workstation and the difference in size is not exactly noticeable, but the real-world statistics are in favor of the EZ way.

Reason 2: Cleanliness/Legibility

Using Log2timeline’s MFT Parser, the NTFS File Stat isn’t exactly readable at first glance. The data is still in there and you can filter it just fine.

But EZ takes the cake.

Well that was quick!

I hope Google returns this blog as a search result for budding DFIR professionals. I hope even more strongly that they learn and, while doing so, get stuck and find the answers themselves. I would appreciate any/all feedback & corrections.

Twitter: @vikas891

E-Mail: vikas891@gmail.com

Vikas Singh

I am an Information Security professional working with Sophos. Writing doesn't come naturally to me but I had to start somewhere.