conversational forensics". You enthusiastically tell them about all the amazing artifacts you have found in your timeline, and then use this great opportunity to ask them some really hard questions. The conversation takes a turn to hands on the keyboard as your boss looks over your shoulder...
Your boss asks "pull up those 64 files on the screen that are highlighted as red in your timeline." There is an awkward pause in the conversation as you realize you forgot your EnCase dongle at home. Next you feel your hands getting sweaty as you know you don't have SIFT installed either. Just before you start crying in fear of humiliation, you remember that imdisk, a free image mounting utility, is installed on your computer.
As you take a deep breath of air and regain your composure you're able to quickly mount the DD image in read-only mode. You start digging through the file system for the 64 files... Minutes go by and you finally find the first file. At this point you realize this process of looking up file paths in your timeline and opening files is a manual and time consuming effort... but you continue on because there is no way of automatically tying items in your timeline to logical files in the mounted disk image (even if you did have SIFT, EnCase, or some other fancy tool).
30 mins go by and you're still looking for the last few files... You notice your boss's eyes are starting to close. The next thing you know he's sleeping in his chair. He wakes up 15 mins later and says he had this dream that Dav Nads came up with this idea on how to mesh timelines, kittens, and data from hard disk images all together... and he was right... well at least not about the kittens part :-)
I hope you enjoyed my made up story. I am on vacation this week and REALLY bored without any DFIR going on. Lol. Anyways...
As alluded to in Timeline Analysis: The Hybrid Approach there are many approaches to creating timeline data. Some prefer a "targeted" approach which only presents specific artifacts on a timeline and others prefer a more "kitchen sink" approach where many artifacts are presented.
Regardless of your flavor, when it comes to reviewing timelines, I am sure you, like me, find yourself jumping between reviewing timelines (e.g. Excel, l2t_Review) and forensic applications. A few reasons I personally do this are to:
- Gain a better understanding of the artifacts displayed in my timeline
- Confirm the accuracy of my timeline data
- Look at the contents of a file
So extending on Timeline Analysis - What's missing & What's coming I decided to brainstorm ideas to address this frustration:
- Timelines contain file name and full path information of the source artifact - this is good!
- You can mount disk images easily with imdisk or ftkimager - okay now I have access to the data where the source artifacts are stored
- The absolute path/ drive letter (e.g. C:\windows) in the timeline will not typically match that of your mounted disk image (e.g. E:\) - Easy enough to hack a fix with some Python
My next challenge was to determine a means to review files... Initially it occurred to me I could open files with their default viewer but as Corey Harrell (@corey_harrell) pointed out that's not such a good idea because then you're exposed to client-side exploits tied to specific vulnerabilities in apps!
So I started searching for an open source Python based review module and came up dry. However I did come across a REALLY cool Windows-based application called Universal Viewer that supports a slew of file types and modes including native, text, binary, and hex!
So as you can imagine I incorporated all of these ideas into the Windows version (working on equivalent capability in other OS versions) of my l2t_R tool!!
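To show the two pieces described above in working code, here is an added example (my own illustration, not l2t_Review's code or Universal Viewer's): remapping a timeline path such as C:\Windows\... onto whatever drive letter the mounted image received, and previewing the target as a read-only hex dump instead of handing it to its default application. The function names, the E: mount letter and the sample bytes are all constructed for the example.

```python
"""Added example: map timeline paths onto a mounted image and preview the
target as hex. Not part of l2t_Review; drive letters and sample bytes are
constructed for illustration."""
from pathlib import PureWindowsPath


def remap_timeline_path(timeline_path: str, mount_root: str,
                        source_root: str = "C:\\") -> str:
    """Translate a path as recorded in the timeline (e.g. C:\\Windows\\...)
    to the same file under the mounted image (e.g. E:\\Windows\\...).

    PureWindowsPath is used so the logic runs on any OS and accepts both
    backslash and forward-slash separators. The drive/root comparison is
    case-insensitive because timeline tools are not consistent about case.
    """
    src = PureWindowsPath(timeline_path)
    root = PureWindowsPath(source_root)
    src_parts = [p.lower() for p in src.parts]
    root_parts = [p.lower() for p in root.parts]
    if src_parts[:len(root_parts)] != root_parts:
        raise ValueError(f"{timeline_path!r} is not under {source_root!r}")
    relative = src.parts[len(root_parts):]          # original case preserved
    return str(PureWindowsPath(mount_root).joinpath(*relative))


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes as classic offset / hex / ASCII lines. Non-printable
    bytes become '.', so nothing in the file is interpreted or rendered."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  {ascii_part}")
    return lines


def preview_file(path: str, max_bytes: int = 256) -> list[str]:
    """Open the remapped file in binary read-only mode and hex-dump its
    first bytes. This never launches the file's registered handler, which
    is the point raised about client-side exploits above."""
    with open(path, "rb") as fh:
        return hexdump(fh.read(max_bytes))


# Constructed sample: the first 8 bytes of a typical PE header.
SAMPLE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"


if __name__ == "__main__":
    # Constructed timeline rows (paths only); E: is the assumed mount letter.
    rows = [r"C:\Windows\System32\cmd.exe",
            "c:/windows/prefetch/CMD.EXE-12345678.pf"]
    for row in rows:
        print(row, "->", remap_timeline_path(row, "E:\\"))
    for line in hexdump(SAMPLE_HEADER):
        print(line)
```

Before launching any viewer on the remapped path, check that it actually exists on the mounted volume (os.path.exists); a row whose source was a deleted or carved file will remap cleanly but point at nothing.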
Just three simple steps:
1.) Mount disk image with tool of choice (e.g. imdisk, ftkimager, encase)
2.) Specify in l2t_Review what drive letter is assigned to the mounted disk image
|Select mounted image path|
3.) The File Viewer is automatically opened with the file. You can change the default view mode (native, hex, text, etc.) using settings. You can also specify in settings whether you want multiple instances of the file viewer to be opened simultaneously or not. So every time you open a new file it will either open it in the same instance or a new instance.
|File displayed in viewer in Hex mode. Can also view natively|