Thursday, July 25, 2013

New weapon, Emailtime!


I often rely on timelines to tell the story. However it’s imperative to understand how the story was constructed to do this effectively.

Thanks to tools like log2timeline and plaso it’s easy to create timelines! Like any tool it’s helpful to understand how these work.  I am not implying you need to start brogramming, but you should at least learn the capabilities of the tools. This primarily requires understanding what input modules or parsers are available (and how they are invoked). If you’re relying strictly on timelines for analysis this knowledge should enable you to understand if the "entire story” is being told.

For instance, according to the timeline below, on March 4, 2012 at 00:28:17, a Windows Application (McAfee) Event Log entry was created. The description of this event states “The Scan was unable to scan password protected file 2011-W2.zip\\2011-W2.pdf. Scan engine version used is 5400.1158 DAT version 6498.0000.”

  
Looking at the context of this event I don’t see any notable activity that could be contributable to the source of this event log entry. However, taking a step back from this timeline example, knowing what I am NOT seeing could equally important to what is shown…

According to a 2012 Trend Micro report, Spear-Phishing Email: Most Favored APT Attack Bait, “91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.” Thus adding e-mail as a source in a timeline might be insightful.

As displayed below, seconds before the event log was created, an e-mail was received. This e-mail contained the attachment “2011-W2.zip”.

Now you probably want to know how e-mail magically appeared in the timeline above? At the SANS #DFIRSummit I introduced a new cmdline tool called Emailtime. The purpose of the tool is to create log2timeline CSV format timelines of PST files.

The tool was written in Python and is packaged as an EXE for distribution. It requires you to download the Developers version of Redemption as a dependency first. Oh, and run the Redemption installer as Administrator.

Special thanks to Steve Gibson (@stevegibson) the ninja for helping pull this tool together. Note the tool is super ALPHA/BETA/WHATEVER so use at your own risk. We look forward to bug reports and feedback. I already have a short list of “to do” items including adding time zone offset and MSG support but didn’t want it to hold back releasing any further.


The usage of the tool is pretty simple:

Usage:
emailtime.exe -p -e -H -F -S

Additionally, as shown in the examples below it has some neat filtering capabilities. This allows you to target e-mails of relevance quicker based on e-mails that contain keywords, attachments, and/or hyperlinks.

Examples:

Export all emails:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer"

Filter emails with hyperlinks only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -F hyperlink

Filter emails with hyperlinks and attachments only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -F hyperlink attachments

Filter emails containing string evil only:
emailtime.exe -p "c:\outlook.pst" -e "c:\report\output.csv" -H "mycomputer" -S evil

Provided the output of Emailtime, a log2timeline CSV file, you can import it to a new 4n6time database for review (File > Create Database).  Alternatively, you can append it into an existing timeline database to overlay it with other timelines (File > Append Database).  



9 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. Hey Dave! You should ask Erik Kristensen to add this to the new 3.0 SIFT Kit, assuming Redemption will run under Linux.
    Thanks
    John

    ReplyDelete
    Replies
    1. Hey John, long time! Unfortunately it will only run under Windows :-(

      Delete
  3. It appears the url for download doesn't work. Is the program still available for download?

    ReplyDelete
    Replies
    1. For some reason I dont get notifications when people comment. Sorry I just saw this and think the link if fixed now. In the future don't ever hesitate to reach out to me directly at david.nides@gmail.com (twitter@davnads)

      Delete
  4. Hmm, I'm trying to visualize how this could affect something as complex as eDiscovery..

    ReplyDelete
    Replies
    1. Hopefully it puts FTI out of business!

      Delete
  5. Good Job, Thank you for presenting a wide variety of information that is very interesting to see in this artikle


    karimunjawa
    and furniture jepara
    or mebel jepara
    and tenun

    ReplyDelete