Incident Response - Filesystem Timeline Generation

There is no doubt that a well-generated and well-analysed timeline of events is key to understanding any intrusion. Building a timeline is a key skill for anyone working in Digital Forensics or Incident Response (DFIR).

The most basic method (and the one we all used to rely on until fairly recently) was for the investigator to copy/paste timestamps into a spreadsheet and then add some text explaining what happened. This definitely works well, but is the opposite of fast or efficient.

Speed and efficiency are so crucial in DFIR that you need to use tooling to generate timelines today. The difference is pretty stark. Instead of spending 2-3 hours to create a manual timeline, you can generate a filesystem timeline in a few minutes at most.

In this post, I will look at some of the common command line tools used to generate timelines. There are, as with most things, lots of other choices, but these tools are an excellent starting point. The main thing to remember is that your choice of tool is likely to be constrained by the filesystem you are analysing!

Note: Throughout this, I am going to assume you are analysing the output as a CSV and opening it in a tool such as Timeline Explorer. I will also assume you can install any tools you need.

Windows - NTFS Timelines

Using MFTECmd.exe and TSK

This is probably the best, and fastest, approach for NTFS timelines.

Requirements

• A copy of the MFT. This can be a full disk image or just a copy of the $MFT file itself (such as from a KAPE extract)
• Access to the mactime script from The Sleuth Kit (TSK)

Workflow

First, run mftecmd.exe against the $MFT to generate a "bodyfile". An example of the command line for this is: (assuming the evidence is the MFT for the C:\ drive of a target system)

MFTECmd.exe -f "\path\to\$MFT" --body "\path\to\outputfolder" --bodyf filename.body --blf --bdl C:        

In use, it will look something like this:

This will produce a "body" file timeline. Bodyfiles are a machine-readable timeline. We can use this as our "final" timeline but it isn't always the easiest thing to read - for example, the entries look like this:

To make life easier, we can convert this to a human-readable CSV document with the mactime command from The Sleuth Kit. The syntax is

mactime -z UTC -y -d -b /path/to/bodyfile STARTDATE..ENDDATE > /path/to/output/filesystem-timeline.csv        

The arguments used here are:

• -z The timezone from where the data was collected.
• -y Display datetimes in ISO8601 format.
• -d Display output in CSV format.
• -b location of the body file.
• STARTDATE and ENDDATE should be specified as YYYY-MM-DD..YYY-MM-DD.

In use, the output will look something like this.

Now you have a CSV version of the timeline, you can easily open it in Timeline Explorer and analyse away!

An alternative approach - The Sleuthkit Only

This actually takes about the same time to generate, however, it does require you to have a full disk image (E01, RAW, AFF). Collecting this can take a lot longer than a Triage collection of the $MFT.

Requirements

• A full disk image.
• Access to The Sleuth Kit
• This is probably best run from a Linux-based investigation host.

Workflow

The main change is that instead of using mftecmd.exe, you use fls to create the timeline. The command would be something similar to: (this example assumes you are running it from a Linux investigation system)

fls -r -m C: /path/to/evidence > /path/to/bodyfile        

(note: there is a space between the drive letter - C: here - and the start of the path)

Once you have built the bodyfile, you convert it into a human-readable (normally CSV) format with mactime as shown above.

Linux Filesystems.

Generating timelines from Linux evidence is a little bit more complicated, and this is really because there isn't really an equivalent for the $MFT. Most of the time, this means we need to run it against a live system or a full disk image, rather than having the relative ease of using a triage collection or just capturing the $MFT via EDR.

Another important consideration is that there are always limitations in the tools we use, and different filesystems lead to different issues. Some key considerations include:

• EXT3 does not have a file creation timestamp.
• EXT4 does have a file creation timestamp but this is not always identified by our tools. Often this is down to the tool making a call to something like os.stat() in Python which doesn't recover the creation timestamp. Until the tools get updated, we won't really see the full picture.
• Lots of tools simply don't work against XFS (especially The Sleuth Kit) and even more don't work against Btrfs/ZFS filesystems.
• Sometimes you might just have to buy a commercial tool. If you have this option then at the very least you will have an account manager you can complain to when it lies to you.

With that out of the way, the approaches we will consider are: Using The Sleuth Kit and using a triage collection tool called UAC. The second option (UAC), gives us an effective way to build timelines on XFS, Btrfs and other Linux files systems even if they aren't supported by TSK.

Using The Sleuth Kit against EXT4

If you have a full disk image, this is very, very quick to run. It works best on EXT4 but in principle, it can be used on EXT3 (you just won't get creation timestamps).

Requirements

• A full disk image in E01, AFF or raw format.
• A copy of The Sleuth Kit including mactime.

Workflow

This is very similar to how you would run it against MS Windows evidence. First run fls to create the bodyfile, then convert it with mactime.

fls -r -m / /path/to/evidence > /path/to/bodyfile        

mactime -z UTC -y -d -b /path/to/bodyfile STARTDATE..ENDDATE > /path/to/output/filesystem-timeline.csv        

An example of this is shown below.

As with Windows, it is often better to use Timeline Explorer from the Zimmerman tools to read this.

Using UAC against live systems or captured data (works on XFS/Btrfs)

UAC (Unix-like Artifacts Collector) is an incredible tool for rapidly collecting data from live systems or mounted images. The biggest advantage here is that it will analyse XFS and Btrfs data if you can mount the system.

At a very high level, UAC uses a collection profile (a predefined list of artifacts) to collect data from a target.

The profiles currently available are:

• full
• ir_triage
• offline

Full and ir_triage are similar, although the ir_triage profile collects less data and can be faster to run. Both also include recovering data from the /proc filesystem (memory), which is pointless on a mounted evidence item. However, as you can imagine, the offline profile skips this and is much more effective running against a mounted image.

In use, the syntax is pretty consistent.

uac -p {profile} (and/or) -a {artifact} EVIDENCEITEM OUTPUT        

With an offline profile, also use --mount-point to specify where the evidence is mounted.

This is an example of the output when running UAC an offline collection profile against an XFS formatted evidence item mounted at /mnt/xfs and storing the data in /tmp.

When it finishes, there will be a .tar.gz file in the output folder (/tmp in our example above) which contains a bodyfile folder. In here there is bodyfile.txt - which should look like this.

This is a timeline of the system data in bodyfile format. Now you can use mactime to convert this as previously identified.

mactime -z UTC -y -d -b /path/to/bodyfile STARTDATE..ENDDATE > /path/to/output/filesystem-timeline.csv        

When it runs, you should end up with CSV formatted output.

Using UAC against a live system is similar, but the arguments change - for example:

./uac -a bodyfile/bodyfile.yaml /tmp        

This command will run the bodyfile artifact against the live system it is run on and store the data in /tmp.

Tools

• The Sleuth Kit (fls, mactime, etc): https://www.sleuthkit.org/sleuthkit/download.php
• UAC: https://github.com/tclahr
• Zimmerman Tools (MFTECmd, Timeline Explorer, etc): https://ericzimmerman.github.io/#!index.md

Summary

Timelines are effectively a "forensic superpower," and being able to quickly build one is an essential skill for any incident responder. While you may have a go-to commercial tool, it definitely helps if you have the ability to rapidly build one using alternative methods.

When it comes to DFIR, the more tools and techniques you have available, the better you will be able to adapt to a given incident and resolve any issues quickly. If you are working in a Linux or multi-OS environment, one of the biggest challenges is finding support for filesystems other than EXT!

In Windows, we have a lot of options. One of the most efficient is to pull the $MFT with a triage tool and then use MFTECmd.exe and mactime. If you have a full disk image, then you can also just use The Sleuth Kit.

Linux is more complex. If it is an EXT family full disk image, then The Sleuth Kit is still an option. However, a faster way (and possibly the only way if you have XFS/Btrfs etc) might be to use UAC to build the bodyfile, then mactime to convert it.

#DFIR #timeline #infosec #cybersecurity #forensics #incidentresponse #cyber #security