WEBVTT

0:00:03.340000 --> 0:00:07.320000
In this video, we will create a timeline using SleuthKit and show you

0:00:07.320000 --> 0:00:10.720000
how to use Timeline Explorer, which is a very useful tool to analyze your

0:00:10.720000 --> 0:00:13.820000
timelines. Let's get started.

0:00:13.820000 --> 0:00:16.560000
Here we have a case called HackedBox.

0:00:16.560000 --> 0:00:18.840000
We'll use this case to create a timeline.

0:00:18.840000 --> 0:00:25.000000
We will be using a tool called SleuthKit FLS.

0:00:25.000000 --> 0:00:28.540000
What we want to do with this tool is generate a timeline of events that

0:00:28.540000 --> 0:00:31.500000
have happened against all the files in this forensic image.

0:00:31.500000 --> 0:00:35.300000
Here, we can see all the options available.

0:00:35.300000 --> 0:00:41.220000
From these options, we will need the name of the tool, FLS.

0:00:41.220000 --> 0:00:48.100000
Next, we need minus M to add from where our root directory will start.

0:00:48.100000 --> 0:00:52.680000
We will need minus O, the image offset, because this is not a single file system.

0:00:52.680000 --> 0:00:56.760000
This is a complete disk, so we will need to specify at what exact space

0:00:56.760000 --> 0:00:58.920000
the partition of interest is in.

0:00:58.920000 --> 0:01:03.440000
We will also need minus Z to specify the time zone, and then we have the

0:01:03.440000 --> 0:01:11.180000
image. We will also be adding minus R to go recursively and minus A to

0:01:11.180000 --> 0:01:15.960000
display the dot entries.

0:01:15.960000 --> 0:01:19.700000
If we enter this, it tells us that it cannot determine the partition type

0:01:19.700000 --> 0:01:22.680000
because it is a disk; it is not a single partition.

0:01:22.680000 --> 0:01:27.440000
Media Manager has a tool called mmls, which can display the

0:01:27.440000 --> 0:01:30.860000
partitions found on the disk.

0:01:30.860000 --> 0:01:34.540000
Now that we have the partitions, we can specify the offset because this

0:01:34.540000 --> 0:01:36.700000
is the partition we need.

0:01:36.700000 --> 0:01:43.780000
The offset is minus O, and we can just copy this here.

0:01:43.780000 --> 0:01:47.840000
Now, let's try minus R as we want to go recursively through this image,

0:01:47.840000 --> 0:01:51.200000
and then we can say that we want our directory root to start with C.

0:01:51.200000 --> 0:01:55.160000
So we will have C colon, and then the full path to the file, and then

0:01:55.160000 --> 0:01:58.060000
we can add the time zone, which is PST.

0:01:58.060000 --> 0:02:01.900000
And now let's add the case itself.

0:02:01.900000 --> 0:02:03.960000
Let's press enter.

0:02:03.960000 --> 0:02:06.980000
This is what the output looks like.

0:02:06.980000 --> 0:02:10.900000
It will generate a body file, and the body file is an intermediate file

0:02:10.900000 --> 0:02:14.280000
which is separated with the pipe, which can be fed to another tool to

0:02:14.280000 --> 0:02:15.880000
generate a timeline.

0:02:15.880000 --> 0:02:21.960000
Let's go back, and this time, let's call it bodyfile.txt.

0:02:21.960000 --> 0:02:24.880000
It may take a little bit of time, depending on the speed of the machine

0:02:24.880000 --> 0:02:28.220000
and the size of the forensic image, but let's just wait a little bit until

0:02:28.220000 --> 0:02:35.620000
this finishes. Now we can use the MacTime tool from the SleuthKit package,

0:02:35.620000 --> 0:02:37.660000
which will convert this bodyfile.

0:02:37.660000 --> 0:02:40.220000
Let's go here to see what options we have.

0:02:40.220000 --> 0:02:45.360000
We just need to specify that we have the minus B option to specify the

0:02:45.360000 --> 0:02:55.240000
bodyfile. And now let's type in bodyfile.

0:02:55.240000 --> 0:03:00.940000
Actually, we need to type in MacTime minus B, and then bodyfile.txt.

0:03:00.940000 --> 0:03:05.760000
Now we can generate the timeline by redirecting it.

0:03:05.760000 --> 0:03:08.600000
Let's type in timeline.csv.

0:03:08.600000 --> 0:03:12.360000
We'll be saving it in CSV format, because Timeline Explorer will understand

0:03:12.360000 --> 0:03:18.780000
it. Also, I can make a comma separated value using the minus D option,

0:03:18.780000 --> 0:03:22.040000
allowing for the output to be in a comma delimited form.

0:03:22.040000 --> 0:03:27.640000
Let's add this option, minus D, to our MacTime options, and now let it run.

0:03:27.640000 --> 0:03:34.520000
This will take the bodyfile that we created and convert it to a timeline.

0:03:34.520000 --> 0:03:39.860000
Now, let's go to timeline.csv to see what it looks like.

0:03:39.860000 --> 0:03:42.920000
And we see that everything is comma separated.

0:03:42.920000 --> 0:03:54.260000
Now let's copy this timeline we created, and I want to add it to my Windows

0:03:54.260000 --> 0:04:04.520000
desktop so that we can use Timeline Explorer.

0:04:04.520000 --> 0:04:08.360000
Timeline Explorer is a very useful, easy to use tool, and has a lot of

0:04:08.360000 --> 0:04:10.820000
features. I'll show you a couple of them.

0:04:10.820000 --> 0:04:13.980000
Timeline Explorer is developed by Eric Zimmerman.

0:04:13.980000 --> 0:04:16.960000
As you may recall from the course, Eric has a lot of Windows forensic

0:04:16.960000 --> 0:04:19.400000
tools, and I highly recommend using them.

0:04:19.400000 --> 0:04:22.480000
This tool is very easy to use.

0:04:22.480000 --> 0:04:27.940000
Let's go to File, Open, and then specify the file you want to open.

0:04:27.940000 --> 0:04:32.240000
It will take some time to load the whole file.

0:04:32.240000 --> 0:04:41.780000
Here we see that the tool organizes the items based on times, attributes,

0:04:41.780000 --> 0:04:46.160000
the modified access, the metadata of the file, the file name, and the

0:04:46.160000 --> 0:04:52.940000
line entry.
One useful feature is the search.

0:04:52.940000 --> 0:04:58.300000
Say for instance that we want to search for a file named NTUSER.DAT.

0:04:58.300000 --> 0:05:03.480000
Be mindful of where your scroll bar is.

0:05:03.480000 --> 0:05:06.560000
When we immediately scroll to the right, we are not able to see all of

0:05:06.560000 --> 0:05:11.040000
the data, but scrolling to the left allows us to see the rest of the data.

0:05:11.040000 --> 0:05:15.060000
Say we're interested in the timestamp.

0:05:15.060000 --> 0:05:19.280000
We can go to the drop down menu here and select timestamp so that it pins

0:05:19.280000 --> 0:05:21.340000
the timestamp for us.

0:05:21.340000 --> 0:05:27.500000
If we scroll, we still see that the timestamp is now fixed, which allows

0:05:27.500000 --> 0:05:30.740000
us to navigate easily through the results that we found and keep the timestamp

0:05:30.740000 --> 0:05:34.080000
because maybe it's the most important thing here for us.

0:05:34.080000 --> 0:05:38.540000
Also, if we go back to the search bar, we can click on the arrow buttons

0:05:38.540000 --> 0:05:44.940000
to go through the entries.

0:05:44.940000 --> 0:05:48.720000
If we no longer want the timestamp to be pinned, we can click on the box

0:05:48.720000 --> 0:05:51.200000
to the right of the drop down to unpin it.

0:05:51.200000 --> 0:05:54.540000
And if we want to clear the search results, we can click on the X button

0:05:54.540000 --> 0:05:59.980000
here. Another useful feature that I like is the color column.

0:05:59.980000 --> 0:06:02.860000
This has been added so you can use it to group entries based on colors

0:06:02.860000 --> 0:06:06.440000
because Timeline Explorer can differentiate events.

0:06:06.440000 --> 0:06:09.860000
Let's now go to the legend.

0:06:09.860000 --> 0:06:12.360000
Here we can see a breakdown of what each color means.

0:06:12.360000 --> 0:06:16.560000
So, if a file is opening, it will have this light green color.

0:06:16.560000 --> 0:06:21.660000
Web history will be yellow, deleted data will be black, execution is red,

0:06:21.660000 --> 0:06:25.940000
device or USB usage will be blue, folder opening will be dark green, and

0:06:25.940000 --> 0:06:28.320000
the log file will be white.

0:06:28.320000 --> 0:06:33.060000
Colors are helpful because you can group based on these types of events.

0:06:33.060000 --> 0:06:36.880000
So here, all we need to do is right click on the color column and select

0:06:36.880000 --> 0:06:41.040000
group by this column.

0:06:41.040000 --> 0:06:46.220000
Here we can see that the timeline has been grouped based on color.

0:06:46.220000 --> 0:06:50.520000
So here, we can see only the deleted files.

0:06:50.520000 --> 0:06:56.260000
Here, we see all the opened files.

0:06:56.260000 --> 0:06:59.980000
So as you can see here, we can easily manage to filter our results using

0:06:59.980000 --> 0:07:04.620000
this feature. If you no longer want it, you can just ungroup it and everything

0:07:04.620000 --> 0:07:07.040000
will go back to default.

0:07:07.040000 --> 0:07:10.160000
Another great feature in Timeline Explorer is being able to narrow down events

0:07:10.160000 --> 0:07:12.280000
to a specific time.

0:07:12.280000 --> 0:07:15.540000
We will be dealing with what we call temporal proximity.

0:07:15.540000 --> 0:07:19.100000
Here, what we can do is go to this icon at the right of the timestamp

0:07:19.100000 --> 0:07:20.780000
column and click it.

0:07:20.780000 --> 0:07:24.500000
Now, we can filter based on a specific time period.

0:07:24.500000 --> 0:07:45.200000
Let's try it out and select only events that have occurred in 2015.

0:07:45.200000 --> 0:07:51.240000
Now, click OK. Now, we see a really short list and we have narrowed down

0:07:51.240000 --> 0:07:56.340000
the events. As we scroll through, only events from 2015 are showing.

0:07:56.340000 --> 0:08:05.600000
Under the timestamps column, we can also sort ascending or descending.

0:08:05.600000 --> 0:08:09.440000
So as you can see, this is quite useful.

0:08:09.440000 --> 0:08:11.920000
We can apply the best fit to the file name.

0:08:11.920000 --> 0:08:16.440000
This tries to fit it in the best way possible.

0:08:16.440000 --> 0:08:21.200000
Now, let's group by color.

0:08:21.200000 --> 0:08:27.840000
As we can see here, we narrow down the results even further to all results

0:08:27.840000 --> 0:08:30.160000
that happened in 2015.

0:08:30.160000 --> 0:08:38.980000
These are the open and deleted results based on the groups that are found.

0:08:38.980000 --> 0:08:42.420000
Timeline Explorer is quite useful and it makes analyzing timelines very

0:08:42.420000 --> 0:08:45.980000
easy. You can even save.

0:08:45.980000 --> 0:08:57.340000
When you open Timeline Explorer again, if you've done some organizing, you can

0:08:57.340000 --> 0:09:15.860000
go ahead and specify the session you want and open it.

0:09:15.860000 --> 0:09:16.400000
You can see the results that are found in the next slide.

0:09:16.400000 --> 0:09:20.660000
Along the bottom right, we can see the total number of lines, which is not

0:09:20.660000 --> 0:09:24.380000
much, as there are some systems that might reach more than a million entries.

0:09:24.380000 --> 0:09:28.520000
So, you really need a good tool to filter.

0:09:28.520000 --> 0:09:32.080000
Here, we can see the filter that's been applied.

0:09:32.080000 --> 0:09:36.840000
There are other types of filters we can use, like the date filters, which

0:09:36.840000 --> 0:09:39.920000
give us the option to be even more specific.

0:09:39.920000 --> 0:09:45.700000
We can also export this into an Excel file.

0:09:45.700000 --> 0:09:53.540000
We can see that it's exporting to an Excel file.

0:09:53.540000 --> 0:10:01.780000
This is great if you want to analyze it in an Excel sheet.

0:10:01.780000 --> 0:10:05.960000
In this video, we covered how to create a timeline using SleuthKit, as

0:10:05.960000 --> 0:10:09.900000
well as how to use Timeline Explorer, which is a very useful tool to analyze

0:10:09.900000 --> 0:10:16.620000
your timelines. And this concludes our video lesson on creating a timeline

0:10:16.620000 --> 0:10:20.560000
using TSK and Introduction to Timeline Explorer.

0:10:20.560000 --> 0:10:22.380000
As always, thanks for joining us.
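The fls | mactime -d pipeline narrated in the video, reconstructed as an added Python example that is not part of the video transcript and not The Sleuth Kit's own code. It parses a constructed, pipe-separated body file in the TSK 3.x layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), collapses each file's identical MACB timestamps into one typed event the way mactime does, renders times in PST (the -z value the video passes to fls) and writes a comma-delimited timeline with a mactime-style Date,Size,Type,Mode,UID,GID,Meta,File Name header. It also applies the "only 2015" temporal-proximity filter that the video applies in Timeline Explorer, so the reader can see what that filter does to the rows. The sample body-file lines, the hypothetical paths and inode numbers, the fixed -8 hour stand-in for the PST zone, and all helper names are assumptions.

```python
"""Body file -> mactime-style CSV timeline (added example, not Sleuth Kit code).

Assumed TSK 3.x body-file layout, one file per line, pipe-separated:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Times are Unix epoch seconds; 0 means "no timestamp".
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample input (hypothetical paths and inodes, not from any real image).
SAMPLE_BODY = """\
0|C:/Users/bob/NTUSER.DAT|1234-128-1|r/rrwxrwxrwx|0|0|262144|1420123456|1420120000|1420120000|1420000000
0|C:/Windows/Temp/run.exe (deleted)|5678-128-1|r/rrwxrwxrwx|0|0|4096|1420200000|1420200000|1420200000|1420200000
0|C:/Users/bob/Desktop|91-144-1|d/drwxrwxrwx|0|0|0|1420300000|1420300000|1420300000|1420300000
"""

FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
# Assumption: a fixed -8h offset stands in for the "PST" zone passed to fls -z in the video
# (mactime itself resolves the zone through the system tz database, DST included).
PST = timezone(timedelta(hours=-8), "PST")
HEADER = ["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"]

Event = Tuple[datetime, str, Dict[str, str]]


def parse_body(text: str) -> List[Dict[str, str]]:
    """Split body-file lines into field dicts; reject malformed lines instead of guessing."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def timeline(rows: List[Dict[str, str]], tz: timezone = PST) -> List[Event]:
    """One event per distinct timestamp of each file, typed with the MACB letters it carries."""
    events: List[Event] = []
    for row in rows:
        by_time: Dict[int, set] = {}
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = int(row[key])
            if ts <= 0:          # zero/absent timestamps produce no event
                continue
            by_time.setdefault(ts, set()).add(letter)
        for ts, letters in by_time.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            events.append((datetime.fromtimestamp(ts, tz), macb, row))
    events.sort(key=lambda e: e[0])  # chronological order, as mactime emits it
    return events


def filter_year(events: List[Event], year: int) -> List[Event]:
    """The temporal-proximity step from the video: keep only events inside one calendar year."""
    return [e for e in events if e[0].year == year]


def to_csv(events: List[Event]) -> str:
    """Render events in mactime -d style: comma delimited with a header row."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(HEADER)
    for when, macb, row in events:
        w.writerow([when.strftime("%a %b %d %Y %H:%M:%S"), row["size"], macb,
                    row["mode"], row["uid"], row["gid"], row["inode"], row["name"]])
    return buf.getvalue()


if __name__ == "__main__":
    evs = timeline(parse_body(SAMPLE_BODY))
    print(to_csv(evs))
    print("--- 2015 only ---")
    print(to_csv(filter_year(evs, 2015)))
```

The first sample file carries three distinct timestamps, so it yields three rows (creation "...b", modified-and-changed "m.c.", accessed ".a.."), while the deleted executable and the folder collapse to a single "macb" row each; the creation event falls in late 2014 in PST and is the one the 2015 filter drops. Run it on a real fls output by replacing SAMPLE_BODY with the file contents and, for production work, a proper zoneinfo zone in place of the fixed offset.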