A case study in new generation timeline tools (an OSDFCon presentation)

This week’s featured speaker in our OSDFCon blog series is Daniel White, a security engineer at Google. Daniel is offering both a lecture at OSDFCon and a half-day workshop the day before the conference, and he shared more with us about his topic and the importance of timeline data:

BT: Your talk topic this year is “New generation timeline tools: A case study.” What drove you to develop the Plaso and Timesketch forensic tools?

DW: I’ve found timeline analysis to be a useful way to approach forensic analysis in many or most cases I work. Even when there’s only a very vague indication of something strange happening, there’s usually a time indicator to work from. Users can usually tell you when a thing started “acting funny” or when it was left unattended.

Unfortunately, there are a lot of things happening on a modern computing device, and weeding out all the irrelevant events is a pretty arduous process. That’s why I’ve been developing some new techniques and processes to make this faster and easier.
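The approach Daniel describes, taking a rough time indicator from a user and pivoting the timeline around it, is easy to get wrong when artifacts carry timestamps in different formats and time zones. The script below is an added example, not code from Plaso or Timesketch: it normalizes a few constructed records from three sources (syslog without a year, a browser history export in UTC, filesystem metadata in local time) to UTC, sorts them into one timeline, and returns only the events within a window around the time the user reported. The host's UTC-4 clock, the case year 2015, and all sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this constructed case: the host's local clock runs at UTC-4
# and the case year is 2015 (syslog timestamps carry no year).
LOCAL_TZ = timezone(timedelta(hours=-4))
CASE_YEAR = 2015

# Constructed sample records; not from any real case.
SYSLOG_LINES = [  # local time, no year, no zone
    "Oct 27 14:29:58 host sshd[812]: Accepted password for alice from 10.0.0.5",
    "Oct 27 14:31:10 host sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/curl http://example.invalid/x",
    "Oct 27 16:02:41 host cron[910]: (root) CMD (run-parts /etc/cron.hourly)",
]
BROWSER_HISTORY = [  # ISO 8601, already UTC
    ("2015-10-27T18:30:22Z", "http://example.invalid/login"),
    ("2015-10-27T09:12:01Z", "https://intranet.example/home"),
]
FILE_METADATA = [  # local time, as a naive tool might export it
    ("2015-10-27 14:31:12", "/tmp/x", "created"),
    ("2015-10-27 08:00:00", "/var/log/wtmp", "modified"),
]


def parse_syslog(line):
    """Syslog line -> event; the 15-char prefix is 'Mon DD HH:MM:SS' in local time."""
    stamp, message = line[:15], line[16:]
    local = datetime.strptime(f"{CASE_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"time": local.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc),
            "source": "syslog", "message": message}


def parse_browser(record):
    """Browser history record -> event; the export is already in UTC."""
    ts = datetime.strptime(record[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "source": "browser", "message": f"visited {record[1]}"}


def parse_file(record):
    """Filesystem metadata record -> event; timestamps are local time."""
    local = datetime.strptime(record[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return {"time": local.astimezone(timezone.utc),
            "source": "file", "message": f"{record[2]} {record[1]}"}


def build_timeline():
    """Merge all sources into one list of events ordered by UTC time."""
    events = ([parse_syslog(l) for l in SYSLOG_LINES]
              + [parse_browser(r) for r in BROWSER_HISTORY]
              + [parse_file(r) for r in FILE_METADATA])
    return sorted(events, key=lambda e: e["time"])


def pivot(timeline, reported_local, minutes):
    """Return events within +/- `minutes` of a time the user reported in local time.

    The reported time is converted to UTC before comparison, so a 14:30 local
    report lines up with the 18:30Z browser visit instead of missing it.
    """
    anchor = reported_local.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    lo, hi = anchor - timedelta(minutes=minutes), anchor + timedelta(minutes=minutes)
    return [e for e in timeline if lo <= e["time"] <= hi]


def format_event(event):
    """One line per event, in the 'time,source,message' style of a flat timeline."""
    return f"{event['time'].isoformat()},{event['source']},{event['message']}"


if __name__ == "__main__":
    # User says the laptop "started acting funny" around 14:30 local time.
    window = pivot(build_timeline(), datetime(2015, 10, 27, 14, 30), minutes=5)
    for event in window:
        print(format_event(event))
```

The point of the example is the normalization step: with every event in UTC, the pivot window is a plain range comparison, and the same `pivot` works however many more parsers are added. A real tool such as Plaso does this for hundreds of artifact types; the window-and-filter workflow on its output is the same.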

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn?

DW: If “when something happened” is ever important in your investigation, you should come along! You’ll learn how to generate and investigate forensic timelines more quickly and comprehensively.

BT: What brought you into the digital forensics domain?

DW: I was the “security guy” for a university, which necessitated developing a lot of sysadmin knowledge, and investigating a fair few suspicious occurrences. I enjoyed the problem solving, and the process of investigation, so here I am!

BT: What is your favorite aspect of digital forensics?

DW: I enjoy the puzzle solving aspect of an investigation, and get a lot of satisfaction from the feeling of having created clarity out of confusion.

BT: How do open source digital forensics tools make your research and/or your investigative work easier?

DW: The flexibility of open source tools is what makes them the most useful. Being able to come up with new uses for tools, and quickly put together scripts that chain different open source utilities together, means that you have a lot more options to respond to different incidents.

Compared to closed source tools, the inspectability of open source tools makes them more trustworthy. You can actually check for yourself why a tool is telling you something, rather than having to just “trust the magic”.

BT: Besides presenting, what are you looking forward to most about OSDFCon 2015?

DW: It’s always interesting to hear the problems and solutions other digital forensic practitioners encounter. I focus mainly on intrusion cases, so getting the perspective of those doing research or investigating corporate and criminal wrongdoing is always a highlight.

BT: What’s next for your software?

DW: So many things. I’m going to focus on helping users analyze the vast quantity of timeline data that Plaso already produces, and some of the other authors are working on mining some specific filesystem artifacts and scaling Plaso so that the timeline generation process is super fast.

Daniel’s Plaso Parser Workshop is one of two pre-conference optional workshops you can sign up for. Register here for the workshop being offered Tuesday afternoon, October 27, and for OSDFCon October 28, where you’ll see Daniel’s case study. We look forward to seeing you!