Overview

Timelines are useful in digital forensics for identifying when activity occurred on a computer and are mainly used for data reduction or identifying specific state changes that have occurred on a computer. Amazingly, this broad usage helps answer a lot of questions different investigators can have. That’s why we recently added a timeline feature to Autopsy in the 3.0.5 release. This feature will evolve over time and it is still considered beta, but currently it collects file system times, displays the activity in bar charts, and allows you to view the file contents as text, image, or hex.

The main reason that it is still beta is that we need to make some improvements with memory handling. It loads the entire timeline into memory and that doesn’t scale for large numbers of events. We’ll fix that soon though. We’ll also be expanding the feature to pull in data from other data sources, such as web history, log files, and the registry.

We hope the open source community will find our initial implementation helpful in their investigations and would love to have some conversations with the community about it, so please let us know if/how you end up using it by engaging at sleuthkit.org.

Using the Timeline Feature in Autopsy 3.0.5+

Once you’ve got Autopsy 3.0.5 or greater installed (sleuthkit.org/autopsy) and have added a disk image to a case, you can access the timeline by opening the Tools menu and selecting “Make Timeline (beta)”.

Behind the scenes, it will make a Sleuth Kit body file and run mactime to sort the data into a text timeline. Autopsy then parses the “mactime” output and displays it in graphs.

Initially, the graphs show the number of events per year. Selecting a year shows bars for each month in the year. Selecting a month will then show the number of events in each day. The bottom part of the screen allows you to see all of the files that have activity and the contents of each file. From this view, you can still use the thumbnail view to see thumbnails of all images on a given day and you can play videos as well.

You can also right click on a file in the lower left and choose “View File In Directory” to bring you back to the parent folder in the main Autopsy interface. This allows you to identify a suspicious file from the timeline view and then see what else is in the folder.

Use Case: Timeline Analysis in Intrusion Investigations

In time-critical investigations, such as a post-breach forensic investigation, it is important to be able to quickly focus on the relevant data. One way of doing this is through the use of file system timeline analysis. There are two big ways of using timelines: macro and micro.

At the macro-level, timelines are useful for seeing the big picture of how a computer was used. Often, the investigator’s first encounter with a computer is after it has been compromised, and the investigator may not know what is normal. By looking at the high-level activity for the past month, the investigator may be able to identify which directories had activity. This helps to determine which user accounts and applications are used. This can be correlated with data in the registry.

At the micro-level, timelines are useful for seeing all of the places that had activity in a given time range when intrusion activity occurred (assuming that the file system time stamps were not modified by the attacker). This can be useful when you have a time frame from an external data source (such as network packets or IDS) or when you want to see all of the places that the intruder placed files.
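The body file to timeline step described earlier, together with the macro (per year, month, day) and micro (time window) views, can be sketched in a few lines. This is an added example, not Autopsy's or mactime's code: the sample rows, paths and function names are constructed for illustration, times are handled as UTC, and a zero timestamp is assumed to mean "not recorded".

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in the Sleuth Kit 3.x body-file layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (Unix epoch seconds)
SAMPLE_BODY = """\
0|/Users/alice/report.docx|1001|r/rrwxrwxrwx|0|0|20480|1357041600|1357041600|1357041600|1325376000
0|/Windows/Temp/tool.exe|1002|r/rrwxrwxrwx|0|0|73728|1362145000|1362144600|1362144600|1362144600
0|/Windows/Temp/out.dat|1003|r/rrwxrwxrwx|0|0|512|1362145000|1362145000|1362145000|0
"""

def body_to_events(body_text):
    """Expand each body-file row into sorted (epoch, flags, path) events.

    Equal timestamps on one file merge into a single event whose flags use
    mactime's m/a/c/b letters. Assumption: a zero time means "not recorded".
    """
    events = []
    for line in body_text.splitlines():
        # Split from the right so a '|' inside the file name cannot shift fields.
        parts = line.rsplit("|", 9)
        if len(parts) != 10 or "|" not in parts[0] or line.startswith("#"):
            continue  # blank, comment or malformed row
        name = parts[0].split("|", 1)[1]
        by_time = defaultdict(set)
        for flag, value in zip("amcb", parts[6:]):  # body-file order: a, m, c, b
            if int(value) > 0:
                by_time[int(value)].add(flag)
        for epoch, flags in by_time.items():
            label = "".join(f if f in flags else "." for f in "macb")
            events.append((epoch, label, name))
    return sorted(events)

def bucket(events, fmt):
    """Macro view: count events per period; fmt is "%Y", "%Y-%m" or "%Y-%m-%d"."""
    return Counter(datetime.fromtimestamp(e[0], tz=timezone.utc).strftime(fmt)
                   for e in events)

def in_window(events, start, end):
    """Micro view: every event inside an externally supplied epoch range."""
    return [e for e in events if start <= e[0] <= end]

if __name__ == "__main__":
    events = body_to_events(SAMPLE_BODY)
    for fmt in ("%Y", "%Y-%m", "%Y-%m-%d"):
        print(dict(bucket(events, fmt)))
    for epoch, label, name in in_window(events, 1362144000, 1362147600):
        print(epoch, label, name)
```

The window bounds would normally come from the external source, for example the first and last packet times of a suspicious session, widened to allow for clock skew between the sensor and the host.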

Timelines are useful for both live analysis (when the suspected computer is still running) and dead analysis (when the suspected computer has been powered off).

For more information or to download Autopsy and the graphical timeline feature for free, visit sleuthkit.org/autopsy.
