読者です 読者をやめる 読者になる 読者になる

アンタイ・フォレンジック伝道者の独り言

基本的にはデジタル・フォレンジックの技術について取り扱っていますが、記載内容には高確率で誤りが含まれる可能性があります。

Log2timeline.py(Plaso)によるタイムラインの作成(26)

フォレンジック

Log2timeline(Plaso)のパーサモジュールではなく、出力結果の取り扱いについて確認しておきたいと思います。Plaso には psort.py が提供されており、Plasoストレージを対象にソート処理などを行う事ができます。これはすでに試してみていますので、以下 l2t_process のお話になります。

 

これまでLog2timelineでは出力形式として CSV を指定してきました。これをそのまま Excel などに取り込みフィルタをかける案もあると思いますが、L2t_Process ツールを使うことで、重複の排除、日付による絞り込みを行う事ができます。

日付による絞り込みでは、指定日付以降・指定日付範囲でスコープを絞る事が可能です。

また、l2t_processコマンドのヘルプを確認すると、幾つか興味深い機能が提供されている事が分かります。

  1. 読み込み時の日付フォーマットをMM-DD-YYYYではなくyyyy-mm-ddで読む形式に変更する(-y)
  2. Keywordファイルで指定した文字列に一致したものだけを出力対象とする(-k)
  3. ホワイトリストとして指定した文字列を出力結果から除外する(-w)
  4. Timestompツールの利用を推測(ミリ秒の値がゼロになっている)して結果を含めるか除外するかを指定(-i, -e)

 

以下 SIFT 3.0 に含まれている l2t_process のヘルプになります。残念ながら posrt.py にある出力段階でのタイムゾーンの変更(例えば UTC⇒JST)は出来ないようですね。

root@siftworkstation:/home/sansforensics# l2t_process -h

Usage:

    l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE]

 

    Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY

 

Options:

    -b|-body CSVFILE

            The name of the file that contains the CSV output produced by

            log2timeline.

 

    -t|-tab The default input to the tool is a file that was created using

            the CSV output module. However, the TAB module can also be used,

            however you will need to tell the tool that the file is TAB

            delimited instead of comma separated, using this option.

 

    -i|-include

            The tool detects possible timestomping activity against changes

            made to MFT records (millisecond is of zero value). This option

            makes the tool add lines that contain suspicious entries even

            though they fall outside the supplied date filter.

 

    -e|-exclude

            The tool detects possible timestomping activity against changes

            made to MFT records (millisecond is of zero value). If this

            option is supplied the tool will not ask the user to add the

            lines that are suspicous yet are outside the supplied date

            range.

 

    -v|-verbose

            Making the script produce mode debug information (be more

            verbose)

 

    -y      The default format for the date variable is mm-dd-yyyy, however

            this default behavior can be changed with this option so the

            format read is yyyy-mm-dd.

 

    -V|-Version

            Print the tools version number and exit.

 

    -k|-keyword FILE

            Include a keyword file that contains one keyword per line. The

            tool will read the keyword file line-by-line, and then compare

            each line in the CSV file against each of those keywords. The

            tool will only print out those lines that match the keywords.

 

            The words inside the keyword list are case insensitive.

 

    -w|-whitelist FILE

            Include a keyword file that contains one keyword per line. The

            file has the same format as the keyword file, and does the same

            thing, except that this file lists up keywords of words that

            should not be contained in the timeline. That is to say, this

            file defines the "known good" or whitelisted lines that should

            be kept out of the timeline.

 

            The tool starts by comparing the known keywords before

            processing the whitelist, meaning that keywords are first

            filtered out before the whitelist is processed. So the whitelist

            can be used in conjunction to the blacklist to narrow down the

            scope even more.

 

            It can also be used to remove known "good entries" or entries

            that are not relevant to the current investigation out of the

            timeline.

 

    -s|-scatter FILE

            This only makes sense when the timeline contains records from

            the MFT parser (NTFS filesystem). Then the tool will take the

            creation time of each file that resides in the WINDOWS/System32

            directory and scatter plot it against the MFT number of that

            file. The tool will both plot the $FN and $SI creation time of

            the file.

 

            This can be useful during malware investigations, to quickly

            find files that might have been added to the system32 folder.

            When the operating system in installed, and during patching

            there are usually several files written to the system32 folder

            at once and since MFT's are associated sequentially there should

            be clear association between MFT numbers and creation time.

            However a typical malware does not create several files in the

            system32 directory, a typical malware tries to hide and does so

            by creating as few files as possible. That makes it possible to

            view a scatter plot, showing the relationship between creation

            time and MFT numbers to quickly spot those outliers or

            anomalies. This technique can therefore be used for data

            reduction.

 

            This option creates a simple gnuplot data file and a gnuplot

            script that can be used to create a simple scatter plot to see

            those outliers. It will also make an attempt at identifying

            those outliers with a simple algorithm. By default the tool

            treats the entire dataset as a single slice and tries to find

            the obvious outliers, however that behaviour can be changed

            using the -m or --multi option to tell the tool to try to split

            the dataset into slices.

 

            The FILE portion should be the name of the output file the tool

            writes to, it should only contain ASCII letters: a-z, A-Z,

            underscore (_) and numbers 0-9, no dot. The files created will

            be: FILE.dat and FILE.cmd

 

            Then the tool gnuplot has to be run, like:

 

            gnuplot FILE.cmd

 

            Which will produce a file called FILE.png, containing the

            scatter plot.

 

            If the tool detects any outliers in the dataset then the file

            FILE_outliers.txt will be created. That file will contain a list

            of all those files that the tool detected as outliers.

 

    -m|--multi

            This option is only available when used with the -s FILE, to

            create scatter plot of the creation time vs. $MFT entry numbers.

            By default the tool treats the entire dataset as a single slice

            and tries to detect outliers in it. Since the relationship

            between $MFT entry numbers and creation time isn't a simple

            line, in reality it consists of several straight lines, there

            will be many false negatives when treating the dataset as a

            single slice. Therefore the option of trying to split the

            dataset into multiple smaller slices, and calculating the

            outliers for each one of those has been provided.

 

            This is a simple approach to this problem, and by no means

            solves the issue at hand. This method does produce lots of false

            positives (and it could also miss some, or produce false

            negatives). However it will catch many of the items that get

            missed by the first attempt.

 

            Perhaps the best approach is to start with the default behaviour

            of the tool, examine the graph manually. And if there are some

            outliers in the dataset that are perhaps aligned with another

            line, yet are obvious outliers, then to re-run the tool using

            this option to try to see if it gets detected.

 

    -h|-help

            Print this help message

 

    [DATE_RANGE]

            The date range is formulated as one of the following:

 

            MM-DD-YYYY      All dates from the date supplied date and

                            forward from them. That is to say, the date

                            defines the starting date and all dates after

                            that date will be part of the selection.

 

            MM-DD-YYYY..MM-DD-YYYY

                            This is a range, so all events that fall within

                            the boundaries set by these two dates will be

                            part of the selection.