MoVP II – 2.3 – Creating Timelines with Volatility

Published May 23, 2013

Jamie Levy

A common computer forensic investigative methodology is creating timelines.  Timelines help establish the sequence of events that took place on a machine prior to the investigation.  Various artifacts in Windows memory carry timestamps and can be used to construct one.  This post covers how to create such a timeline with Volatility and how to read it.

Creating a Timeline


Three plugins can write Sleuthkit bodyfile format (--output=body): timeliner, mftparser and shellbags.
Their output can be concatenated into a single bodyfile and sorted with mactime to produce a timeline of memory artifacts.  Two of these plugins (mftparser and shellbags) are specific in their output and only include the artifacts their names describe: MFT entries and shellbag registry data.  The third plugin, timeliner, is broader and covers the other dated artifacts Volatility recovers from memory; the [SOCKET] entries in the timeline below, for example, come from timeliner.
In order to create a timeline using all three plugins, use the following commands:
$ ./vol.py --plugins=contrib/plugins -f [sample] timeliner --output=body --output-file=timeliner.txt -R
$ ./vol.py -f [sample] mftparser -C --output=body --output-file=mft.txt
$ ./vol.py -f [sample] shellbags --output=body --output-file=shellbags.txt
Then put it all together and let mactime sort it.  Use > rather than >> here: appending to an existing bodyfile on a re-run gives you a second copy of every record.
$ cat timeliner.txt mft.txt shellbags.txt > bodyfile.txt
$ mactime -b bodyfile.txt -d > mactime.txt
mactime renders timestamps in the local time zone unless you pass -z.  In the output below, 1335578362 (01:59:22 UTC on Apr 28) appears as Fri Apr 27 2012 21:59:22, so that run was done in UTC-4; pass -z explicitly when the analysis machine and the evidence are not in the same zone.
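To make the macb column in the output below concrete, here is an added example (not Volatility or Sleuthkit code) that does what mactime does with a bodyfile: it parses the pipe-separated records, groups the four timestamps of each record by second, flags them m/a/c/b and emits the same CSV rows as mactime -d.  The sample bodyfile is constructed from values in this post (the two MFT records for g.exe and the FTP socket record), with 0 in the MD5 column; the UTC-4 offset reproduces the time zone the post's output was rendered in.

```python
"""Re-implementation of the part of Sleuthkit's `mactime -b <bodyfile> -d`
that turns bodyfile records into macb timeline rows.  Added example, not
Volatility or Sleuthkit code.

Bodyfile record layout (pipe-separated):
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
mactime emits one row per distinct second a record touches and flags which
of the four times hit that second with the letters m (mtime), a (atime),
c (ctime, MFT entry changed) and b (crtime, born); '.' means "not this one".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the two MFT records for g.exe (values taken from the
# post's grep output) plus the timeliner socket record, written as a
# standard bodyfile with "0" in the MD5 column.
SAMPLE_BODYFILE = r"""
0|[MFT FILE_NAME] WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335578514|1335578514|1335578514|1335578514
0|[MFT STD_INFO] WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335579014|1335578514|1335578514|1335578514
0|[SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518|-1|---------------|0|0|0|1335579014|1335579014|1335579014|1335579014
"""

TIME_KEYS = ("mtime", "atime", "ctime", "crtime")   # order of the macb letters
LETTERS = "macb"


def parse_bodyfile(text):
    """Yield one record dict per non-empty line.  The name field may itself
    contain '|' (timeliner puts free text there), so split from the right."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        md5, rest = line.split("|", 1)
        fields = rest.rsplit("|", 9)            # name + 9 fixed trailing fields
        if len(fields) != 10:
            continue                            # malformed line: skip, don't guess
        name, inode, mode, uid, gid, size = fields[:6]
        atime, mtime, ctime, crtime = (int(t) for t in fields[6:])
        yield {"md5": md5, "name": name, "inode": inode, "mode": mode,
               "uid": uid, "gid": gid, "size": size,
               "atime": atime, "mtime": mtime, "ctime": ctime, "crtime": crtime}


def macb_rows(rec):
    """Split one record into rows (epoch, size, macb, mode, uid, gid, inode, name),
    one per distinct second, with the letters of the times that hit it."""
    hits = defaultdict(lambda: ["."] * 4)
    for pos, key in enumerate(TIME_KEYS):
        ts = rec[key]
        if ts > 0:                              # a 0 timestamp is treated as unset here
            hits[ts][pos] = LETTERS[pos]
    return [(ts, rec["size"], "".join(flags), rec["mode"], rec["uid"],
             rec["gid"], rec["inode"], rec["name"]) for ts, flags in hits.items()]


def mactime_d(body_text, tz_offset_hours=0):
    """Return the CSV lines `mactime -d` would print, sorted by time then name.
    mactime uses the local zone unless given -z; the post's output is UTC-4,
    so pass tz_offset_hours=-4 to reproduce it."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    rows = [row for rec in parse_bodyfile(body_text) for row in macb_rows(rec)]
    rows.sort(key=lambda r: (r[0], r[7]))
    return [datetime.fromtimestamp(r[0], tz).strftime("%a %b %d %Y %H:%M:%S")
            + "," + ",".join(str(f) for f in r[1:]) for r in rows]


if __name__ == "__main__":
    for line in mactime_d(SAMPLE_BODYFILE, tz_offset_hours=-4):
        print(line)
```

Run it and the g.exe STD_INFO record splits into two rows, m.cb at 22:01:54 and .a.. at 22:10:14, exactly as it appears in the timeline excerpts below: one bodyfile record becomes as many timeline rows as it has distinct timestamps.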

Analyzing an Example Timeline

We'll look at a timeline generated from a sample that was obtained from the Forensic Challenge for the GRRCon conference (http://t.co/m0JCvrnV) by Jack Crook (twitter: @jackcr, website: http://www.handlerdiaries.com/).

There is also a previous writeup of this challenge on our blog by MHL and Andrew: http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html

The file that delivered the exploit shows up in the MFT output as a prefetch entry for an executable whose name mimics a Word document (SWING-MECHANICS.DOC[1].EXE).  The grep below looks for prefetch files whose names contain a document extension followed by .exe:

$ grep -i ".pf" grrcon_mft | egrep -i '(doc|ppt|xls|pdf)' | grep -i exe
(FN) 0x14c42000|[MFT FILE_NAME] WINDOWS\Prefetch\SWING-MECHANICS.DOC[1].EXE-013CEA10.pf|12024|---a-------I---|0|0|512|1335578362|1335578362|1335578362|1335578362

Now we can look at what else happened around the time the exploit ran:

$ mactime -b grrcon_body.txt -d | less -I

In less, type /swing to jump to the prefetch entry.  We should see:

Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT FILE_NAME] WINDOWS\Prefetch\SWING-MECHANICS.DOC[1].EXE-013CEA10.pf
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT FILE_NAME] WINDOWS\Prefetch\SWING-~1.PF
Fri Apr 27 2012 21:59:22,512,macb,---a-------I---,0,0,12024,[MFT STD_INFO] WINDOWS\Prefetch\SWING-~1.PF
Fri Apr 27 2012 21:59:22,352,macb,---a-----------,0,0,12026,[MFT FILE_NAME] WINDOWS\system32\svchosts.exe
Fri Apr 27 2012 21:59:22,352,m..b,---a-----------,0,0,12026,[MFT STD_INFO] WINDOWS\system32\svchosts.exe
Fri Apr 27 2012 21:59:22,344,.a..,---a-----------,0,0,23251,[MFT STD_INFO] WINDOWS\system32\msvfw32.dll
Fri Apr 27 2012 21:59:22,352,.a..,---a-----------,0,0,479,[MFT STD_INFO] WINDOWS\system32\avicap32.dll

A few things to know when reading these rows.  The columns are date, size, macb, MFT flags, UID, GID, MFT entry number and name.  The macb column records which of the four NTFS timestamps fall in that second: m (modified), a (accessed), c (MFT entry changed) and b (born, i.e. created); a dot means that timestamp is elsewhere in the timeline.  Each file appears under two attributes: [MFT STD_INFO] is $STANDARD_INFORMATION, whose timestamps Windows updates in normal use and which timestomping tools typically alter, and [MFT FILE_NAME] is $FILE_NAME, whose timestamps are set when the entry is created or renamed and are much harder to change from user mode; a STD_INFO creation time earlier than the FILE_NAME one is a red flag.  The ~1 names are the DOS 8.3 short names NTFS stores as a second $FILE_NAME attribute, which is why each prefetch file shows up twice under FILE_NAME.

In the same second the prefetch file for SWING-MECHANICS.DOC[1].EXE appears, svchosts.exe is created in system32 (note the extra "s": the legitimate service host is svchost.exe) and the Video for Windows libraries msvfw32.dll and avicap32.dll are accessed.
Scrolling down we see someone trying to figure out the network:

Fri Apr 27 2012 21:59:49,488,mac.,---a-------I---,0,0,11854,[MFT STD_INFO] WINDOWS\Prefetch\IPCONF~1.PF
Fri Apr 27 2012 21:59:49,360,.a..,---a-----------,0,0,23434,[MFT STD_INFO] WINDOWS\system32\ipconfig.exe
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT FILE_NAME] WINDOWS\Prefetch\NET.EXE-01A53C2F.pf
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT FILE_NAME] WINDOWS\Prefetch\NETEXE~1.PF
Fri Apr 27 2012 21:59:56,472,macb,---a-------I---,0,0,12018,[MFT STD_INFO] WINDOWS\Prefetch\NETEXE~1.PF
Fri Apr 27 2012 21:59:56,344,.a..,---a-----------,0,0,23222,[MFT STD_INFO] WINDOWS\system32\net.exe
Fri Apr 27 2012 22:00:06,344,.a..,---a-----------,0,0,23131,[MFT STD_INFO] WINDOWS\system32\ping.exe

The prefetch file for ipconfig is modified rather than created (mac., no b), so ipconfig had been run on this host before; the prefetch file for net.exe is born here, so this is its first run since the prefetch directory was last cleared.
A bit below that we see the creation of a folder called "systems" under system32, and then new files inside it:

Fri Apr 27 2012 22:01:03,472,macb,-------------D-,0,0,12029,[MFT FILE_NAME] WINDOWS\system32\systems
Fri Apr 27 2012 22:01:03,472,...b,---------------,0,0,12029,[MFT STD_INFO] WINDOWS\system32\systems
Fri Apr 27 2012 22:01:03,832,m.c.,---------------,0,0,29,[MFT STD_INFO] WINDOWS\system32
Fri Apr 27 2012 22:01:07,832,.a..,---------------,0,0,29,[MFT STD_INFO] WINDOWS\system32
Fri Apr 27 2012 22:01:43,416,macb,---a-----------,0,0,12030,[MFT FILE_NAME] WINDOWS\system32\systems\f.txt
Fri Apr 27 2012 22:01:43,416,macb,---a-----------,0,0,12030,[MFT STD_INFO] WINDOWS\system32\systems\f.txt
Fri Apr 27 2012 22:01:54,368,macb,---a-----------,0,0,12031,[MFT FILE_NAME] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:01:54,368,m.cb,---a-----------,0,0,12031,[MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:02:05,368,macb,---a-----------,0,0,12032,[MFT FILE_NAME] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:05,368,...b,---a-----------,0,0,12032,[MFT STD_INFO] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:06,368,m...,---a-----------,0,0,12032,[MFT STD_INFO] WINDOWS\system32\systems\p.exe
Fri Apr 27 2012 22:02:17,368,macb,---a-----------,0,0,12033,[MFT FILE_NAME] WINDOWS\system32\systems\r.exe
Fri Apr 27 2012 22:02:17,368,m.cb,---a-----------,0,0,12033,[MFT STD_INFO] WINDOWS\system32\systems\r.exe

Note the parent directory: the STD_INFO record of system32 itself (MFT entry 29) is modified in the same second the systems folder is created, which is what adding an entry to a directory does.
We can use this to grep the bodyfile for executables in the "systems" folder (awk's $4 drops the leading fields, leaving the path and the pipe-separated columns after it):

$ grep -i systems grrcon_body.txt | grep -i exe | awk '{print $4}'
WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578558|1335578558|1335578558|1335578558
WINDOWS\system32\systems\w.exe|11978|---a-----------|0|0|360|1335578559|1335578559|1335578559|1335578558
WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335578514|1335578514|1335578514|1335578514
WINDOWS\system32\systems\g.exe|12031|---a-----------|0|0|368|1335579014|1335578514|1335578514|1335578514
WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335578525|1335578525|1335578525|1335578525
WINDOWS\system32\systems\p.exe|12032|---a-----------|0|0|368|1335579196|1335578526|1335578698|1335578525
WINDOWS\system32\systems\r.exe|12033|---a-----------|0|0|368|1335578537|1335578537|1335578537|1335578537
WINDOWS\system32\systems\r.exe|12033|---a-----------|0|0|368|1335578939|1335578537|1335578537|1335578537
WINDOWS\system32\systems\sysmon.exe|12034|---a-----------|0|0|344|1335578546|1335578546|1335578546|1335578546
WINDOWS\system32\systems\sysmon.exe|12034|---a-----------|0|0|344|1335579140|1335578547|1335578547|1335578546
[snip]


The four epoch values at the end of each bodyfile line are atime, mtime, ctime and crtime.  The second line for g.exe, p.exe, r.exe and sysmon.exe (the STD_INFO record) carries an access time later than the creation time, consistent with the binaries being executed after they were dropped.  We also have prefetch files that show that some of these executables ran, and the prefetch timestamps tell us when:

Fri Apr 27 2012 22:03:03      472 macb ---a-------I--- 0        0        12035    [MFT FILE_NAME] WINDOWS\Prefetch\W.EXE-0A1E603F.pf
                              472 macb ---a-------I--- 0        0        12035    [MFT FILE_NAME] WINDOWS\Prefetch\WEXE-0~1.PF
                              472 ...b ---a-------I--- 0        0        12035    [MFT STD_INFO] WINDOWS\Prefetch\WEXE-0~1.PF
Fri Apr 27 2012 22:03:28      472 macb ---a-------I--- 0        0        12036    [MFT FILE_NAME] WINDOWS\Prefetch\G.EXE-24E91AA8.pf
                              472 macb ---a-------I--- 0        0        12036    [MFT FILE_NAME] WINDOWS\Prefetch\GEXE-2~1.PF
                              472 macb ---a-------I--- 0        0        12036    [MFT STD_INFO] WINDOWS\Prefetch\GEXE-2~1.PF
Fri Apr 27 2012 22:04:18      472 mac. ---a-------I--- 0        0        12035    [MFT STD_INFO] WINDOWS\Prefetch\WEXE-0~1.PF
Fri Apr 27 2012 22:05:03      472 macb ---a-------I--- 0        0        12040    [MFT FILE_NAME] WINDOWS\Prefetch\P.EXE-04500029.pf
                              472 macb ---a-------I--- 0        0        12040    [MFT FILE_NAME] WINDOWS\Prefetch\PEXE-0~1.PF
                              472 ...b ---a-------I--- 0        0        12040    [MFT STD_INFO] WINDOWS\Prefetch\PEXE-0~1.PF
Fri Apr 27 2012 22:08:46      608 mac. rh------------- 0        0        10850    [snip]
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\R.EXE-19834F9B.pf
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\REXE-1~1.PF
                              472 macb ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:09:01      472 mac. ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
[snip]

On XP a prefetch file is written shortly after a process starts and rewritten on each later run, so the pair of STD_INFO rows for WEXE-0~1.PF (born at 22:03:03, then modified without a new creation at 22:04:18) means w.exe ran at least twice; REXE-1~1.PF shows the same pattern at 22:08:46 and 22:09:01.

We can also tie each prefetch file to the binary that produced it by recomputing the prefetch hash: the hex digits in a prefetch file name are a hash of the executable's full device path, so a match proves that the .pf file belongs to the copy in WINDOWS\system32\systems and not to some other file of the same name.  You can use a python script I wrote a while back for this:

$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\r.exe"
R.EXE-19834F9B.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\p.exe"
P.EXE-4500029.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\w.exe"
W.EXE-A1E603F.pf
$ python prefetch_hash.py -x -p "\device\harddiskvolume1\WINDOWS\system32\systems\g.exe"
G.EXE-24E91AA8.pf

The script prints the hash without leading zeros; the names on disk are zero-padded to eight hex digits (P.EXE-04500029.pf and W.EXE-0A1E603F.pf in the timeline above), so pad before comparing.
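The hash can be recomputed without that script.  This added example (it is not the prefetch_hash.py referred to above, whose code is not on this page) implements the documented Windows XP/2003 prefetch hash: the executable's device path is uppercased, folded character by character with a multiplier of 37, scaled by 314159269, reduced to its 32-bit absolute value and then taken modulo 1000000007, and the result is written as eight uppercase hex digits after the uppercased file name.  It then compares the names it computes for the four systems\ binaries with the prefetch names observed in the timeline.  Vista and later use different hash functions, so this applies only to XP and 2003 images such as the one in this post.

```python
"""Recompute Windows XP/2003 prefetch file names from an executable's device
path, so a .pf name seen in a timeline can be tied to the binary that
produced it.  Added example; not the prefetch_hash.py the post mentions.
The algorithm is the SCCA "XP" hash used by Windows XP and Server 2003.
Vista and later use different functions and will not match this code.
"""
import ntpath


def xp_prefetch_hash(device_path):
    """SCCA XP hash of a device path, returned as an unsigned 32-bit int.
    The path is uppercased first, so the hash is case-insensitive."""
    h = 0
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:               # absolute value of the 32-bit signed result
        h = 0x100000000 - h
    return h % 1000000007


def prefetch_name(device_path):
    """On-disk name: <BASENAME>-<HASH>.pf with the hash zero-padded to 8 hex digits."""
    base = ntpath.basename(device_path).upper()
    return f"{base}-{xp_prefetch_hash(device_path):08X}.pf"


# Prefetch names observed in the post's timeline, keyed by the device path
# the attacker's binaries lived at (\device\harddiskvolume1 is the NT device
# name of the system volume in this image, as used in the post's commands).
OBSERVED = {
    r"\device\harddiskvolume1\WINDOWS\system32\systems\r.exe": "R.EXE-19834F9B.pf",
    r"\device\harddiskvolume1\WINDOWS\system32\systems\p.exe": "P.EXE-04500029.pf",
    r"\device\harddiskvolume1\WINDOWS\system32\systems\w.exe": "W.EXE-0A1E603F.pf",
    r"\device\harddiskvolume1\WINDOWS\system32\systems\g.exe": "G.EXE-24E91AA8.pf",
}


def check_observed(observed=OBSERVED):
    """Return {device_path: (computed_name, computed_name == observed_name)}."""
    results = {}
    for path, name in observed.items():
        computed = prefetch_name(path)
        results[path] = (computed, computed == name)
    return results


if __name__ == "__main__":
    for path, (computed, ok) in check_observed().items():
        print("MATCH   " if ok else "MISMATCH", computed, path)
```

Feed it the device path, not the drive-letter path: C:\WINDOWS\system32\systems\r.exe hashes to a different value, which is the usual reason a recomputed name fails to match.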


Next we see staging: a subfolder "1" is created under systems and PDF documents appear in it, each with its long and its 8.3 short name:

Fri Apr 27 2012 22:07:10,456,macb,-------------D-,0,0,12041,[MFT FILE_NAME] WINDOWS\system32\systems\1
Fri Apr 27 2012 22:07:10,456,...b,---------------,0,0,12041,[MFT STD_INFO] WINDOWS\system32\systems\1
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential3.pdf
Fri Apr 27 2012 22:07:38,432,macb,---a-----------,0,0,12044,[MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential4.pdf
Fri Apr 27 2012 22:07:44,432,macb,---a-----------,0,0,12045,[MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT FILE_NAME] WINDOWS\system32\systems\1\CO20EF~1.PDF
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
Fri Apr 27 2012 22:07:48,432,macb,---a-----------,0,0,12046,[MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF
We treat the exfiltration as complete when the file transfer ends; here the transfer is an FTP session:

Fri Apr 27 2012 22:10:14,0,macb,---------------,0,0,-1,[SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518
Fri Apr 27 2012 22:10:14,368,.a..,---a-----------,0,0,12031,[MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:11:03,344,.a..,---a-----------,0,0,1818,[MFT STD_INFO] WINDOWS\system32\drivers\etc\services
Fri Apr 27 2012 22:11:03,344,.a..,---a-----------,0,0,22706,[MFT STD_INFO] WINDOWS\system32\ftp.exe
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT FILE_NAME] WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT FILE_NAME] WINDOWS\Prefetch\FTPEXE~1.PF
Fri Apr 27 2012 22:11:13,472,macb,---a-------I---,0,0,12052,[MFT STD_INFO] WINDOWS\Prefetch\FTPEXE~1.PF

The [SOCKET] row comes from timeliner rather than from the MFT, which is why its size is 0 and its MFT entry column is -1.  The access to drivers\etc\services in the same second as ftp.exe is consistent with the FTP client looking up the port for the "ftp" service, and the prefetch file for ftp.exe is born ten seconds after the binary is accessed, which is when XP writes a process's prefetch file.

The following documents were exfiltrated:

Fri Apr 27 2012 22:07:38      432 macb ---a----------- 0        0        12044    [MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~3.PDF
                              432 macb ---a----------- 0        0        12044    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential3.pdf
                              432 macb ---a----------- 0        0        12044    [MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~3.PDF
Fri Apr 27 2012 22:07:44      432 macb ---a----------- 0        0        12045    [MFT FILE_NAME] WINDOWS\system32\systems\1\CONFID~4.PDF
                              432 macb ---a----------- 0        0        12045    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential4.pdf
                              432 macb ---a----------- 0        0        12045    [MFT STD_INFO] WINDOWS\system32\systems\1\CONFID~4.PDF
Fri Apr 27 2012 22:07:48      432 macb ---a----------- 0        0        12046    [MFT FILE_NAME] WINDOWS\system32\systems\1\CO20EF~1.PDF
                              432 macb ---a----------- 0        0        12046    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
                              432 macb ---a----------- 0        0        12046    [MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF

It is hard to be certain from the timeline alone, but the sequence suggests the documents were compressed with RAR and sent out over FTP: a WinRAR settings directory is created under the user binge's Application Data at 22:08:46, in the same second the prefetch file for r.exe is born, and r.exe is accessed again at 22:08:59 together with that directory, which points to r.exe being a renamed RAR binary.  The FTP session follows from 22:10:14 to 22:11:13:

Fri Apr 27 2012 22:07:44      [snip]
                              432 macb ---a----------- 0        0        12046    [MFT FILE_NAME] WINDOWS\system32\systems\1\confidential5.pdf
                              432 macb ---a----------- 0        0        12046    [MFT STD_INFO] WINDOWS\system32\systems\1\CO20EF~1.PDF
Fri Apr 27 2012 22:08:46      608 mac. rh------------- 0        0        10850    [MFT STD_INFO] Documents and Settings\binge\APPLIC~1
                              344 macb -------------D- 0        0        12048    [MFT FILE_NAME] Documents and Settings\binge\Application Data\WinRAR
                              344 m.cb --------------- 0        0        12048    [MFT STD_INFO] Documents and Settings\binge\Application Data\WinRAR
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\R.EXE-19834F9B.pf
                              472 macb ---a-------I--- 0        0        12049    [MFT FILE_NAME] WINDOWS\Prefetch\REXE-1~1.PF
                              472 macb ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:08:59      360 .a.. -hsa----------- 0        0        10905    [MFT STD_INFO] Documents and Settings\binge\Application Data\desktop.ini
                              368 .a.. ---a----------- 0        0        12033    [MFT STD_INFO] WINDOWS\system32\systems\r.exe
                              344 .a.. --------------- 0        0        12048    [MFT STD_INFO] Documents and Settings\binge\Application Data\WinRAR
Fri Apr 27 2012 22:09:01      472 mac. ---a-------I--- 0        0        12049    [MFT STD_INFO] WINDOWS\Prefetch\REXE-1~1.PF
Fri Apr 27 2012 22:10:14        0 macb --------------- 0        0        -1       [SOCKET] PID:4 172.16.150.20:1365 6(TCP) offset: 0x0x82228518
                              368 .a.. ---a----------- 0        0        12031    [MFT STD_INFO] WINDOWS\system32\systems\g.exe
Fri Apr 27 2012 22:11:03      344 .a.. ---a----------- 0        0        1818     [MFT STD_INFO] WINDOWS\system32\drivers\etc\services
                              344 .a.. ---a----------- 0        0        22706    [MFT STD_INFO] WINDOWS\system32\ftp.exe
Fri Apr 27 2012 22:11:13      472 macb ---a-------I--- 0        0        12052    [MFT FILE_NAME] WINDOWS\Prefetch\FTP.EXE-0FFFB5A3.pf
                              472 macb ---a-------I--- 0        0        12052    [MFT FILE_NAME] WINDOWS\Prefetch\FTPEXE~1.PF
                              472 macb ---a-------I--- 0        0        12052    [MFT STD_INFO] WINDOWS\Prefetch\FTPEXE~1.PF

Conclusion

As we can see, there is value in creating timelines from memory artifacts.  In this case we can see when the attacker first got onto the machine, when they ran various tools, when they took things from the machine and what they took.  We hope you enjoyed this post and that you find the timelining capability useful in your investigations!  If you have any questions, please feel free to reach out to me by email or on twitter (@gleeda).