
Log2timeline

What is log2timeline?

It is a tool written in Perl whose main purpose is to parse various log files and system artifacts in order to produce a timeline that investigators and forensic analysts can examine. Although the end of this project and its replacement by “Plaso” (http://plaso.kiddaland.net/) have already been announced, in this post we will see how to install and use a tool that still has a lot to offer 😉

This tool is written in Perl for Linux, but it has been tested on Mac OS X (10.5.7+ and 10.6+). Part of the tool should work natively on Windows (with ActiveState Perl installed), while other parts need to be modified to work correctly on Windows. It was written by Kristinn Gudjonsson, who published the following Gold Paper, where the use of the tool is covered in more detail: “http://www.sans.org/reading-room/whitepapers/logging/mastering-super-timeline-log2timeline-33438”.

Next we will see how to install the tool on Linux (Debian), plus some practical usage examples.

Index:
1.1 Installing log2timeline.
2.1 Usage Examples.
3.1 MAN Page.

 

1.1 Installing log2timeline

1) Download the tool from the official site: “wget log2timeline.net/files/log2timeline_0.64.tgz”. If that link is broken, use this one instead: “https://log2timeline.googlecode.com/files/log2timeline_0.65.tgz”.

2) Unpack the tar.gz:
– gunzip log2timeline_0.64.tgz
– tar -xvf log2timeline_0.64.tar

3) Check which dependencies we have to resolve for our installation:
– cd log2timeline
– perl Makefile.PL

In my case, I have to resolve the following dependencies:

Warning: prerequisite Archive::Zip 1.18 not found.
Warning: prerequisite Carp::Assert 0 not found.
Warning: prerequisite DBD::SQLite 0 not found.
Warning: prerequisite DBI 1.52 not found.
Warning: prerequisite Data::Hexify 0 not found.
Warning: prerequisite Date::Manip 0 not found.
Warning: prerequisite DateTime 0.41 not found.
Warning: prerequisite DateTime::Format::Strptime 0 not found.
Warning: prerequisite DateTime::TimeZone 0 not found.
Warning: prerequisite Digest::CRC 0.14 not found.
Warning: prerequisite File::Mork 0.3 not found.
Warning: prerequisite HTML::Parser 0 not found.
Warning: prerequisite HTML::Scrubber 0 not found.
Warning: prerequisite Image::ExifTool 0 not found.
Warning: prerequisite LWP::UserAgent 0 not found.
Warning: prerequisite Mac::PropertyList 0 not found.
Warning: prerequisite Net::Pcap 0 not found.
Warning: prerequisite NetPacket::Ethernet 0 not found.
Warning: prerequisite NetPacket::IP 0 not found.
Warning: prerequisite NetPacket::TCP 0 not found.
Warning: prerequisite NetPacket::UDP 0 not found.
Warning: prerequisite Params::Validate 0 not found.
Warning: prerequisite Parse::Win32Registry 0 not found.
Warning: prerequisite XML::LibXML 0 not found.
Warning: prerequisite XML::LibXML::Common 0 not found.

For this we will use CPAN. But before entering CPAN, we must check that we have what is needed to compile the dependencies. To that end we install “make” and “gcc”:
– apt-get install make gcc

Then we run the “cpan” command, which drops us into Perl's package management tool. It will ask us to configure the parameters CPAN needs; we can let it choose everything automatically.

We start installing the dependencies with the “install” command:
install YAML
install Archive::Zip
install Carp::Assert
install DBI
install DBD::SQLite
install Data::Hexify
install Date::Manip
install DateTime
install DateTime::Format::Strptime
install DateTime::TimeZone
install Digest::CRC
install File::Mork
install HTML::Parser
install HTML::Scrubber
install Image::ExifTool
install LWP::UserAgent
install Mac::PropertyList
install Params::Validate
install Parse::Win32Registry
install NetPacket::Ethernet
install NetPacket::IP
install NetPacket::TCP
install NetPacket::UDP
install Net::Pcap
install XML::LibXML
install XML::LibXML::Common

4) The following dependencies I resolved with APT:
– Net::Pcap -> apt-get install libnet-pcap-perl
– XML::LibXML -> apt-get install libxml-libxml-simple-perl

5) Check again that the dependencies are resolved by running once more:
– perl Makefile.PL

6) If there are no unresolved dependencies left, we build and install log2timeline:
make
make install
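Steps 3 to 6 above amount to reading the “Warning: prerequisite ... not found.” lines printed by perl Makefile.PL and typing one install line per module into cpan. The following Python script is an added example (not part of the original post and not log2timeline's own tooling) that automates that reading: it parses the warning lines into a cpan install plan and routes the two modules the post resolves with APT to apt-get instead. The APT package mapping is the one given in step 4; the sample Makefile.PL output is constructed from a few of the lines shown above; run_makefile_pl() is a hypothetical helper that actually runs perl Makefile.PL in the unpacked source directory and is only called if you wire it in.

```python
"""Turn `perl Makefile.PL` prerequisite warnings into an install plan.

Added example, not part of the original post and not log2timeline's own
tooling.  Parses the "Warning: prerequisite X Y not found." lines that
ExtUtils::MakeMaker prints and emits the cpan `install` commands, routing
the modules the post installs with APT to apt-get instead.
"""
import re
import subprocess

# Mapping taken from step 4 of the post: modules resolved with Debian packages.
APT_PACKAGES = {
    "Net::Pcap": "libnet-pcap-perl",
    "XML::LibXML": "libxml-libxml-simple-perl",
}

# Shape of the warning line emitted by ExtUtils::MakeMaker.
WARNING_RE = re.compile(r"^Warning: prerequisite (\S+) (\S+) not found\.")

# Constructed sample of Makefile.PL output: a few of the warnings from the
# post plus unrelated lines, to show that only the warnings are picked up.
SAMPLE_OUTPUT = """\
Checking if your kit is complete...
Looks good
Warning: prerequisite Archive::Zip 1.18 not found.
Warning: prerequisite DBI 1.52 not found.
Warning: prerequisite Net::Pcap 0 not found.
Warning: prerequisite XML::LibXML 0 not found.
Writing Makefile for log2timeline
"""


def missing_prerequisites(makefile_output: str) -> list[tuple[str, str]]:
    """Return (module, minimum_version) for every prerequisite warning, in order."""
    found = []
    for line in makefile_output.splitlines():
        m = WARNING_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def install_plan(makefile_output: str) -> dict[str, list[str]]:
    """Split the missing modules into cpan `install` lines and apt package names.

    YAML is listed first, as in the post: cpan uses it to persist the
    configuration it asks for on first start.
    """
    cpan = ["install YAML"]
    apt = []
    for module, _version in missing_prerequisites(makefile_output):
        if module in APT_PACKAGES:
            apt.append(APT_PACKAGES[module])
        else:
            cpan.append(f"install {module}")
    return {"cpan": cpan, "apt": apt}


def run_makefile_pl(source_dir: str) -> str:
    """Hypothetical helper: run `perl Makefile.PL` in the unpacked tree and return its output.

    MakeMaker prints the prerequisite warnings on stderr, so both streams are
    captured.  Not called at import time; needs the tarball unpacked.
    """
    proc = subprocess.run(["perl", "Makefile.PL"], cwd=source_dir,
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    plan = install_plan(SAMPLE_OUTPUT)
    print("# feed these lines to the cpan shell:")
    print("\n".join(plan["cpan"]))
    if plan["apt"]:
        print("# and install these with apt:")
        print("apt-get install " + " ".join(plan["apt"]))
```

Replace SAMPLE_OUTPUT with run_makefile_pl("log2timeline") to drive it from the real Makefile.PL output; re-running it after installing (step 5) should leave install_plan() with only the YAML line.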

 

2.1 Usage Examples

The following are practical usage examples for the most common system artifacts to analyse:

1) Internet Explorer:
log2timeline -z localtime -m username -f iehistory /path/to/index.dat >> bodyfile

2) Firefox:
log2timeline -z localtime -m username -f firefox3 /path/to/places.sqlite >> bodyfile

3) Recycle Bin:
log2timeline -z localtime -m username -f recycler /path/to/RECYCLER/{CID}/INFO2 >> bodyfile
log2timeline -z localtime -m username -f recycler /path/to/RECYCLER/{CID}/$I###### >> bodyfile (W7/Vista)

4) UserAssist:
log2timeline -z localtime -m username -f userassist /path/to/NTUSER.DAT >> bodyfile

5) Office 2007 Word files:
log2timeline -z localtime -f oxml /path/to/Office2007.docx >> bodyfile

6) Shortcuts (.lnk):
log2timeline -z localtime -m username -f win_link filename.lnk >> bodyfile

7) PCAP files:
log2timeline -z localtime -m username -f pcap /path/to/Network.pcap >> bodyfile

8) Sort the file that now holds all the information needed to build the timeline, which will let us understand the scenario in which the incident took place. For this we use the “mactime” tool, passing it the timezone of the system from which the analysed information was extracted:

– mactime -b bodyfile -z "timezone" > supertimeline.csv
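What the mactime step actually does with the bodyfile is easy to lose sight of. The following Python script is an added example (not part of the original post, and not mactime's or log2timeline's code) that reproduces it on a constructed body file: each record of the TSK 3.x body format that mactime -b reads (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) is expanded into one timeline row per distinct timestamp, flagged with the MACB letters that hit that instant, and rendered in the timezone passed as the equivalent of -z. The sample records, paths and timestamps are made up for the example; treating 0, -1 and empty as “no timestamp” is an assumption of this example.

```python
"""Build a sorted "supertimeline" from a mactime-style body file.

Added example (not part of the original post, and not log2timeline's or
The Sleuth Kit's own code).  It reproduces what `mactime -b bodyfile -z TZ`
does: every record carries four epoch timestamps (atime, mtime, ctime,
crtime); the timeline lists one row per distinct instant, tagged with an
"MACB" flag string, rendered in the timezone of the examined system.

Assumed input format (TSK 3.x body format, which is what mactime reads):
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample body file: three records, one of them with a timestamp
# shared with another record so the flag merging and sorting are visible.
SAMPLE_BODYFILE = """\
0|C:/Users/joe/places.sqlite (URL visited: http://example.test/)|0|0|0|0|0|1356998400|1356998400|1356998400|1356998400
0|C:/Users/joe/Desktop/report.lnk|0|0|0|0|0|1356999000|1356998400|1356999000|1356990000
0|C:/RECYCLER/S-1-5-21-XXXX/INFO2 (deleted: secret.doc)|0|0|0|0|0|1357002000|1357002000|1357002000|1357002000
"""


@dataclass
class TimelineRow:
    when: datetime
    macb: str   # e.g. ".ac." : which of mtime/atime/ctime/crtime hit this instant
    size: str
    mode: str
    uid: str
    gid: str
    inode: str
    name: str


def parse_body_line(line: str) -> dict:
    """Split one body-file line into its 11 fields; raise on malformed input."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 '|' separated fields, got {len(fields)}: {line!r}")
    _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
    return {
        "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
        "size": size,
        # body files store epoch seconds; 0, -1 or empty are treated here as "not set"
        "times": {"m": mtime, "a": atime, "c": ctime, "b": crtime},
    }


def _tz(name: str):
    # "UTC" is handled without tzdata so the example runs on minimal hosts;
    # any other name is resolved through the system zoneinfo database.
    return timezone.utc if name.upper() == "UTC" else ZoneInfo(name)


def build_timeline(body_text: str, tz_name: str = "UTC") -> list[TimelineRow]:
    """Expand each record into one row per distinct timestamp, sorted by time.

    tz_name plays the role of mactime's -z: the timezone in which the epoch
    values are rendered (the timezone of the examined system).
    """
    tz = _tz(tz_name)
    rows: list[TimelineRow] = []
    for line in body_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_body_line(line)
        # Group the four timestamps by value, so an instant that is both the
        # atime and the ctime becomes a single row flagged ".ac.".
        by_instant: dict[int, set[str]] = {}
        for flag, raw in rec["times"].items():
            if raw in ("", "-1", "0"):
                continue
            by_instant.setdefault(int(raw), set()).add(flag)
        for epoch, flags in by_instant.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append(TimelineRow(
                when=datetime.fromtimestamp(epoch, tz=tz), macb=macb,
                size=rec["size"], mode=rec["mode"], uid=rec["uid"],
                gid=rec["gid"], inode=rec["inode"], name=rec["name"]))
    rows.sort(key=lambda r: (r.when, r.name))
    return rows


def render_csv(rows: list[TimelineRow]) -> str:
    """Render rows in mactime's column order: Date,Size,Type,Mode,UID,GID,Meta,File Name."""
    out = ["Date,Size,Type,Mode,UID,GID,Meta,File Name"]
    for r in rows:
        out.append(",".join([r.when.strftime("%a %b %d %Y %H:%M:%S"), r.size,
                             r.macb, r.mode, r.uid, r.gid, r.inode, r.name]))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_csv(build_timeline(SAMPLE_BODYFILE, "UTC")))
```

Passing the examined system's zone name (for instance "Europe/Madrid") as tz_name mirrors mactime -z; the epoch values in the body file are never changed, only their rendering, which is why the -z given to log2timeline and the one given to mactime must describe the same system.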

 

3.1 MAN Page

Name
log2timeline
– a log file parser that produces a body file used to create timelines (for forensic investigations).

SYNOPSIS
log2timeline
[OPTIONS] [-f FORMAT] [-z TIMEZONE] [-o OUTPUT MODULE] [-w BODYFILE] LOG_FILE/LOG_DIR [--] [FORMAT FILE OPTIONS]

OPTIONS
-s|-skew TIME

Time skew of original machine. The format of the variable TIME is: X | Xs | Xm | Xh, where X is an integer and s represents seconds, m minutes and h hours (default behaviour is seconds)
-m TEXT
Prepend the filename with the TEXT. That is TEXT is a string that is prepended in front of the file name to provide a path. Examples are -m C: to prepend the C:/ in front of each file name to indicate the partition the file came from.
-f|-format FORMAT
Use the following log file format to parse the content of the file. Use -f list to see the list of supported log files. Omitting this option makes log2timeline attempt to guess the format.
-u|-upgrade
Check the latest available version of log2timeline and compare it to current version (use to check if there is an available update)
-name HOST
Define the host name that the information is extracted from.
-o|-output FORMAT
Use the following output format. By default log2timeline uses the CSV output. To see a list of all available output formats, use -o list
-d|-detail
Some input modules have the capability to include very detailed amount of information (such as MFT, setupapi and prefetch). This switch will instruct modules to include those details in the timeline, so for instance to tell the MFT module to include the $FN timestamps, or the prefetch one to include loaded DLLs.
-w|-write FILENAME
Specify a file to write output to (otherwise STDOUT will be chosen).
-z|-zone TIMEZONE
This option defines the timezone that was used on the computer that the log files belonged to. The default value for this variable is the local timezone of the computer log2timeline is run on. There is an option to define -z list to get a list of all available timezones.
-Z|-Zone TIMEZONE
This option defines the timezone that is used in the output module of the tool. The default value for this variable is the same value that is defined in the -z option or the timezone of the host. This option is used so that output modules can output in a different timezone than the host is in, for instance to output in UTC even though the timezone of the host is in another timezone.
-t|-temp DIR
This option defines the temporary directory the tool uses. By default the front-end does not set the temporary directory, but allows the engine to automatically detect it. This option therefore overwrites the default temporary directory location. The engine checks the operating system in question, if it is Windows, it will try to determine the temporary path based on the Win32::API (so this might fail on 64-bit systems, perhaps better to use this option to set it manually on those systems). Otherwise it will use /tmp/ as the temporary directory (should work on *NIX systems).
-log FILENAME
Specify a file to write error and information messages from the log2timeline to a file, otherwise STDERR will be used.
-c|-calculate
If this option is used then a MD5 sum is calculated for the file and stored in the timestamp object
-x
Make log2timeline skip some more detailed tests to see if a file truly is in the correct input module. The tool should work faster with this option, however it might miss some files.
-e|-exclude LIST
A comma separated list of files to exclude from the scan. If a particular file has caused the tool to crash or not work, or you simply want to exclude some documents from the scan it is possible to exclude some
-r|-recursive
This option makes log2timeline work in a recursive way, the same behaviour as timescanner.
-p|-preprocess
If log2timeline is working in recursive mode (-r) it is possible to use the -p option to run a set of pre-processors against the image file. Preprocessors are modules that search through the suspect drive and extract needed information that can be used in other modules, such as hostname, etc.
-v|-verbose
Add debugging information. Possible to use with -v -v to increase some error messages.
-V|-Version
Display the version number
-h|-help|-?
Display this help message

Better description can be read in the man page of the program (man log2timeline).

DESCRIPTION
log2timeline
takes a log file (or a directory) and parses it to produce a body file that can be imported into other tools for timeline analysis. The tool has a modular approach to both the input file and the output file. The current version supports exporting the timeline in several different body formats. log2timeline is built as a series of scripts, this one being the front-end, which uses other scripts to actually parse the log files (called format files). The tool is built to be easily extended by anyone that wants to create a new format or an output file.

As noted above the default output mechanism is in a CSV file format, which can be easily imported into spreadsheet applications, and parsed by the tool l2t_process. The output format can be easily changed with the -o parameter. The output module can be set to output in a body format that needs to be imported into another tool for human readable format, or it can be implemented to print the timeline directly in a human readable format.

The tool is build using multiple so called input modules. Each of those input modules provide a single format that can be parsed, whether that is a log file or a directory containing some files that need to be parsed.

The purpose of the tool is to provide a single tool to parse various artifacts that are either produced by the suspect operating system or other systems that might have some logs pertaining to the investigation.

OVERVIEW
Further description of the parameters

-s|-skew TIME
Time skew of original machine. It is added (or subtracted) from each time (ctime, atime, mtime, crtime) in the bodyfile to compensate for a different time in some log files from the “correct” time. The format of the variable TIME is:

X | Xs | Xm | Xh
Where X is an integer and s represents seconds, m minutes and h hours (default behaviour is seconds). It is possible to prepend TIME with a minus sign (-) to indicate that the time skew is a negative number. Example of this usage is: log2timeline -s 1243 (a time skew of +1243 seconds is added to each time)
-m TEXT
Prepend the filename with the TEXT. That is TEXT is a string that is prepended in front of the file name to provide a path. Examples are -m C: to prepend the C:/ in front of each file name to indicate the partition the file came from.
-d|-detail
Some input modules have the capability to include a very detailed amount of information (such as MFT and prefetch). This switch will instruct modules to include those details in the timeline, so for instance to tell the MFT module to include the $FN timestamps, or the prefetch one to include loaded DLLs.

By default the MFT input module will only include the $STANDARD_INFORMATION timestamps, not the $FILE_NAME. This is due to the fact that in most cases these timestamps may not matter as much. However, especially in intrusion cases, these timestamps play a valuable role. Therefore this option exists to indicate to the tool that it should include the $FN timestamps in addition to the $SI ones.

The same goes with the prefetch module. It can potentially include information about all DLLs each prefetch loads up. This might be very useful information to have when dealing with malware cases, but it might be too much detail in most cases. Hence this is omitted now by default, unless the -d parameter is set.

The setupapi input module also includes a lot of verbose text that can be reduced to make the timeline more concise. This information is now by default omitted in the timeline unless this parameter is turned on.

So this parameter tells input modules to include more detailed information about the events. Not all input modules will honor this option, however more might come, and by default this option is not set.
-u|-upgrade
Check the latest available version of log2timeline and compare it to current version (use to check if there is an available update). What this option does is to fetch a file http://log2timeline.net/VERSION, which contains a single number, which reflects the latest released version of the tool. This version number is then compared to the tools version number to find out if there is a new version available on the official site.
-f|-format FORMAT
log2timeline has the capability to automatically detect the format of the log file. If this option is omitted log2timeline will attempt to guess the source file format. However the behaviour can be overwritten with this option. So if the -f parameter is set the tool will only use that input module to test against the log file. It is possible to either define a single input module, a list of them or the name of a list file that contains a list of input modules to use. To get a list of all available input modules use the option -f list.
-name HOST
Define the host name that the information is extracted from.
-o|-output FORMAT
Use the following output format. By default log2timeline uses the CSV output. To see a list of all available output formats, use -o list. This option works the same way as the format file option (-f) does, in that it searches the output folder for a file called FORMAT.pl and uses that to print the output that has been generated previously by the format file. The tool dies if the script FORMAT.pl does not exist or is of the wrong format (with an exit code of 13).
-w|-write FILENAME
The standard way to output the bodyfile or timeline is by using standard output (STDOUT). That can be overwritten using this option to redirect the output to a file.
-v|-verbose
Add debugging information
-z|-zone TIMEZONE
This option defines the timezone that was used on the computer that the log files belonged to. The default value for this variable is the local timezone of the computer log2timeline is run on. Depending on the supplied artifact it may be written using the timestamps from the original computer’s timezone or it may be written in a predefined timezone, such as UTC. If the “-z local” timezone is chosen the tool will print the found local timezone. The option -z list prints out a list of all available timezones that can be chosen.
-Z|-Zone TIMEZONE
This option defines the timezone that is used in the output module of the tool. The default value for this variable is the same value that is defined in the -z option or the timezone of the host. This option is used so that output modules can output in a different timezone than the host is in, for instance to output in UTC even though the timezone of the host is in another timezone.
-t|-temp DIR
This option defines the temporary directory the tool uses. By default the front-end does not set the temporary directory, but allows the engine to automatically detect it. This option therefore overwrites the default temporary directory location. The engine checks the operating system in question, if it is Windows, it will try to determine the temporary path based on the Win32::API (so this might fail on 64-bit systems, perhaps better to use this option to set it manually on those systems). Otherwise it will use /tmp/ as the temporary directory (should work on *NIX systems).
-log FILENAME
Specify a file to write error and information messages from the log2timeline to a file, otherwise STDERR will be used.
-c|-calculate
If this option is used then a MD5 sum is calculated for the file and stored in the timestamp object
-x
log2timeline will by default try to run a minimized test on the input file to determine if it is of the correct structure. For instance only to test the first byte to see if it matches. This could lead to some files not being detected by log2timeline. Therefore the -x option is provided to skip this pre-test and move directly to a more comprehensive test that is otherwise done after the pre-test is successful. This might lead to fewer false positives, but in turn makes the tool a bit slower.
-V|-Version
Display the version number of the tool log2timeline and exit with the exit code 0.
-h|-help|-?
Display a help message explaining the available options to the tool (a simple version of this man page).
-e|-exclude LIST
A comma separated list of files to exclude from the scan. If a particular file has caused the tool to crash or not work, or you simply want to exclude some documents from the scan it is possible to exclude some.

Example:
log2timeline -f winvista -r -z local -e 'Windows-Diagnosis,secret[0-3]' /mnt/windows

This would scan all the directory /mnt/windows recursively, using only modules associated to a Windows Vista or later operating system, and excluding all filenames that have “Windows-Diagnosis” in them or contain the word secret0/secret1/secret2 or secret3 in it.
-r|-recursive
This option makes log2timeline work in a recursive way, the same behaviour as timescanner.
-p|-preprocess
If log2timeline is working in recursive mode (-r) it is possible to use the -p option to run a set of pre-processors against the image file. Preprocessors are modules that search through the suspect drive and extract needed information that can be used in other modules, such as hostname, etc.
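Two of the option grammars defined in the OVERVIEW above are small enough to implement exactly, which makes their edge cases visible: the -s|-skew TIME value (X | Xs | Xm | Xh, seconds by default, optional leading minus sign) and the -e|-exclude LIST from the winvista example. The following Python code is an added example, not log2timeline's own; that each exclude entry is matched as a regular expression against the path is an assumption drawn from the man page's own “secret[0-3]” entry, and the timestamps and paths fed to it are constructed.

```python
"""The -s|-skew TIME grammar and the -e|-exclude LIST from the log2timeline
man page, as an added example (not log2timeline's own code).

skew_seconds() implements X | Xs | Xm | Xh with an integer X, seconds as the
default unit and an optional leading minus; apply_skew() shifts a record's
timestamps by that amount.  is_excluded() applies a comma separated exclude
list to a path, treating each entry as a regular expression (an assumption
taken from the man page's "secret[0-3]" entry).
"""
import re

_SKEW_RE = re.compile(r"^(-?)(\d+)([smh]?)$")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}

# Exclude list from the man page example, reused by the usage code below.
EXCLUDE_LIST = "Windows-Diagnosis,secret[0-3]"


def skew_seconds(value: str) -> int:
    """Parse a -s value into seconds: "1243" -> 1243, "2h" -> 7200, "-90m" -> -5400."""
    m = _SKEW_RE.match(value.strip())
    if not m:
        raise ValueError(f"invalid skew {value!r}: expected X, Xs, Xm or Xh")
    sign, digits, unit = m.groups()
    seconds = int(digits) * _UNIT_SECONDS[unit]
    return -seconds if sign else seconds


def is_valid_skew(value: str) -> bool:
    """True if value matches the -s grammar (so "2d" or "1h30m" are rejected)."""
    return _SKEW_RE.match(value.strip()) is not None


def apply_skew(timestamps: dict[str, int], skew: str) -> dict[str, int]:
    """Add the skew to every timestamp; a zero timestamp is treated as "not set" and left alone."""
    delta = skew_seconds(skew)
    return {name: (ts + delta if ts else ts) for name, ts in timestamps.items()}


def compile_exclude_list(exclude: str) -> list[re.Pattern]:
    """Split the -e value on commas and compile each non-empty entry as a regex."""
    return [re.compile(entry.strip()) for entry in exclude.split(",") if entry.strip()]


def is_excluded(path: str, exclude: str) -> bool:
    """True if any entry of the exclude list matches somewhere in the path."""
    return any(p.search(path) for p in compile_exclude_list(exclude))


if __name__ == "__main__":
    # Constructed record whose source clock ran two hours slow, as in the
    # squid example (-s 2h) further down.
    print(apply_skew({"atime": 1356998400, "mtime": 1356998400, "ctime": 0, "crtime": 0}, "2h"))
    for candidate in ("/mnt/windows/Windows-Diagnosis/a.log", "/mnt/windows/Users/joe/secret7.doc"):
        print(candidate, "excluded" if is_excluded(candidate, EXCLUDE_LIST) else "kept")
```

Note that secret7 is kept while secret2 is excluded: the bracket expression in the entry is what restricts the match, which is the behaviour the man page describes for secret[0-3].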

EXAMPLES

log2timeline -f list
Print a list of all available format files.
log2timeline -f firefox3 -z EST5EDT -w /tmp/bodyfile places.sqlite -- -u JOE 2> /tmp/body.log
Use the Firefox 3 history parser to parse a places.sqlite file that contains history information. Prepend the output with information about the user that owned the file, in this case the user JOE owned this history file. The output, which is in the TLN format, will be written to the file body, while all log messages are written to the file body.log (STDERR is redirected to a file).
log2timeline -z local -f squid -s 2h access.log > squid.body
Parses an access log file from Squid to produce a body file that is output into the file squid.body. Two hours are added to each time in the timeline to correct the time settings of the log file that is parsed.
log2timeline -z GMT -f prefetch WINDOWS/Prefetch >> case.body
Parses the content of the Windows Prefetch directory and adds the timeline to the already available case.body timeline.
log2timeline -f recycler -z local -o sqlite -w /tmp/rec.sql RECYCLER/S-1-5-21-…./
Parses the content of the INFO2 file, found inside each recycle bin and prints out information into a SQLite database (/tmp/rec.sql).
log2timeline -z local -f winxp -r -p /mnt/analyze
Make log2timeline recursively go through the mount point /mnt/analyze using the available input modules that are stored inside the winxp list file (those that are relevant to a Windows XP machine). Before running the recursive scan the pre-processing modules are run against the image to gather information from it.