As we mentioned in a previous blog post and in our presentations, we have recently been focusing our attention on the Reconstruction Phase of the digital investigation process. During the Reconstruction Phase, a digital investigator will attempt to organize the analysis results to help develop a theory about what happened during an incident. One method investigators have traditionally used to organize file system analysis is to elucidate the temporal relationships between digital artifacts. This technique is referred to as temporal reconstruction.
Dan Farmer demonstrated the usefulness of temporal reconstruction of filesystem events with the 'mactime' program. In fact, he called mactime "the most potentially valuable forensic tool in your digital detective toolkit" (Farmer, 2000). Rob Lee eventually extended this work with the 'mac_daddy' program and finally these tools were combined by Brian Carrier into the SleuthKit's versions of 'mactime' and 'mac-robber'. Recently, Florian Buchholz has also done a lot of interesting research exploring the characteristics of these temporal relationships and demonstrating the value of being able to combine disparate data sources, Zeitline.
In this blog entry, we will demonstrate how digital artifacts extracted from volatile memory analysis can be combined with artifacts from file system analysis to help reconstruct a more complete understanding of the digital crime scene. In fact, volatile memory analysis often provides the context necessary to link seemingly disparate events and their related artifacts, in ways that are not possible with typical live response tools. Using these temporal relationships, we have also been able to develop "temporal incident patterns" allowing us to quickly discern tools and techniques that may have been involved in an incident based on their "temporal footprints". We have also found that the ability to visualize these temporal relationships is invaluable for both presentation and knowledge discovery.
The following images will help demonstrate how a digital investigator can use both volatile memory analysis and visualization to improve temporal reconstructions of the digital crime scene. The file system events used to populate the time line in the images were generated using the Sleuthkit's 'mactime' program. These instantaneous events are represented in the image with blue dots and relate to the time attributes (LastWriteTime, LastAccessTime, CreationTime, etc) associated with files and directories in a file system, MACtimes. The following image is a visual time line representation of a filtered set of file system events.
In the next image, we augment the time line with events extracted using live response techniques, one type of run time state analysis. Live response allows us to extract events about objects that were active on the system when acquisition was performed. This could be extracted with your typical live response toolkit (RAPIER, WFT,etc). The red dots in this image are used to denote when a process was created. Unlike the file system events, this is a duration event since it has both a start time and an end time. In this image, the end time relates to when the live response was performed, represented by the gray dot. The green dot, another instantaneous event, represent when a process binds a specific port address to its socket. This augmented time line can be seen in the following image.
The final image demonstrates how using volatile memory (RAM) analysis to perform run time state analysis can be used to further augment our temporal reconstruction of the digital crime scene. In this case, the temporal events were extracted from volatile memory using Volatility. In contrast to the previous image, we are not only able to augment the time line with those objects that where active when live response was performed but also with objects that may have been relinquished by the operating system. The blue dots in the image once again represent file system events. The red dots represent process creation events, except this time a process duration event ends with memory acquisition or when a process exited. The green dots relate to binding sockets and the grey dot relates when memory acquisition was performed. The final augmented time line can be seen in the following image.
The purpose of this blog entry was to demonstrate the usefulness of being able to augment temporal reconstruction with both visualization and volatile memory analysis. In the final image, we can easily see how including volatile memory analysis and visualization allow us exploit temporal locality and volatile context to develop theories about the incident. We have found this to be invaluable during the reconstruction phase of the digital investigations process.
Despite the usefulness of these techniques, it is important to keep in mind that timestamps can be manipulated by a determined adversary and recently tools, such as timestomp, have been created to frustrate temporal reconstructions of filesystems. Recent research has also discussed important considerations for the digital investigator as they work with temporal data. Temporal reconstruction is not the panacea but a digital investigator should combine many types of analysis techniques during their digital investigations.
More details to follow ...