Only a qualified computer forensics expert from a company such as Compute Forensics should be selected to perform forensic data collection. You can call us on +44 (0)203 5989658, email us at expert@compute-forensics.com or ‘Live Chat’ to a computer forensics expert witness by clicking on the red tab at the left of the website. Compute Forensics offers a global collection service for e-Discovery firms, Digital Forensic firms and businesses under litigation. Compute Forensics can provide training and equipment to IT departments that require the collection skills themselves as to give a lightning response that is needed when the need arises.

Introduction

This article is designed to be a general overview of the actions, programs and techniques used in data collection before scenarios such as a digital investigation of a recently departed employee or for an e-Discovery litigation hold.

What is Forensic Imaging?

Forensic imaging, in a nutshell, is the act of gathering data in a court accepted fashion from digital media to a Veracrypted encrypted output device where possible. That data may come from a live system, a dead PC, DVD, iMac, USB disk, X-Box or remote mailbox. Those are just a few examples.

Typically, the source media should be placed into a blocked state when being read and the data outputted to an attached destination disk with read/write access. It is essential contiguous notes of the system and steps taken are made while the imaging is taking place. The forensic imaging should be done by a certified, experienced digital forensics expert witness or at least an individual with collection training and IT knowledge.

On certain occasions blocking writes to the source media may not be possible such as if you are presented with a live system server or an encrypted system that is discovered switched on. In these instances, the image must be taken live as not to disturb a server or re-encrypt an unlocked disk.

In addition to noting the collection process, it is important to note the physical location of the evidence and store it in a compliant manner and always gain signatures when handing over data.

Tip: As a rule, if the system is switched off leave it that way. If it is changed on leave, it switched on but take the computer, laptop or phone off the network and connected to power. For a computer that may mean unplugging the network cable, sliding a switch to ensure WIFI is off, pulling out a dongle, popping out a network card or disabling networking in the control panel of the operating system. For a tower computer, it may mean just pulling out the Ethernet cable.

What is a Physical Forensic Image?

A physical forensic image is a full ‘bit for bit’ copy of the particular media. This includes every byte of data from the live file system to the unallocated deleted areas of the disk.

The forensic image may be outputted in some formats such as a simple format agnostic raw dd image format, the common EnCase E01 evidence image or the less common Advanced Forensics Format (AFF). If you wrote this forensic image back to a disk in its raw format (FTK has this functionality) with the same capacity, it would be identical in every way to the original. From this image, a computer forensic analysis would be conducted as not to risk damaging the original.

I have personally experienced occasions where forensic software wasn’t used to collect the data for some reasons like a RAID wasn’t being recognised on older systems or the disk was not being read in Windows. In these instances, something akin to a bootable Clonezilla Live distro may be used to produce the image. When doing so always explain your reasoning in notes and find the verify or MD5 hash the result if necessary. Getting something is better than walking away with no data at all. Again this should always be done by a qualified person that is well versed in forensic imaging.

What is a Logical Forensic Image?

A logical forensic image or skeleton image is a particular copy of certain files from a source. Many programs can produce logical images: Stefan Fleischmann’s excellent X-Way’s Imager, the superb and free FTK Imager or new on the scene Magnet’s Acquire software can be used to do this in a Windows environment.

A logical acquisition is the option to use if the digital expert requires a targeted collection for litigation reasons, just a few files of interest are needed, or the client collect wishes you to collect from one or more custodian’s user profiles from a server that may have many users.

In an active state, FTK Imager Lite as shown in Fig 1, can be executed from the destination disk on the computer you wish to extract from as not to write to the live computer by installing software to the source. A custom content list can be built into the programs user interface, and a logical forensic image file is thus produced.

FTK Imager can be used to mount forensic images to view in Windows Explorer, build custom content images of live machines, image RAM (random access memory) from a live system, view and export from Linux/Mac/Windows filesystems and most commonly forensically image a hardware or software writeblocked device to an external disk. FTK Imagers only drawback is when an examiner images a damaged disc the software fills in the unreadable sectors with 0’s. Not attempting to read the drive is unacceptable when a data recovery solution such as ‘ddrescue‘ may recover a whole email collection where the forensic tool fills what it can’t read with 0’s. In an investigation or legal hold, every byte counts! I have been the examiner that has acquired 100% of an image where others had to explain in court why some sectors weren’t imaged.

Fig 1 FTK Imager Version 3.3.0.5 the Crème De La Crème of Forensic Imaging Tools

On a live Mac you may want to produce a full image using a bootable Linux forensics distribution such as Caine then go on to build a list from that main image onsite should the client not want all the data walking off site. There are other solutions like BlackBag’s convenient MacQuisition.

Verification MD5 and SHA1

The verification information is hardcoded inside the metadata of the image in the case of most advanced forensic image formats such as E01, AD1, and AFF. A log is produced by any decent imaging software with a verification sum generated for the forensic image to signify the image is identical to the original. Verification is done so that the professional examining the image can be sure the image hasn’t changed since it was taken by checking the MD5 or SHA1 hash sum or other before commencing the investigation.

Fig 2 displays an example log auto-generated by AccessData’s FTK Imager. The imaging log gives forensic experts some information about the physical capacity of the disk, serial number and some of the notes I have used. In this case, the image was a server that was running a virtual machine. FTK imager was run live in this instance in the emulated environment, and the image was outputted to the emulated physical disk. Another option is shutting down the virtual machine image and logically copying and verifying the file or indeed the whole of the servers physical disk. Shutting down a server may cause financial loss to a firm and disruption if the server is in use. If it is on image the machine while it is in that state while taking notes, that is my recommendation.

Fig 2 – Example Forensic Imaging Log File Automatically Generated by FTK Imager Lite V3.1.1.8

Email E-Discovery Collection

Anyone collecting emails should be sure that emails on the local computer mailbox match the server. If they don’t then it is good practice to receive from both anyway and let the software de-duplicate the items, so you obtain a complete picture of the emails in the forensic search. Computers were after all invented to take the labour out of tasks.

Emails can appear in many forms (Lotus Notes NSF archives, Microsoft PST/OST’s, or individual EMLX or MSG files) and may not even reside on the custodian’s hard disk or smartphone under investigation. Other places they could be discovered are on enterprise servers, as a fragment in the deleted areas of a hard disk or even on the cloud via services such as Gmail for business or Microsoft 365. The email archive may also carry encryption so you may get a Lotus Notes NSF email archive file; without the unlock ID and a tool to open you will run into trouble, which goes for password locked PST’s too.

A computer forensic collection of emails may be as simple as collecting a PST email archive file that resides locally on an individual’s laptop, server or user share.

A more complex instruction may need the collection of specific emails that contain only certain keywords on a Microsoft Exchange server while keeping the integrity of the email attachment/mailbox structure. In these more complex situations an E-Discovery collection expert and your client may need to cough up for Discovery Attender by Sherpa Software, this excellent program plugs into your exchange server and can search, filter and extract onsite. You could also attach FTK with an enterprise agent or even image the whole disk and search from that image onsite.

I have created a summary guide below of the best tools in my experience in email E-Discovery collection:

Summary of Email Formats and Best Tools for E-Discovery Email Collections

• Local PST/OST Just logically collect an image using FTK Imager or similar. Be sure to hash verify the collected items if copied and make notes!
• Webmail such as Gmail/Hotmail/Yahoo/365 Etc Use Intella’s PI or the chopped starting at $100 for a 10GB case limit. Using IMAP settings (and permission!) you can collect the whole remote email archive as the binary file and export as a PST file. All these actions carry a full audit log. Many webmail providers such as Gmail have a built-in option to backup and download the whole archive; you may also consider this.
• Microsoft Exchange Database It is possible to just download the whole EDB file and process in FTK 5.6 the full version or later. You could export different custodians as a PST, search, and filter if needed. If you need a few custodians, then something like MessageOps is convenient. You can install the software on the server, and with admin, credentials run through and select the custodians you wish to export from. The results are outputted as nicely packaged PST’s along with a log file for verification. Dated indigenous X-merge can also export mailboxes as a PST, but it has a 2GB limit and can be a pain in more extensive collections.
• Lotus Notes The mailbox can be exported from the custodian machine in its entirety in the GUI options of the mail user interface. This approach is great if you have a few especially the admin ID file that contains the decryption keys. Then Proofinder or FTK 5.6 or later can be used to mount and read these archives. You may want to collect direct from the server. In the live environment, you may find the archives don’t copy. Use Teracopy or Robocopy or something similar to copy stubbornly locked files in a live setting. It is quite likely Samsung, or similar doesn’t want its Lotus IBM Domino database of 1000 users shut down for 20 hours while it is being imaged! If you have never encountered Lotus Notes before it is because it is antiquated and belongs in the dustbin of history; you needn’t a Delorian or the Doc to go back in time a few minutes in the dated GUI with fool anyone into thinking it is 1994!
• Loose or Deleted Emails These can be recovered from the server or local by using a data recovery program such as the ugly but effective photorec as shown below Fig 3. Data Recovery should be made from a previously produced forensic image. If an image is not possible an experienced computer forensics collection expert would run photorec live from an external disk and output the data to that same external disk. Emails may also be logically recovered from the email admin interface or reside on the server even though they have been deleted from the custodian’s machine.

Warning: Do not install data recovery software to the drive you wish to recover from or worse still output the retrieved data to the source drive.

Fig 3 – PhotoRec TestDisk’s Beautiful and Modern User Interface

Physically Forensic Imaging Using a Hardware Writeblocker

Many Computer Forensic companies such as Compute Forensics choose to use a hardware write blockers in many instances. A writeblocker is just a device that halts any writes to the disk from the forensic examination system when copying or viewing. This is shown in Fig 4. A computer forensics examiner would then go on to attach this device to a USB 3.0 socket on the examination computer’s USB 3.0 port for optimum speed. Making sure the evidence disk is in ‘Locked Mode’ it can be attached to the device. The disk should then show up in Windows Explorer and FTK Imagers ‘Add Evidence’ GUI option. The device should now be safe as it is now attached to a hardware writeblocker.

Writeblocking devices used to cost £1000’s but recently Compute Forensics discovered a decent one built by CoolGear. The Coolgear forensic imaging device has USB 3.0 support and images 2.5″ and 3.5″ sizes of SATA drives. You can pick one of these up for £40.00. I, Alistair Ewing, have tested the CoolGear forensic writeblocker and am content with the performance. It is fast and reliable.

Imaging Bottlenecks

The device will only read/copy as fast as the slowest component. On average it takes 4-8 hours for one disk to complete despite companies boasting 500mbs second speeds the device will image anywhere from 1mbs to 80mbs-100mbs. A skilled examiner can copy up to 8 drives at once, much like spinning plates. Collection costs can start at around the £700 a day mark dependant. If you are a company instructing us, please don’t complain if your rickety 15-year-old IDE disk is taking too long to copy!

Fig 4 – CoolGear USB 3.0 Forensic Writeblocker Attached to a 3.5″ SATA Hard Disk Drive

Forensic Imaging Using any SATA/IDE to USB Adaptor and Software Blocking

Another unorthodox method I have used in the past when the drive attached to the write blocker won’t read, or you need a special adapter that isn’t IDE or SATA. This method uses a software blocker and a USB to SATA, IDE, memory card or whatever adaptor. Make sure the destination drive is a USB 3.0 external drive for speed. A software writeblocking program is used in this instance. Usage is simple but also easy to screw up.. Royally! The steps are:

1) Plug in your destination drive.

2) Start Ratool or Thumbscrew and select ‘Block USB Storage Devices’ and then apply changes.

3) Plug in a test USB disk and try and delete format it. Windows shouldn’t allow writing access to this disk.

4) If it does repeat step 2) & 3) until the drive is blocked. When blocked it is safe to plug in the USB disk and adapter in the port that you plugged your test device into the system.

5) Now you should have your destination writable (anything previously plugged in will be writeable too) and your evidence USB stick, Drive or Card plugged in but blocked.

6) Use your favourite imaging software such as FTK imager or Magnet Aquire. Output the full physical disk to your destination disk. Be sure to make continuous notes of what you are doing, videos, pictures of the system and be sure to check the image has been MD5 verified by the hash sum, then you can be sure the copy is identical to the original.

Forensic Imaging Using a Forensic Bootdisk or USB

Using a bootdisk is the preferred method as you don’t need to waste time opening up a drive. The operating system uses the system as a terminal device, and the hard disks are by default blocked. This method works on most Macs, Windows and Linux systems.

Caine, Paladin & Deft – 3 Free Computer Forensic Bootable Linux Distros

Firstly download a distro, my favourite is favourite is Caine. Famous actor Michael Caine assembles it (Only kidding it is made by Italian consultant Nanni Bassetti!). Another great free distro that you have to register to obtain is Suri’s Paladin, see Fig 4. Download the ISO from the website then burn the ISO to a DVD or use Rufus with default settings to make a bootable USB disk. To produce a bootable USB in Rufus merely select the USB stick, click the disk logo and locate the ISO you just downloaded then hit the start button and wait for your bootable USB to be prepared. Always have a copy of DEFT or Helixhandy on a compact disk rather than DVD in case you are working on a device that won’t boot from DVD or USB. from a device that won’t boot from DVD or USB.

Fig 4 Paladin’s ToolBox Imaging Graphical User Interface in Linux Running in Live Mode on a Host Machine

Booting Your Computer Forensics Distribution in the Bios

Before any booting of the system from a switched off state do some research into what key combinations trigger the boot disk. It varies, on a Mac hold the ‘Option Key’ or ‘C’, on a Windows system it could be anything from ‘F1’ or ‘Del’. Take time to look through this list before switching to the system in preparation for booting into a Forensic OS. If you get it wrong, you may boot into the operating system if this event occurs switch the computer off by the button (if safe) or pull out the power cord.

Then the general idea is to use a GUI program such a Guymager as shown in Fig 5 to acquire the media to the destination drive without removing the disk while preserving the integrity of the drive. You need to remember to unlock your destination drive.

Fig 5 Guymager Forensically Imaging 2 Attached Disks USB Disk

Remote Forensic Imaging over a Network

A computer forensic examiner would place a clean virus free computer on the network and attach to the companies domain. Using Encase Enterprise or FTK v5.6+ a computer forensic examiner, with root access, could push an agent to gain access to a remote system. The RAM could be examined for malware and Physical Disk in Read-Only mode. The examiner could then review the computer in real time to produce a logical forensic skeleton image of only the files that are of interest. Alternatively, the examiner could copy the disk remotely and have it outputted to a secure location on the server or locally.

If the user profile exists on the server, it might be sufficient to mount the remote disk or user share in logically in Windows by selecting ‘Map Network Drive’ and using FTK Imager to image the contents locally logically. The local machine should be physically copied where possible in addition to the remote user directory for completeness.

Forensic Imaging Mobile Phones – iOS, Blackberry, Windows and Android

If you come across a phone place it in aeroplane mode or switch it off immediately as it is easy to wipe a device remotely using iCloud’s ‘Find My Phone’ or Similar apps of that ilk.

For a mobile phone forensics expert Magnet’s free software Aquire, CellBrite, UFED and XRY can be used to grab an image logically and physically of a mobile device. A logical grab will obtain the filesystem and no deleted data (except items in the SQL databases that can be logically recovered and scraped from these databases).

A physical ‘Hex Dump’ of a mobile device is the holy grail of mobile acquisition. Hex dumping entails the device to be rooted or jailbroken as so a 3rd party app can exploit the phone allowing the device to be imaged much like a computer hard drive. From this image, deleted data can is gathered.

Mobile Phone Backups

It is also worth a mention that Mobilebackups in the form of BBB/IPD Blackberry backups and Mobilesync backups for Apple may exist on the computer system seized that can be read much like actual mobile device if for some reason the device is no longer available. These backups may contain messages, photos and chat conversations.

Thank you for reading my overview of forensic imaging. I hope it was informative.

By Alistair Ewing Director of Compute Forensics

Introduction

So you are work in human resources, or you are a business owner and are concerned that an incident has occurred or may have occurred? Data may have been emailed or taken out from an ex-employee, or you may have even been hacked. Your first instinct may be some actions or non-actions such as: calling the IT department, pull the plug on the item, leaving the piece on and networked, hire “Bob the computer expert” from down the road or even to have a look at the computer or phone yourself. Any of these options may end in disaster through accidental evidence deletion, evidence destruction and you may be liable having to explain your wrong actions in court or a tribunal.

The IT staff may be in on the incident or involved so with this in mind be sure to investigate a ‘need to know’ basis.

Pulling the plug, as what was done in the past, this may mean the loss of vital encryption keys in the RAM (the computers volatile working memory that is lost when switched off) on Macs, Linux and Windows machines.

Leaving the computer on the network may expose the device to being wiped remotely by the culprit. The assumption here is: The IT department or the director is not forensically trained and neither are you so leave well alone unless you know what you are doing!

Real Case Example Disaster – The Client that Installed Programs on the System to Perform the Themselves

I have experienced cases where the IT department has installed a data recovery program such as Recuva to the disk they wanted to recover from and had the recovered files outputted to that same disk. The actions as mentioned earlier caused the areas that could be retrieved from to fill up with the recovered data and the newly installed program, defeating the purpose of recovery! Not only did they lose valuable data, the recruitment firm’s client list on that computer, The organisation, but also had to explain why they meddled with the system after the event to the opposing parties team in the tribunal. Lucky it was discovered that a list matching the name and size was emailed out. Additionally, a fragment of that list was found in the file slack of another file. The file slack is akin to the unused space at the end of a physical file size space that hasn’t thoroughly been wiped over by the new logical file, invisible to most users. The spreadsheet didn’t exist in its live form, but the fragments and metadata were also discovered using an advanced forensic search.

Evidence Tampering.Deletion by the Culprit

If you are aware, the culprit has tried to format the disk or use wiping software such as CCleaner don’t worry a computer forensics expert should have experienced any number of these occurrences on a weekly basis and is trained to deal with them. Chances are you will make things worse by trying yourself. More often than not their tampering leads to more evidence against them of a cover-up!

Commencement of Search and Seizure

Data exists on computers, external drives, DVD’s, CD’s, mobile phones, memory cards, memory sticks and a plethora of other potential digital media. Make sure you don’t overlook anything in your search. Make a list of the time and date you seized these items along with some photos, videos, serial numbers and any other identifying features you can record. Don’t make anyone aware until you are sure the data is onsite and right before the seizure.

Tip: Sweep your Offices for Hardware Keyloggers and Voice Recording Devices in your

Concerned about intellectual property walking out of your organisation? Often people may not have the skill to hack or install software keyloggers. Hardware keyloggers such as KeyGrabber can log every keystroke, and they appear as innocuous devices on the back of tower computers that plugin easily behind the keyboards. Fig 1 is an example of such a keylogger.

Fig 1 Keylogger Plugged into the Posterior of a Computer Tower

Other Devices

Unscrupulous individuals and gangs have been known to put voice/SMS/telephone bugs in bins or under desks to record conversations. Don’t overlook this. I have come across this in an insider trading investigation where nothing was found on the actual computer, but the office was bugged. Remember there are many ways to steal IP (intellectual property). More advanced bugs now exist that act as a WIFI dongle record traffic such as passwords and then email the booty to the culprit. Even worse is the KeyGrabber module, this is actual implanted inside the computer and are nigh on impossible to spot to the uninitiated. If a logger is discovered, hand this device over to the professional digital investigator.

Protecting the Integrity of the Digital Evidence

It is important not to leave the device anywhere it can be tampered with by the unscrupulous. The culprit or sympathetic co-worker could access the item and tamper with the data. If possible lock the room with the items in, make sure only you have access.

Disabling Network Access on the Computer

If the evidence is a Laptop unplug the network cable at the posterior of the computer, switch off the WIFI switch if there is one showing the WIFI symbol or physically pop out the PCI network card with the computer on. You may also switch off disable the adaptors in the settings if possible. Make sure the item is plugged in and switched on so it doesn’t power off. Try to disable sleep and auto lock in settings or control panel on the system if possible.

If the evidence is a computer Tower  is switched on and logged in disable auto lock and sleep in the control panel. Pull the network cable from the back, pull any WIFI dongle, unscrew the aerial from any protruding card and disable WIFI if it exists on the tower. Try to keep the tower on and not networked if possible. Logout and shutdown only if you are sure there is no BitLocker, FileVault or Trucrypt encryption on the devices. Make notes with times and dates of your specific actions.

If you are not sure about this, please contact a computer forensic expert at Compute Forensics or another organisation proficient to do this. At this stage, it is important to recognise you are just protecting the computer from:

a) Physical Tampering

b) Remote Tampering until an expert arrives on the scene.

Note: if you are sure a cryptovirus or another tool is working in the background on the machine and you know the BitLocker, FileVault or Truecrypt/VeraCrypt password or key or that there isn’t one then it is probably wise to unplug the computer from the power cord or remove the battery. An incident response expert can then attempt to salvage what hasn’t been decrypted and decrypt what has been.

The reason for leaving the system on is at a later stage, and if the computer is on, the digital forensic expert would image the RAM as well as locked registry files and indeed the unencrypted logical image of the unlocked hard disk if the disk is encrypted. Then the examiner would go on to take a full physical copy of the device to follow proper practice procedures. If the item encrypted and off then the examiner may have to crack the password.

Damaged Drive?

Don’t be tempted to use recovery software. The more you use a faulty disk, the less likely a successful recovery will occur. Our experts have been known to image faulty devices while onsite successfully. More often than not the equipment isn’t defective but has just been formatted or modified by the culprit.

Mobile Device Forensic Imaging

If you find a phone on site, put it into aeroplane mode as to stop any remote tampering or switch it off. A Logical image (just the filesystem) and the holy grail of forensics ‘the complete physical image’ (included files system and deleted areas) can be taken when the examiners are onsite.

Don’t worry if this isn’t possible. Backups often exist unwittingly on the suspect’s computer. The data discovered can often yield as much or often more than the live phone data.

Call the Computer Forensic Expert

It is now the incident response experts turn to arrive on the scene take notes and forensically collect the data. The basic premise is that where ever possible the computer forensic expert would collect the data without changing it, along with contiguous notes that can confront rigorous testing in court. Using a forensic blocking device, a forensic Linux distribution or a remote method the expert would then go on to collect the data for analysis and output this verified copy to an encrypted disk.

What Happens Next?

The computer forensic examiner would then go on to examine the forensic copies, not the original disks. This technique is to preserve the integrity of the evidence and not to damage the originals.

A robust digital timeline would probably be needed to be produced to examine the chain of events that occurred. Computer Registry in Windows or Plist files and logs in Mac would generally be probed to discover when programs were run, what was connected to the system and much more. The timeline goes into every event log, internet history and registry item and outputs the results as a table. This table can be painstakingly analysed to correlate the suspect wrongdoings against times and other evidence such as CCTV.

Internet history, chat and email can be recovered using data recovery techniques along with deleted files such as Word and Excel documents. Along with the files, useful metadata can tell us which user the item was last saved by and when the article was copied to a particular location and much more.

The drive can be indexed to allow powerful keyword searches across the data. This searching can search inside files content, its metadata as well as deleted fragments. Powerful searches are not standard for Windows or Macs! Preparation by HR of keywords, dates and times aids the examiner considerably.

Malware can be discovered by scanning the mounted disk using powerful anti-virus software as well as by manual more time-consuming methods such as reverse engineering and running the item in s safe environment.

Using what was found the events can be put together into an expert technical report to ascertain what had happened and possibly reprimand the suspect.

Written by Alistair Ewing of Compute Forensics

______________________________________________________________________

Contact us and we can provide a training solution for your IT department in evidence handling, forensic imaging of ex-employees devices and legal admissibility standards. If you are worried about security consult with us in regards to our pen testing options.

The sooner data is collected, the better. It is better the examiner has experience as an expert witness and is Sweet, and Maxwell vetted rather than hiring someone that is just IT savvy.

Please don’t hesitate to email us at expert@compute-forensics.com or call +44 (0)203 5989658 now should you have an incident.

What is the best method for analysing an intrusion or indeed for most computer forensic cases? It is the production of a super timeline. A timeline quickly highlights a chain of events that occur, a super timeline using a Linux based tool named log2timeline. This software produces the mother of all schedules. It merely creates an amalgamation of all the events contained within a system such as event logs, metadata, internet history and user actions and is an invaluable asset for analysis of a hacking event or incident.

If you are not proficient in computers or require an expert to produce and analyse this timeline, then please visit our website. Sans, a training computer forensics organisation, provided an excellent cheat sheet that can be viewed/downloaded from here. It is a little detailed, and I wanted to simplify it for those who never produced a ‘supertimeline’ before.

DISCLAIMER: YOU MAY NEED AN EXPERT TO DO THIS IN YOUR ORGANISATION AS COLLECTING THE DATA INCORRECTLY AND NOT DOCUMENTING STEPS MAY RESULT IN EVIDENCE THAT DOESN’T STAND UP IN COURT!

Log2timeline in Caine

Log2Timeline Basic Use

The tool ‘log2timeline’ can be executed against a remotely connected network device, an E01 or DD image or a mounted image directory using Linux. The easiest way to create one is the ‘Hail Mary’ approach, that is to say, dump all the data (web history, reg, link, evtx etc.), mount or present the image to Plaso or super timeline. Then output the ‘dump’ file to a storage medium. You can then use another command line tool to output the timeline to a useful format (CSV) or filter using dates etc. Calc or Excel can then be used to filter dates or other fields, beware that these office tools can panic when handling massive data sets 200mb+. 4n6time is a tool you can use to analyse the events graphically; there are others.

Example of Basic Log2TimeLine Usage the ‘Hail Mary’

1) Download live Linux distribution Caine v7.0 or later. Boot this in a virtual machine such as VirtualBox or VMware. Alternatively, you could burn the iso or use Unetbootin to make a bootable USB version of the software.

Caine, My Personal Favourite Linux Forensic Distro

2) Connect your disk containing images in Read/Write by right-clicking on the disk icon and selecting R/W mode.

Read/Write GUI Mounting Icon

You have to select the disk desired using the tick box then select ‘OK’. You can use this disk to write your plaso timeline file. If live evidence is being used such as a server mount the location in read mode. Mount the image using one of the GUI tools provided in the Linux distribution Caine or point log2timeline to the actual image file. If the image is dd or even E01 you can just point the tool to the location path: remember to include the file name and extension. Have somewhere in read-write mode mounted to push the outputted timeline which will be a ‘plaso’ file.

Caine’s Mounting GUI

3) Update your system, Open Terminal [Optional may cause issues!]:

sudo apt-get update

Then upgrade it:

sudo apt-get upgrade

Be sure Ubuntu Universe is installed and available:

sudo add-apt-repository universe

Update again:

sudo apt-get update

Add the GIFT PPA:

sudo add-apt-repository ppa:gift/stable

Update again:

sudo apt-get update

Now install Plaso:

sudo apt-get install python-plaso

4) Mount the image using one of the 2 GUI mounting tools,FMOUNT is my favourite, in Caine v7.0. Another way is to is to point the program at the location of your image e.g.: ‘media/sdb1/foldertoputinimage/image.e01’ (remember to have no spaces in this path!

FMOUNT Select your Forensic Image (Split Images Supported)

5) Create the Timeline: Paths can be copy and pasted from the web bar of Caine’s Explorer type interface.

Copy and Paste Paths from the Explorer, as Typing Long a Path can Result in Errors

Open log2timeline from the menu and enter something like this: [comments in brackets, do not use in Terminal!]:

sudo [admin command] log2timeline.py [The software used] -z Europe/London [z- is the time zone flag, be sure to use capitals and find your desired timezone dependent on the case here, pick the location desired and insert after flag] –status_view window [Adds status window optional can cause errors) /path/to/nameyourfile.plaso [output location] media/sdb1/foldertoputinimage/image.e01 [Windows or Image Directory the path can be copied from the ‘computer’ window similar to explorer]

Hit ‘return’ and wait. The process may take a long time.

6) Output the timeline into another format, open Terminal and input something like this:

sudo psort.py -o [Output Format CSV] l2tcsv w- [Storage Path] /mnt/hgfs/CaseSensitiveWindowsPath/YOURCSVTIMELINE.csv [Location of your Plaso Dump] /mnt/hgfs/CaseSensitiveWindowsPath/nameyourfile.plaso

7) Viola! You have produced your very own supertimeline.

8) For an analysis in excel or calc, the contents of the spreadsheet may be pasted into a template found here.

• Download it – Open Timeline Color Template
• Switch to Color Timeline worksheet/tab
• Click on Cell A-1
• Select ‘DATA’ Ribbon
• Import Data “FROM TEXT”
• Select log2timeline.CSV file
• TEXT IMPORT WIZARD Will Start
• Step 1 -> Select Delimited ->Select NEXT
• Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT >
• Step 3 ->Select Finish
• Where do you want to put the data? Simply Select OK.
• Once imported View -> Freeze Panes -> Freeze Top Row
• Optional Hide Columns Timezone, User, Host, Short or Desc (keep one of these), Version
• Select HOME Ribbon
• Select all Cells “CTRL-A.”
• In-Home Ribbon -> Sort and Filter – Filter

Resources:

http://www.caine-live.net/

https://github.com/log2timeline/plaso/wiki